
GitHub Workflows security hardening #4586

Merged
merged 3 commits into from
Oct 31, 2022

Conversation

sashashura
Contributor

Please check that what you want to add to the awesome-go list meets the quality standards before sending a pull request. Thanks!

Please provide package links to:

  • repo link (github.com, gitlab.com, etc):
  • pkg.go.dev:
  • goreportcard.com:
  • coverage service link (codecov, coveralls, gocover etc.):

Note that new categories can be added only when there are 3 packages or more.

Make sure that you've checked the boxes below that apply before you submit PR.
Not every repository (project) will require every option, but most projects should. Check the Contribution Guidelines for details.

  • The package has been added to the list in alphabetical order.
  • The package has an appropriate description with correct grammar.
  • As far as I know, the package has not been listed here before.
  • The repo documentation has a pkg.go.dev link.
  • The repo documentation has a coverage service link.
  • The repo documentation has a goreportcard link.
  • The repo has a version-numbered release and a go.mod file.
  • I have read the Contribution Guidelines, Maintainers Note and Quality Standards.
  • The repo has a continuous integration process that automatically runs tests that must pass before new pull requests are merged.
  • The authors of the project do not commit directly to the repo, but rather use pull requests that run the continuous-integration process.

Thanks for your PR, you're awesome! 👍


This PR adds an explicit permissions section to workflows. This is a security best practice because, by default, workflows run with an extended set of permissions (except for on: pull_request from external forks). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an injection or a compromised third-party tool or action) is restricted.
It is recommended to have the most strict permissions at the top level and to grant write permissions at the job level case by case.

Signed-off-by: Alex <aleksandrosansan@gmail.com>
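The permissions model the description relies on, shown as an added example workflow. This is not one of the awesome-go workflows touched by the PR; the workflow name, job ids, and the `make lint` command are illustrative assumptions.

```yaml
# Added example, not from the awesome-go repository. Shows the pattern the PR
# description recommends: a restrictive top-level "permissions" block and a
# job-level override only where write access is actually needed.

name: ci

on:
  push:
    branches: [main]
  pull_request:

# Top-level default for every job in this file. Naming any scope here sets
# every scope that is not named to "none", so the GITHUB_TOKEN a job
# receives can only read repository contents unless the job overrides it.
# Without this block the token gets the repository's default (historically
# read/write on most scopes) for pushes and for PRs from the same repo.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    # Inherits the top-level read-only token; nothing here needs to write.
    steps:
      - uses: actions/checkout@v3
      - run: make lint   # assumed project command

  label:
    runs-on: ubuntu-latest
    # Job-level override: only this job gets a token that can modify pull
    # requests. It still cannot push code, publish packages, or write
    # issues, because every scope not listed here is "none".
    permissions:
      pull-requests: write
    steps:
      - run: |
          # A real step would call the REST API with the scoped token;
          # this placeholder only shows which token the job receives.
          echo "label step runs with a pull-requests:write GITHUB_TOKEN"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

To verify what a job actually received, open its "Set up job" log: the runner prints a `GITHUB_TOKEN Permissions` block listing the effective scope of each permission. Two caveats worth keeping in mind: a workflow triggered by `pull_request` from a fork gets a read-only token regardless of what is declared here (a job-level `pull-requests: write` will not take effect for it), and the `permissions` block limits only the token; it does nothing about a compromised third-party action itself, so pinning `uses:` references to a full commit SHA rather than a mutable tag is the complementary control for that case.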
@avelino
Owner

avelino commented Oct 30, 2022

Thank you for contributing to awesome-go; we will revise your contribution as soon as possible.

Automation body links content check:

  • godoc.org or pkg.go.dev: True
  • goreportcard.com: False
  • coverage: True

Your project is about to be approved; it is under revision, which may take a few days.

@phanirithvij phanirithvij merged commit 6c1da6d into avelino:main Oct 31, 2022