ci: restrict default GITHUB_TOKEN to contents:read in update-templates workflow #806
l2ysho wants to merge 1 commit into
Conversation
…s workflow
Closes code-scanning alert #15 (actions/missing-workflow-permissions). All privileged operations in this workflow already use the explicit APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN PAT; the default GITHUB_TOKEN is unused and can be safely locked down to least privilege.
DaveHanns
left a comment
Suggestion: let's figure out whether we can lower the access scope repo-wide via https://github.com/apify/actor-templates/settings/actions.
We should, ideally, use the org account PAT for sensitive actions anyway.
Good call, I changed it to read, let's see if something breaks.
Reverting this back to read/write because it breaks the Apify pull request toolkit, which is defined in another repo, apify/workflows. It is probably worth discussing changing the default permissions to read company-wide to honor the least privilege principle 🤔
Good finding. Feel free to present this at the next platform symposium.
Closes code-scanning alert https://github.com/apify/actor-templates/security/code-scanning/15 (actions/missing-workflow-permissions).
All privileged operations in this workflow already use the explicit
APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN PAT; the default GITHUB_TOKEN is unused
and can be safely locked down to least privilege.
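The pattern the PR and the follow-up comments describe, as an added illustration that is not the actor-templates workflow itself: a workflow-level `permissions:` block that pins the automatic GITHUB_TOKEN to `contents: read`, privileged steps that authenticate with the APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN PAT instead, and a per-job override for a job that genuinely needs write access through GITHUB_TOKEN, so the scope is widened only where required rather than repo-wide. The job names, the trigger branch, the script path, the reusable workflow path and the scopes it needs are all assumptions; the page does not say what the apify/workflows toolkit actually requires.

```yaml
# Added example (not the repository's own workflow). Assumed: a job that pushes
# commits using the APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN PAT, and a hypothetical
# second job that calls a reusable workflow needing write access via GITHUB_TOKEN.
name: update-templates

on:
  push:
    branches: [main]   # assumed trigger branch

# Workflow-level default for the automatic GITHUB_TOKEN: read-only.
# Without this block the token inherits the repository setting, which may be
# read/write for every scope (the code-scanning finding in this PR).
permissions:
  contents: read

jobs:
  update-templates:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Privileged operations authenticate with the explicit PAT,
          # so GITHUB_TOKEN never needs write access in this job.
          token: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
      - run: ./scripts/update-templates.sh   # hypothetical script
        env:
          GH_TOKEN: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}

  # Hypothetical job that does need write access through GITHUB_TOKEN.
  # Granting it per job keeps the workflow-level default at read-only;
  # the placeholder path and the scopes listed are assumptions, not the
  # real apify/workflows requirements.
  pr-toolkit:
    uses: OWNER/workflows/.github/workflows/REUSABLE.yaml@main   # placeholder
    permissions:
      contents: read
      pull-requests: write
    secrets: inherit
```

Note that a called reusable workflow cannot exceed the permissions of its caller, which is exactly why a workflow-level `contents: read` broke the toolkit mentioned in the thread: the remedy is a job-level grant sized to what that job needs, not reverting the whole workflow to read/write.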