Unverified Commit a29bc691 authored by Landon James, committed by GitHub

Scope `GITHUB_TOKEN` permissions (#4084)

## Description
This PR does a few things related to scoping our tokens:
* Add a `- uses: GitHubSecurityLab/actions-permissions/monitor@v1` to
most of our actions so we can get ongoing summaries of the permissions
each action is using. Some actions, like Windows tests and the TLS
tests, are excluded because they are not supported or the proxy it uses
breaks the test.
* Add explicit `permissions` scoping to various jobs that need it.
* Although not part of the PR I have changed our Workflow Permissions
(in Settings > Actions > General > Workflow Permissions) from defaulting
to Read/Write to Read Only.


## Testing
* The CI for this PR ran successfully (except the Canary, but that
appears to be an issue unrelated to this PR)
* A dry-run release using the workflows from this branch succeeded
https://github.com/smithy-lang/smithy-rs/actions/runs/14275005243
* Various other manually runnable actions tested against this branch:
  * Daily credentials verification:
    https://github.com/smithy-lang/smithy-rs/actions/runs/14288824835
  * Update lockfiles:
    https://github.com/smithy-lang/smithy-rs/actions/runs/14288809742
  * Invoke canary (failed but not for permissions reasons):
    https://github.com/smithy-lang/smithy-rs/actions/runs/14288631692

**Note:** I did not test the prod release workflow for obvious reasons.
It might need permissions added next time it is invoked. I will cut a
release as a follow-up to this PR to see if anything needs updating.

## Checklist

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._
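The `permissions` semantics this change relies on are easy to misjudge by eye: a job-level block replaces the workflow-level block outright, any block silently sets every scope it does not list to `none`, and with no block at all the repository default (the Read Only setting mentioned above, or Read/Write) applies. The checker below is an added example, not code from this PR or from the smithy-rs repository. It takes the workflow as an already-parsed dict instead of YAML so it runs without extra dependencies, and `SAMPLE_WORKFLOW` is a constructed input that mirrors the shape of the hunks in this commit (workflow-level block with `id-token: write` and `pull-requests: write`, one job with its own block, one job with none).

```python
"""Compute the effective GITHUB_TOKEN permissions of every job in a workflow.

Rules implemented (GitHub's documented semantics for the `permissions` key):
  * a job-level `permissions` block replaces the workflow-level one entirely;
  * whenever a block is given, every scope it does not list becomes `none`;
  * with no block at either level the repository default applies:
      "restricted"  -> contents and packages read, everything else none
      "permissive"  -> everything write except id-token, which is none
The `read-all` / `write-all` shorthands are deliberately not handled.
"""
from typing import Dict, List, Mapping, Optional

SCOPES = (
    "actions", "attestations", "checks", "contents", "deployments", "discussions",
    "id-token", "issues", "packages", "pages", "pull-requests",
    "repository-projects", "security-events", "statuses",
)
LEVELS = ("read", "write", "none")

Perms = Dict[str, str]


def expand(spec: Optional[Mapping[str, str]], repo_default: str = "restricted") -> Perms:
    """Turn one `permissions:` value (a mapping, or None when absent) into a full scope map."""
    if spec is None:
        if repo_default == "permissive":
            return {s: ("none" if s == "id-token" else "write") for s in SCOPES}
        return {s: ("read" if s in ("contents", "packages") else "none") for s in SCOPES}
    perms = {s: "none" for s in SCOPES}  # everything not listed collapses to none
    for scope, level in spec.items():
        if scope not in SCOPES or level not in LEVELS:
            raise ValueError(f"unknown permission entry {scope}: {level}")
        perms[scope] = level
    return perms


def effective_permissions(workflow: Mapping, repo_default: str = "restricted") -> Dict[str, Perms]:
    """Map each job name to the scope map its GITHUB_TOKEN will actually carry."""
    top = workflow.get("permissions")
    result: Dict[str, Perms] = {}
    for name, job in workflow["jobs"].items():
        # A job-level block (even an empty one) wins outright; otherwise inherit.
        spec = job.get("permissions", top)
        result[name] = expand(spec, repo_default)
    return result


def write_scopes(workflow: Mapping, repo_default: str = "restricted") -> Dict[str, List[str]]:
    """Jobs mapped to the scopes they can write: the list to review when scoping a token."""
    return {
        job: sorted(s for s, level in perms.items() if level == "write")
        for job, perms in effective_permissions(workflow, repo_default).items()
    }


# Constructed sample shaped like the workflows touched in this commit (hypothetical job names).
SAMPLE_WORKFLOW = {
    "permissions": {
        "actions": "read", "contents": "read", "id-token": "write", "pull-requests": "write",
    },
    "jobs": {
        "generate-docker-login-password": {"runs-on": "ubuntu-latest"},  # inherits the top block
        "acquire-base-image": {"permissions": {"id-token": "write", "contents": "read"}},
        "semver-checks": {"permissions": {"pull-requests": "read"}},  # note: contents becomes none
    },
}

if __name__ == "__main__":
    for job, scopes in write_scopes(SAMPLE_WORKFLOW).items():
        print(f"{job}: can write {scopes or 'nothing'}")
```

Running it on the sample shows the two facts worth checking in a review of a change like this: the job without its own block inherits both `id-token: write` and `pull-requests: write` from the workflow level, and the job that lists only `pull-requests: read` loses `contents: read` entirely.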
parent 18e06e0a
+1 −0
@@ -19,6 +19,7 @@ jobs:
  create-backport-pull-request:
    runs-on: ubuntu-latest
    steps:
    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
    - name: Checkout
      uses: actions/checkout@v4
      with:
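Review bot: `GitHubSecurityLab/actions-permissions/monitor@v1` (like `actions/checkout@v4` beneath it) is referenced by a mutable tag; a third-party action that sits first in the step list and observes every API call the job makes is a good candidate for pinning to a full commit SHA with the tag kept in a trailing comment, so the code running under that tag cannot change between runs. The same step is added in every other hunk of this commit, so one pinning decision covers all of them.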
+7 −0
@@ -18,6 +18,12 @@ concurrency:
env:
  ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci

permissions:
  actions: read
  contents: read
  id-token: write
  pull-requests: read

jobs:
  # Build and upload the Docker build image if necessary
  acquire-base-image:
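Review bot: `id-token: write` at the workflow level hands OIDC token minting to every job in this file, yet the job that needs it (`acquire-base-image`) already declares its own `id-token: write` / `contents: read` block, which replaces the workflow-level block for that job anyway. Dropping `id-token: write` from this block and keeping it only in job-level blocks would match the least-privilege intent of the PR; the workflow-level block would then read `actions: read`, `contents: read`, `pull-requests: read`.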
@@ -30,6 +36,7 @@ jobs:
      id-token: write
      contents: read
    steps:
    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
    - name: Checkout
      uses: actions/checkout@v4
    - name: Acquire credentials
+8 −0
@@ -16,6 +16,12 @@ concurrency:
env:
  ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci

permissions:
  actions: read
  contents: read
  id-token: write
  pull-requests: read

jobs:
  # This job will, if possible, save a docker login password to the job outputs. The token will
  # be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h.
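Review bot: this workflow-level block carries `id-token: write` without saying which job relies on it; the docker-login-password job that calls `aws-actions/configure-aws-credentials@v4` shows no job-level `permissions` in the visible context, so it presumably inherits the scope from here. A one-line comment above `permissions:` naming that job would document why the scope is at workflow level, and giving that job its own `permissions` block (`id-token: write`, `contents: read`) would let the workflow-level `id-token` entry go away.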
@@ -31,6 +37,7 @@ jobs:
    continue-on-error: true
    runs-on: ubuntu-latest
    steps:
    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
    - name: Attempt to load a docker login password
      uses: aws-actions/configure-aws-credentials@v4
      with:
@@ -60,6 +67,7 @@ jobs:
      id-token: write
      contents: read
    steps:
    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
    - uses: actions/checkout@v4
      with:
        path: smithy-rs
+10 −0
@@ -12,6 +12,12 @@ concurrency:
  group: ci-forks-yaml-${{ github.ref }}
  cancel-in-progress: true

permissions:
  actions: read
  contents: read
  id-token: write
  pull-requests: read

jobs:
  # This job detects if the PR made changes to build tools. If it did, then it builds a new
  # build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases,
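Review bot: this is the forks workflow, whose `acquire-base-image` job runs only when `github.event.pull_request.head.repo.full_name != 'smithy-lang/smithy-rs'`, i.e. for code coming from a fork, so the PR should state which event triggers it. On a plain `pull_request` event from a fork the token is read-only and `id-token: write` is not granted regardless of this block, but if the trigger is `pull_request_target` and the job builds the PR's own tooling, the OIDC-capable token would be available to fork-controlled code; in that case the scope should live only on the job that assumes the AWS role, not at workflow level.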
@@ -19,9 +25,13 @@ jobs:
  acquire-base-image:
    name: Acquire Base Image
    if: ${{ github.event.pull_request.head.repo.full_name != 'smithy-lang/smithy-rs' }}
    permissions:
      id-token: write
      contents: read
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
    - uses: actions/checkout@v4
      with:
        path: smithy-rs
+11 −1
@@ -15,6 +15,12 @@ concurrency:
env:
  ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci

permissions:
  actions: read
  contents: read
  id-token: write
  pull-requests: write

jobs:
  # This job will, if possible, save a docker login password to the job outputs. The token will
  # be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h.
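Review bot: `pull-requests: write` is granted to the whole workflow here, but the only job in this commit that declares a pull-requests scope (`semver-checks`) scopes it down to `read`. If some job does comment on or label pull requests, give that job `pull-requests: write` in a job-level block and reduce this workflow-level entry to `read`; otherwise every job without its own block keeps write access to pull requests that it does not use.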
@@ -31,6 +37,7 @@ jobs:
    continue-on-error: true
    runs-on: ubuntu-latest
    steps:
    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
    - name: Attempt to load a docker login password
      uses: aws-actions/configure-aws-credentials@v4
      with:
@@ -45,7 +52,6 @@ jobs:
        )
        echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT


  # This job detects if the PR made changes to build tools. If it did, then it builds a new
  # build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases,
  # it uploads the image as a build artifact for other jobs to download and use.
@@ -62,6 +68,7 @@ jobs:
      id-token: write
      contents: read
    steps:
    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
    - uses: actions/checkout@v4
      with:
        path: smithy-rs
@@ -112,6 +119,8 @@ jobs:

  semver-checks:
    name: Check PR semver compliance
    permissions:
      pull-requests: read
    runs-on: smithy_ubuntu-latest_8-core
    timeout-minutes: 20
    needs:
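Review bot: a job-level `permissions` block sets every scope it does not list to `none`, so `semver-checks` now runs with only `pull-requests: read` and no longer inherits `contents: read` from the workflow-level block, even though the job checks out the repository a few lines later. The CI run cited in the description passed, so checkout evidently copes on this public repository, but adding `contents: read` next to `pull-requests: read` states the requirement explicitly and keeps the job working if repository visibility or token defaults change.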
@@ -124,6 +133,7 @@ jobs:
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled')
    steps:
    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
    - uses: actions/checkout@v4
      with:
        path: smithy-rs