Fix token permissions for 100 critical open-source projects

[varunsh-coder]

This issue is to track progress on adding GitHub token permissions to workflows for critical open source projects.

OSSF has a working group to identify critical projects and calculate criticality score: https://github.com/ossf/wg-securing-critical-projects

The list of top 100 projects is here: https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit#gid=1024997528

[varunsh-coder]

Adding list of PRs:

1-10

• 🏗ci: Add GitHub token permissions for workflows ampproject/amphtml#38019
• ci: Add GitHub token permissions for workflows ant-design/ant-design#34946
• ci: Add GitHub token permissions for workflow caolan/async#1829
• ci: Add GitHub token permissions for workflows babel/babel#14539
• ci: Add GitHub token permissions for workflows apache/commons-codec#131
• ci: Add GitHub token permissions for workflows apache/commons-lang#894
• ci: add GitHub token permissions python/cpython#92999
• ci: Add GitHub token permissions for workflows electron/electron#34298
• chore(stale-action): Add GitHub token permissions gatsbyjs/gatsby#35713
• ci: Add GitHub token permissions for workflows rails/rails#45150

11-20

• ci: Add GitHub token permissions for workflows DefinitelyTyped/DefinitelyTyped#61065
• ci: Add GitHub token permissions for workflows gradle/gradle#21162
• ci: Add GitHub token permissions for workflows Homebrew/homebrew-core#105003
• ci: Add GitHub token permissions for workflows Homebrew/homebrew-bundle#1098
• ci: Add GitHub token permissions for workflows symfony/symfony#46832
• ci: Add GitHub token permissions for workflows facebook/react-native#34122
• ci: Add GitHub token permissions for workflows Homebrew/homebrew-cask#127104
• ci: Add GitHub token permissions for workflows NixOS/nixpkgs#180751
• ci: add GitHub token permissions for workflows pandas-dev/pandas#47652
• ci: add GitHub token permissions for workflow FasterXML/jackson-core#792

21-30

• build: add GitHub token permissions for workflows nodejs/node#43743
• ci: Add GitHub token permissions for workflows openssl/openssl#18766
• ci: add GitHub token permissions for workflow mrdoob/three.js#24332
• ci: add GitHub token permissions for workflow qos-ch/slf4j#293
• ci: add GitHub token permissions for workflow webpack/webpack#16033
• ci: add GitHub token permissions for workflow qos-ch/logback#579
• ci: add GitHub token permissions for workflows nodejs/readable-stream#479
• ci: add GitHub token permissions for workflow joomla/joomla-cms#38256
• ci: add GitHub token permissions for workflow google/guava#6106
• ci: add GitHub token permissions for workflows saltstack/salt#62317

31-40

• (maint) ci: add GitHub token permissions for workflows puppetlabs/puppet#8924
• ci: add GitHub token permissions for workflows PowerShell/PowerShell#17781
• [GitHub][workflows] Add minimum GitHub token permissions xbmc/xbmc#21782
• [GitHub] Add minimum GitHub token permissions for workflows tasks/tasks#1975
• [GitHub] Add minimum token permissions for workflow tensorflow/models#10749
• ci: Add minimum GitHub token permissions for workflows zulip/zulip#22786
• ci: add GitHub token permissions for workflow elastic/elasticsearch#89490
• [GitHub] Add minimum GitHub token permissions for workflows jetty/jetty.project#8499
• [actions] add minimum GitHub token permissions for workflows import-js/eslint-plugin-import#2547
• Add minimum GitHub token permissions for workflows rbenv/ruby-build#2041

41 - 50

• Restrict permissions for GitHub action spring-projects/spring-framework#29104
• ci: add minimum GitHub token permissions for workflows hashicorp/packer#11973
• ci: add minimum GitHub token permissions for workflow facebook/hhvm#9177
• ci: add minimum GitHub token permissions for workflows mastodon/mastodon#19138
• ci: add minimum GitHub token permissions for workflows webpack-contrib/css-loader#1470
• ci: add minimum GitHub token permissions for workflows openSUSE/open-build-service#13057
• ci: add minimum GitHub token permissions for workflows argoproj/argo-workflows#9552
• ci: add minimum GitHub token permissions for workflows humhub/humhub#5857
• ci: add minimum GitHub token permissions for workflows KratosMultiphysics/Kratos#10247
• ci: add minimum GitHub token permissions for workflow ckan/ckan#7070

51 - 60

• ci: add minimum GitHub token permissions for workflows juju/juju#14587
• ci: add minimum GitHub token permissions for workflows zaproxy/zaproxy#7452
• ci: add minimum GitHub token permissions for workflows mattermost/mattermost#20975
• ci: add minimum GitHub token permissions for workflow xonsh/xonsh#4936
• ci: add minimum GitHub at the workflow level for pip-tools.yaml readthedocs/readthedocs.org#9617
• ci: add minimum GitHub token permissions for workflows mruby/mruby#5798
• ci: add minimum GitHub token permissions for workflows pwsafe/pwsafe#885
• ci: add minimum GitHub token permissions for workflow sweetalert2/sweetalert2#2512
• ci: add minimum GitHub token permissions for workflow aspnetboilerplate/aspnetboilerplate#6559
• ci: add minimum GitHub token permissions for workflows node-red/node-red#3907

61 - 70

• ci: add minimum GitHub token permissions for workflow sindresorhus/got#2154
• ci: add minimum GitHub token permissions for workflows composer/installers#515
• NIFI-10575 add minimum GitHub token permissions for workflows apache/nifi#6469
• ci: add minimum GitHub token permissions for workflow factor/factor#2696
• ci: add minimum GitHub token permissions for workflow mavlink/mavlink#1898
• ci: add minimum GitHub token permissions for workflows tokio-rs/tokio#5072
• ci: add minimum GitHub token permissions for workflows stan-dev/math#2819
• ci: add minimum GitHub token permissions for workflows NodeBB/NodeBB#10933
• ci: add minimum GitHub token permissions for workflows trilinos/Trilinos#11092
• CI: Update GitHub token permissions for templates workflow GoogleForCreators/web-stories-wp#12269

71 - 80

• ci: add GitHub token permissions for workflow faisalman/ua-parser-js#583
• CI: Add GitHub token permissions for workflows twbs/bootstrap#36325
• chore(ci): add minimum GitHub token permissions for workflows PyCQA/isort#1969
• Add minimum GitHub token permissions for workflows apache/accumulo#2926
• ci: add GitHub token permissions for workflows rubocop/rubocop#10947
• ci: Add minimum GitHub token permissions for workflows ccache/ccache#1159
• add minimum GitHub token permissions for workflows apache/thrift#2664
• Add minimum GitHub token permissions for workflow halide/Halide#7011
• ci: add minimum GitHub token permissions for workflows spf13/cobra#1792
• ci: add GitHub token permissions for workflow facebook/rocksdb#10549

81 - 90

• ci: add minimum GitHub token permissions for workflows prometheus/prometheus#11285
• ci: add minimum GitHub token permissions for workflow kubernetes/dashboard#7430
• ci: add minimum GitHub token permissions for workflows javaparser/javaparser#3685
• ci: add minimum GitHub token permissions for workflows libgdx/libgdx#6984
• ci: add minimum GitHub token permissions for workflows psf/requests#6236
• .github/workflows: add GitHub token permissions for workflows ceph/ceph#47176
• ci: Add GitHub token permissions for workflows home-assistant/core#74331
• ci: add minimum GitHub token permissions for workflows python/mypy#13645
• ci: add minimum GitHub token permissions for workflows python/mypy#13645
• ci: add minimum GitHub token permissions for workflows isaacs/inherits#49

91 - 100

• ci: add minimum GitHub token permissions for workflows swagger-api/swagger-ui#8169
• Add minimum GitHub token permissions for workflows knex/knex#5318
• Add minimum GitHub token permissions for workflow globalize/globalize#803
• ci: add GitHub token permissions for workflow cockroachdb/cockroach#86536
• ci: Add GitHub token permissions for workflows apache/maven#745
• [GitHub] Add minimum GitHub token permission for workflow spree/spree#11757
• ci: add minimum GitHub token permissions for workflows flowable/flowable-engine#3478
• ci: add minimum GitHub token permissions for workflows openemr/openemr#5801
• ci: add minimum GitHub token permissions for workflows rust-lang/rustfmt#5557
• ci: add minimum GitHub token permissions for workflows open-mmlab/mmdetection#8928

101 - 110

• ci: add minimum GitHub token permissions for workflows pallets/flask#4830
• ci: add minimum GitHub token permissions for workflow tensorflow/probability#1630
• ci: add minimum GitHub token permissions for workflow hakimel/reveal.js#3292
• ci: add minimum GitHub token permissions for workflows apache/ignite#10283
• ci: add minimum GitHub token permissions for workflow tox-dev/tox#2510
• ci: add minimum GitHub token permissions for workflow apache/tomcat#554
• ci: add minimum GitHub token permissions for workflows nuxt/nuxt#10734
• ci: add minimum GitHub token permissions for workflows marmelab/react-admin#8225
• ci: add minimum GitHub token permissions for workflow codemirror/codemirror5#6989
• ci: add minimum GitHub token permissions for workflows pallets/werkzeug#2527

111- 120

• ci: add minimum GitHub token permissions for workflow nodejs/node-v8#241
• ci: add minimum GitHub token permissions for workflow syncthing/syncthing#8574
• ci: add minimum GitHub token permissions for workflow qt/qtbase#78
• ci: add minimum GitHub token permissions for workflows hashicorp/vagrant#12932
• ci: add minimum GitHub token permissions for workflow bigbluebutton/bigbluebutton#15767
• ci: add minimum GitHub token permissions for workflows hashicorp/terraform#31922
• ci: add minimum GitHub token permissions for workflow kubernetes/website#37133
• ci: add minimum GitHub token permissions for workflow ant-design/ant-design#37845
• ci: add minimum GitHub token permissions for workflow google/cadvisor#3180

Closed PRs

• ci: Add GitHub token permissions for workflows laravel/framework#42472
• ci: Add GitHub token permissions for workflows Homebrew/homebrew-cask-versions#14240
• CI: add GitHub token permissions for workflows ArduPilot/ardupilot#21505
• ci: add minimum GitHub token permissions for workflows ReactiveX/RxJava#7469

[danielroe]

This is a helpful prompt but I think you should instead be recommending enabling restrictive permissions by default for the entire organisation rather than adding these lines to every repo workflow file. I feel this is more secure and better practice.

See https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization.

With the more restrictive permissions, the token only has access to read contents and metadata.

[davidism]

Stop spamming repositories. Ask before running automated tools. https://twitter.com/di_codes/status/1567559370078052353, https://twitter.com/jacobian/status/1570188260592463872

Also agree with the comment above, push for better defaults, not changes to every single workflow file.

[ashishkurmi]

Thanks @davidism for the feedback. We have been working with maintainers of critical open-source projects since April (the first PR on this issue) to address security issues related to elevated GitHub token permissions. Our fix acceptance rate is quite high as you can see from the list of PRs above and many critical open-source projects have benefited from these fixes. We had not heard of this concern before. Going forward, would it be better if we create an issue first to discuss such security remediations with project maintainers?

[davidism]

What you're doing is not "working with maintainers", it's "spamming maintainers then hoping they go along with it so we can point at the acceptance rate." Yes, you should ask first, in a non-spammy, non-automated way, if maintainers want to participate in your automated PRs. You don't even need to make PRs, just use your team to open issues discussing the concern, as any non-company open source user would.

[davidism]

Your PRs aren't really fixing anything long term, as soon as maintainers create a new workflow they'll have the same permission issue. You should be telling them to enable better defaults, then opt in to more permissions, so they don't need the PRs in the first place.

[ashishkurmi]

This is a good idea. The problem is that if workflows that need write access are not fixed by adding explicit permissions, and this change it made at the repo/org level, those workflows will not work as intended.

We can clarify this as part of future issues/ PRs - to first add explicit permissions to workflows that need write access, and after that turn on the setting at the repo/org level, so future workflows are secure by default.

Otherwise, one might follow the recommendation to only turn this on at the repo/ org level, and it might break some of the workflows

This is a helpful prompt but I think you should instead be recommending enabling restrictive permissions by default for the entire organisation rather than adding these lines to every repo workflow file. I feel this is more secure and better practice.

See https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization.

With the more restrictive permissions, the token only has access to read contents and metadata.