security: add permissions block to workflows #3875
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
agent-nodejs
trentm
approved these changes
Feb 20, 2024
trentm
reviewed
Feb 27, 2024
Comment on lines
+10
to
+11
| permissions: | ||
| contents: read |
There was a problem hiding this comment.
I think I got review incorrect on this. This workflow needs write permission to the issue/PR to add a label. I'm not sure if that is being limited by this permissions: ... addition.
Recently two PRs have had this labeler workflow fail:
https://github.com/elastic/apm-agent-nodejs/actions/runs/8042135103/job/22024012622?pr=3882
https://github.com/elastic/apm-agent-nodejs/actions/runs/8042141883/job/21962393814?pr=3883
Run AlexanderWert/issue-labeler@v2.3
with:
repo-token: ***
configuration-path: .github/labeler-config.yml
enable-versioned-regex: 0
env:
MY_GITHUB_TOKEN: ***
Adding labels agent-nodejs to issue #3882
/home/runner/work/_actions/AlexanderWert/issue-labeler/v2.3/node_modules/@octokit/request/dist-node/index.js:66
const error = new requestError.RequestError(message, status, {
^
RequestError [HttpError]: Resource not accessible by integration
at /home/runner/work/_actions/AlexanderWert/issue-labeler/v2.3/node_modules/@octokit/request/dist-node/index.js:66:23
at processTicksAndRejections (node:internal/process/task_queues:96:5) {
status: 403,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
connection: 'close',
'content-encoding': 'gzip',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Tue, 27 Feb 2024 10:12:23 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'GitHub.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
'transfer-encoding': 'chunked',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-accepted-github-permissions': 'issues=write; pull_requests=write',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-api-version-selected': '2022-11-28',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': 'D084:4803:180CFA2:2FA3CB1:65DDB587',
'x-ratelimit-limit': '15000',
'x-ratelimit-remaining': '14998',
'x-ratelimit-reset': '1709032343',
'x-ratelimit-resource': 'core',
'x-ratelimit-used': '2',
'x-xss-protection': '0'
},
request: {
method: 'POST',
url: 'https://api.github.com/repos/elastic/apm-agent-nodejs/issues/3882/labels',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'octokit.js/16.43.2 Node.js/16.20.2 (Linux 6.2; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: '{"labels":["agent-nodejs"]}',
request: {
hook: [Function: bound bound register],
validate: {
issue_number: { required: true, type: 'integer' },
labels: { required: true, type: 'string[]' },
number: { alias: 'issue_number', deprecated: true, type: 'integer' },
owner: { required: true, type: 'string' },
repo: { required: true, type: 'string' }
}
}
},
documentation_url: 'https://docs.github.com/rest/issues/labels#add-labels-to-an-issue'
}
I don't know that this is about this change, but it seems related.
trentm
added a commit
that referenced
this pull request
Feb 27, 2024
trentm
added a commit
that referenced
this pull request
Feb 27, 2024
PeterEinberger
pushed a commit
to fpm-git/apm-agent-nodejs
that referenced
this pull request
Aug 20, 2024
PeterEinberger
pushed a commit
to fpm-git/apm-agent-nodejs
that referenced
this pull request
Aug 20, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Details
We want to set the default permissions for workflows to read-only for contents.
This is a security measure to prevent accidental changes to the repository.
This change adds a top-level permissions block to all workflows in the .github/workflows directory.
In some cases workflows might need more permissions than just
contents: read.Please checkout this branch and add the necessary permissions to the workflows.
If your workflow uses a Personal Access Token (PAT), we can still add the permissions block,
but it will not have any effect.
Merging this PR as is might cause workflows that need more permissions to fail.
If there are any questions, please reach out to the @elastic/observablt-ci