Add the GitHubSecurityLab/actions-permissions/monitor Action
#190
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This Action will provide information about the usage of GITHUB_TOKEN in the workflow. It should be added to _every_ job in _any_ workflow to provide information for analysis.
mcdonnnj
added
improvement
dv4harr10
approved these changes
Oct 29, 2024
jsf9k
approved these changes
Oct 29, 2024
felddy
approved these changes
Oct 29, 2024
There was a problem hiding this comment.
Looks good. Way to take the initiative. 💪
I'm glad it isn't conflicting with the step-security/harden-runner which also proxies the API. I like this because it is more "in your face". The harden-runner is more subtle. Scroll to bottom of the runner's recommendations for this PR to see:
I thought the harden-runner used to be louder about its recommendations. Maybe this has moved behind the commercial license?
mcdonnnj
added
the
kraken 🐙
mcdonnnj
added
the
hacktoberfest-accepted
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🗣 Description
This pull request adds the GitHubSecurityLab/actions-permissions/monitor Action to the GitHub Actions workflows.
Note
I have added an organization variable called
ACTIONS_PERMISSIONS_CONFIGto provide a default configuration across the organization. Repositories can change this as needed for their own purposes. The default configuration as of this pull request is:{ "create_artifact": true, "debug": false, "enabled": true }💭 Motivation and context
We have upcoming changes to the default permissions for
GITHUB_TOKENin our organization per the discussion. This Action will help repository maintainers determine the privileges necessary for their GitHub Actions configurations.Note
Once the GitHubSecurityLab/actions-permissions/monitor Action is deployed and generating artifacts you can use the GitHubSecurityLab/actions-permissions/advisor Action either in your GitHub Actions configuration or directly on the command line (see the directions in the Action's README). This will allow you to compare permissions across multiple successful workflow runs to generate aggregate suggested permissions.
🧪 Testing
Automated tests pass. I verified the Action is running successfully by checking the run logs.
✅ Pre-approval checklist