Apache NiFi: NIFI-10575

Set GitHub Action Workflow token to the least privileged level


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.18.0
    • Component/s: Tools and Build
    • Labels: None

    Description

      Currently, the GitHub token associated with apache/nifi workflows is elevated. Here is an example of an elevated GitHub token:

      https://github.com/apache/nifi/actions/runs/3167551611/jobs/5158128990#step:1:19

      The token permissions should be adjusted to include only the required permissions.

      Motivation and Context

      • This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
      • GitHub recommends defining minimum GITHUB_TOKEN permissions.
      • The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.
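      The following workflow is an added illustration of the change the issue asks for; it is not the apache/nifi workflow and not the change that was merged for this ticket. The workflow name, job names, the Maven invocation and the `gh pr comment` step are placeholders chosen for the example. It shows the read-only default declared once at workflow level, with a write scope granted only to the single job that needs it.

```yaml
# Added example (not the apache/nifi workflow): GITHUB_TOKEN scoped to
# the minimum each job needs. Names and steps are placeholders.
name: ci-build

on:
  push:
    branches: [ main ]
  pull_request:

# With no `permissions` block at all, every job gets the repository's
# default token scope (Settings > Actions > General > Workflow
# permissions), which can be read/write on every scope. Declaring a
# block resets every scope that is not listed to `none`, so this
# single entry makes the token read-only for all jobs below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits `contents: read`: a compromised step or third-party
    # action here can clone the repository but cannot push, publish
    # packages, or write issues and pull requests.
    steps:
      - uses: actions/checkout@v3
      - name: Build
        run: ./mvnw -B verify

  comment:
    # Only this job needs to write to the pull request, so the extra
    # scope is granted at job level. A job-level block replaces the
    # workflow-level one for that job, so `contents: read` is repeated.
    needs: build
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Report result
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr comment "${{ github.event.pull_request.number }}" \
            --body "Build finished: ${{ needs.build.result }}"
```

      To confirm the effective scopes, open any run of the workflow and expand the "Set up job" step: it prints a "GITHUB_TOKEN Permissions" section listing each scope the job received, which is the same listing the run linked in the description points at. The repository-wide setting under Settings > Actions > General > Workflow permissions can additionally be set to read-only so that any workflow that still omits a `permissions` block gets a read-only token by default, and the OpenSSF Scorecard Token-Permissions check flags workflows whose top level has no such block.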

      People

        Assignee: Ashish Kurmi (akurmi)
        Reporter: Ashish Kurmi (akurmi)

      Time Tracking

        Time Spent: 10m