
Commit 2b51f5e

feat: GITHUB_TOKEN permissions alignment (#146)
* ci: update semantic release action version, GITHUB_TOKEN policy alignment, minor refactor * chore: update README * chore: downgrade CLA permissions
1 parent 96f1d31 commit 2b51f5e


4 files changed

+146
-16
lines changed


.github/workflows/agreements.yaml

Lines changed: 5 additions & 0 deletions
@@ -8,6 +8,11 @@ on:
88
jobs:
99
call-workflow-agreements:
1010
uses: splunk/addonfactory-github-workflows/.github/workflows/[email protected]
11+
permissions:
12+
actions: read
13+
contents: read
14+
pull-requests: read
15+
statuses: read
1116
secrets:
1217
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
1318
PERSONAL_ACCESS_TOKEN: ${{ secrets.PAT_CLATOOL }}
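Review bot: The job-level `permissions:` added to `call-workflow-agreements` is entirely read-only (`pull-requests: read`, `statuses: read`), yet the called workflow is still handed `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`; if the agreements check sets a commit status or comments on the PR with that token, those calls will now be rejected, and the commit message ("downgrade CLA permissions") does not say whether that was verified. If all writes go through `PERSONAL_ACCESS_TOKEN` instead, the downgrade is sound, but that assumption deserves a comment above `permissions:`, e.g. `# read-only on purpose: status/comment writes use PAT_CLATOOL, not GITHUB_TOKEN`. The job definition continues outside the hunk.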

.github/workflows/build-test-release.yaml

Lines changed: 10 additions & 3 deletions
@@ -9,9 +9,12 @@ on:
99
- "v[0-9]+.[0-9]+.[0-9]+"
1010
pull_request:
1111
branches: [main, develop]
12-
12+
permissions:
13+
contents: write
14+
packages: read
15+
pull-requests: read
16+
statuses: write
1317
jobs:
14-
1518
compliance-copyrights:
1619
name: Compliance Copyright Headers
1720
runs-on: ubuntu-latest
@@ -48,9 +51,13 @@ jobs:
4851
persist-credentials: false
4952
- name: Semantic Release
5053
uses: splunk/[email protected]
51-
5254
env:
5355
GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}
56+
with:
57+
git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
58+
git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}
59+
gpg_private_key: ${{ secrets.SA_GPG_PRIVATE_KEY }}
60+
passphrase: ${{ secrets.SA_GPG_PASSPHRASE }}
5461

5562
update-semver:
5663
name: Move Respository semver tags
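Review bot: The workflow-level `permissions:` block in the first hunk grants `contents: write` and `statuses: write` to every job in this file, including `compliance-copyrights`, which by its name only inspects the checkout; placing the block at job level on the job that runs Semantic Release would keep the other jobs at read. In the second hunk the Semantic Release step keeps `GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}` even though the built-in token now carries `contents: write`, so either the workflow-level write grant is unused here or the PAT is needed for something the commit does not state (pushes made with the built-in token do not trigger follow-on workflows, which may be the reason). A one-line comment on that step, `# PAT rather than github.token: the release tag push must trigger downstream workflows (confirm)`, would record the decision. Both jobs extend beyond the hunks shown.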

.github/workflows/reusable-build-test-release.yml

Lines changed: 116 additions & 10 deletions
@@ -13,9 +13,6 @@ on:
1313
GH_TOKEN_ADMIN:
1414
description: Github admin token
1515
required: true
16-
GH_TOKEN:
17-
description: Github token
18-
required: true
1916
SEMGREP_PUBLISH_TOKEN:
2017
description: Semgrep token
2118
required: true
@@ -43,7 +40,21 @@ on:
4340
SKYNET_TOKEN:
4441
description: API token for Skynet
4542
required: false
46-
43+
SA_GH_USER_NAME:
44+
description: GPG signature username
45+
required: true
46+
SA_GH_USER_EMAIL:
47+
description: GPG signature user email
48+
required: true
49+
SA_GPG_PRIVATE_KEY:
50+
description: GPG signature private key
51+
required: true
52+
SA_GPG_PASSPHRASE:
53+
description: GPG signature passphrase
54+
required: true
55+
permissions:
56+
contents: read
57+
packages: read
4758
jobs:
4859
setup-workflow:
4960
runs-on: ubuntu-latest
@@ -145,6 +156,9 @@ jobs:
145156
matrix_supportedSC4S: ${{ steps.matrix.outputs.supportedSC4S }}
146157
matrix_supportedModinputFunctionalVendors: ${{ steps.matrix.outputs.supportedModinputFunctionalVendors }}
147158
matrix_supportedUIVendors: ${{ steps.matrix.outputs.supportedUIVendors }}
159+
permissions:
160+
contents: write
161+
packages: read
148162
steps:
149163
- name: Checkout
150164
uses: actions/checkout@v3
@@ -156,8 +170,12 @@ jobs:
156170
uses: splunk/[email protected]
157171
with:
158172
dry_run: true
173+
git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
174+
git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}
175+
gpg_private_key: ${{ secrets.SA_GPG_PRIVATE_KEY }}
176+
passphrase: ${{ secrets.SA_GPG_PASSPHRASE }}
159177
env:
160-
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
178+
GITHUB_TOKEN: ${{ github.token }}
161179
- name: Docker meta
162180
id: docker_action_meta
163181
uses: docker/[email protected]
@@ -280,6 +298,9 @@ jobs:
280298
- fossa-scan
281299
outputs:
282300
buildname: ${{ steps.buildupload.outputs.name }}
301+
permissions:
302+
contents: write
303+
packages: read
283304
steps:
284305
- uses: actions/checkout@v3
285306
with:
@@ -333,8 +354,12 @@ jobs:
333354
uses: splunk/[email protected]
334355
with:
335356
dry_run: true
357+
git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
358+
git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}
359+
gpg_private_key: ${{ secrets.SA_GPG_PRIVATE_KEY }}
360+
passphrase: ${{ secrets.SA_GPG_PASSPHRASE }}
336361
env:
337-
GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}
362+
GITHUB_TOKEN: ${{ github.token }}
338363
- name: Determine the version to build
339364
id: BuildVersion
340365
uses: splunk/addonfactory-get-splunk-package-version-action@v1
@@ -443,6 +468,13 @@ jobs:
443468
matrix:
444469
python-version:
445470
- "3.7"
471+
permissions:
472+
actions: read
473+
deployments: read
474+
contents: read
475+
packages: read
476+
statuses: read
477+
checks: write
446478
steps:
447479
- uses: actions/checkout@v3
448480
- name: Setup python
@@ -500,6 +532,13 @@ jobs:
500532
needs:
501533
- build
502534
- test-inventory
535+
permissions:
536+
actions: read
537+
deployments: read
538+
contents: read
539+
packages: read
540+
statuses: read
541+
checks: write
503542
steps:
504543
- uses: actions/checkout@v3
505544
- name: Install Python 3
@@ -567,6 +606,9 @@ jobs:
567606
- meta
568607
outputs:
569608
artifact: ${{ steps.artifactid.outputs.result }}
609+
permissions:
610+
contents: read
611+
packages: write
570612
steps:
571613
- uses: actions/checkout@v3
572614
- uses: actions/download-artifact@v3
@@ -591,7 +633,7 @@ jobs:
591633
with:
592634
registry: ghcr.io
593635
username: ${{ github.actor }}
594-
password: ${{ secrets.GH_TOKEN }}
636+
password: ${{ github.token }}
595637
- name: Docker meta
596638
id: meta
597639
uses: docker/[email protected]
@@ -717,6 +759,13 @@ jobs:
717759
SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
718760
TEST_TYPE: "knowledge"
719761
TEST_ARGS: ""
762+
permissions:
763+
actions: read
764+
deployments: read
765+
contents: read
766+
packages: read
767+
statuses: read
768+
checks: write
720769
steps:
721770
- uses: actions/checkout@v3
722771
with:
@@ -916,6 +965,13 @@ jobs:
916965
ARGO_NAMESPACE: ${{ needs.setup.outputs.argo-namespace }}
917966
TEST_TYPE: "requirement_test"
918967
TEST_ARGS: ""
968+
permissions:
969+
actions: read
970+
deployments: read
971+
contents: read
972+
packages: read
973+
statuses: read
974+
checks: write
919975
steps:
920976
- uses: actions/checkout@v3
921977
with:
@@ -1097,6 +1153,13 @@ jobs:
10971153
SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
10981154
TEST_TYPE: "ui"
10991155
TEST_ARGS: "--browser ${{ matrix.browser }}"
1156+
permissions:
1157+
actions: read
1158+
deployments: read
1159+
contents: read
1160+
packages: read
1161+
statuses: read
1162+
checks: write
11001163
steps:
11011164
- uses: actions/checkout@v3
11021165
with:
@@ -1285,6 +1348,13 @@ jobs:
12851348
SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
12861349
TEST_TYPE: "modinput_functional"
12871350
TEST_ARGS: ""
1351+
permissions:
1352+
actions: read
1353+
deployments: read
1354+
contents: read
1355+
packages: read
1356+
statuses: read
1357+
checks: write
12881358
steps:
12891359
- uses: actions/checkout@v3
12901360
with:
@@ -1482,6 +1552,13 @@ jobs:
14821552
ARGO_NAMESPACE: ${{ needs.setup.outputs.argo-namespace }}
14831553
SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
14841554
TEST_TYPE: "scripted_inputs"
1555+
permissions:
1556+
actions: read
1557+
deployments: read
1558+
contents: read
1559+
packages: read
1560+
statuses: read
1561+
checks: write
14851562
steps:
14861563
- uses: actions/checkout@v3
14871564
with:
@@ -1676,6 +1753,13 @@ jobs:
16761753
ARGO_NAMESPACE: ${{ needs.setup.outputs.argo-namespace }}
16771754
SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
16781755
TEST_TYPE: "scripted_inputs"
1756+
permissions:
1757+
actions: read
1758+
deployments: read
1759+
contents: read
1760+
packages: read
1761+
statuses: read
1762+
checks: write
16791763
steps:
16801764
- uses: actions/checkout@v3
16811765
with:
@@ -1868,6 +1952,13 @@ jobs:
18681952
ARGO_NAMESPACE: ${{ needs.setup.outputs.argo-namespace }}
18691953
SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
18701954
TEST_TYPE: "escu"
1955+
permissions:
1956+
actions: read
1957+
deployments: read
1958+
contents: read
1959+
packages: read
1960+
statuses: read
1961+
checks: write
18711962
steps:
18721963
- uses: actions/checkout@v3
18731964
with:
@@ -2054,13 +2145,18 @@ jobs:
20542145
- setup-workflow
20552146
if: ${{ needs.setup-workflow.outputs.skip-workflow != 'Yes' && github.event_name == 'pull_request' }}
20562147
runs-on: ubuntu-latest
2148+
permissions:
2149+
contents: read
2150+
packages: read
2151+
pull-requests: read
2152+
statuses: write
20572153
steps:
20582154
- uses: amannn/[email protected]
20592155
with:
20602156
wip: true
20612157
validateSingleCommit: true
20622158
env:
2063-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
2159+
GITHUB_TOKEN: ${{ github.token }}
20642160

20652161
pre-publish:
20662162
if: always()
@@ -2107,6 +2203,11 @@ jobs:
21072203
- pre-publish
21082204
- run-escu-tests
21092205
runs-on: ubuntu-latest
2206+
permissions:
2207+
contents: write
2208+
packages: read
2209+
pull-requests: read
2210+
statuses: write
21102211
steps:
21112212
- name: Checkout
21122213
uses: actions/checkout@v3
@@ -2118,6 +2219,11 @@ jobs:
21182219
uses: splunk/[email protected]
21192220
env:
21202221
GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}
2222+
with:
2223+
git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
2224+
git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}
2225+
gpg_private_key: ${{ secrets.SA_GPG_PRIVATE_KEY }}
2226+
passphrase: ${{ secrets.SA_GPG_PASSPHRASE }}
21212227
- name: Download package-deployment
21222228
if: ${{ steps.semantic.outputs.new_release_published == 'true' }}
21232229
uses: actions/download-artifact@v3
@@ -2164,7 +2270,7 @@ jobs:
21642270
if: ${{ steps.semantic.outputs.new_release_published == 'true' }}
21652271
uses: svenstaro/upload-release-action@v2
21662272
with:
2167-
repo_token: ${{ secrets.GH_TOKEN_ADMIN }}
2273+
repo_token: ${{ github.token }}
21682274
file: ${{ steps.download-package-splunkbase.outputs.download-path }}/*
21692275
overwrite: true
21702276
file_glob: true
@@ -2178,6 +2284,6 @@ jobs:
21782284
- name: Send logs to Skynet
21792285
uses: splunk/collect-ta-logs@main
21802286
with:
2181-
git_token: ${{secrets.GH_TOKEN}}
2287+
git_token: ${{ github.token }}
21822288
skynet-token: ${{ secrets.SKYNET_TOKEN }}
21832289
skynet-url: "https://http-inputs-services-ingest.splunkcloud.com/services/collector/event"
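Review bot: Dropping `GH_TOKEN` from the declared `secrets:` in the first hunk is a breaking change for existing callers: as far as I know GitHub rejects a `workflow_call` that passes a secret the called workflow does not declare, so any caller still sending `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` (the line the README hunk removes) fails at validation rather than degrading gracefully, and the commit message does not flag it as a major change. The build jobs now get `contents: write` while their only Semantic Release step runs with `dry_run: true` and `${{ github.token }}`; if the dry run's verify step does not require push access, `contents: read` would suffice there — worth confirming before shipping a write grant on a build-only job. A comment above the new top-level `permissions:` would also help callers reason about the layering, e.g. `# Default for jobs without their own block; every grant is further capped by what the caller passes`.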

README.md

Lines changed: 15 additions & 3 deletions
@@ -15,20 +15,32 @@ on:
1515
pull_request:
1616
branches:
1717
- "**"
18-
18+
# explicitly configure permissions, in case your GITHUB_TOKEN workflow permissions are set to read-only in repository settings
19+
permissions:
20+
actions: read
21+
checks: write
22+
contents: write
23+
deployments: read
24+
packages: write
25+
pull-requests: read
26+
statuses: write
1927
jobs:
2028
call-workflow:
2129
uses: splunk/addonfactory-workflow-addon-release/.github/workflows/[email protected]
2230
secrets:
2331
GH_TOKEN_ADMIN: ${{ secrets.GH_TOKEN_ADMIN }}
24-
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
25-
SEMGREP_PUBLISH_TOKEN: ${{ secrets.SEMGREP_PUBLISH_TOKEN }}
32+
SEMGREP_PUBLISH_TOKEN: ${{ secrets.SEMGREP_KEY }}
2633
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
2734
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
2835
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
2936
VT_API_KEY: ${{ secrets.VT_API_KEY }}
3037
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
3138
OTHER_TA_REQUIRED_CONFIGS: ${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
39+
FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
40+
SA_GH_USER_NAME: ${{ secrets.SA_GH_USER_NAME }}
41+
SA_GH_USER_EMAIL: ${{ secrets.SA_GH_USER_EMAIL }}
42+
SA_GPG_PRIVATE_KEY: ${{ secrets.SA_GPG_PRIVATE_KEY }}
43+
SA_GPG_PASSPHRASE: ${{ secrets.SA_GPG_PASSPHRASE }}
3244
```
3345
3446
***
