OnMSFT.com
GitHub launches actions-permissions: a tool to strengthen security for GitHub Actions

Pranav Bhardwaj
June 27, 2023

GitHub, the leading platform for software development collaboration, has unveiled a new tool called actions-permissions. It is designed to give users better security and control over the repository token used in GitHub Actions workflows.

GitHub Actions, which allow users to automate tasks and workflows within their repositories, use a temporary repository access token known as GITHUB_TOKEN. In the past, this token carried wide-ranging permissions, granting full read and write access to the repository; the only exception was workflows triggered by pull requests from forks. In 2021, however, GitHub introduced a more fine-grained permission model for workflow tokens. As part of that change, the default permissions for new repositories and organizations were set to read-only, providing a more secure starting point.

Despite these advancements, a significant number of workflows still run with a write-all token because of their default workflow permission settings, even though in many cases write permissions are not actually needed. To check whether a workflow is using overly broad default permissions, users can look at the "Workflow permissions" section in the repository or organization settings.

While switching to a read-only permission setting is considered a security best practice, doing so may inadvertently break existing workflows that rely on write-all permissions. Applying the principle of least privilege raises a further challenge: complex workflows often involve multiple actions, so it is easy to overlook a specific permission required for the workflow to run correctly. Additionally, the varied steps and error-handling paths in a workflow can make it hard to determine the precise set of privileges needed for more intricate workflow definitions.

To help users move to a more secure workflow permission model, GitHub has introduced a set of tools under the name actions-permissions. They provide monitoring and recommendation features that simplify identifying and assigning the minimum permissions a given workflow requires.

The Monitor action, one of the key components of actions-permissions, installs a local proxy within the workflow runner. It actively collects information about any interactions with the GitHub API initiated by the workflow, allowing users to review and understand the minimum permissions needed. The recommendations are conveniently presented as part of the workflow run summary, providing clear insights into the required permissions.

In addition to the Monitor action, GitHub offers the Advisor action, which functions as both a local tool and a way to summarize the recommendations from multiple workflow runs. This feature provides users with a comprehensive overview of the permissions required across various iterations of their workflows.
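The following is an added example, not code from the actions-permissions project, that sketches the idea behind the Monitor and Advisor actions described above: take the GitHub API calls a workflow made with its GITHUB_TOKEN, map each to the permission scope and level it needs, merge the results across several runs, and emit the `permissions:` block to paste into the workflow. The log format, the `run=` ids, the route-to-scope table and the function names are all constructed for illustration; the real tool derives its recommendations from GitHub's own permission data, and the table here is deliberately incomplete so that the example shows how an unrecognised call is surfaced for manual review instead of being silently dropped.

```python
"""Toy reconstruction of the Monitor/Advisor idea (added example, not the
actions-permissions project's code): observe GitHub API calls made with
GITHUB_TOKEN, map each to the scope and level it needs, merge across runs,
and render a least-privilege `permissions:` block."""
from __future__ import annotations

import re
from typing import Iterable, Iterator

# Constructed, deliberately incomplete mapping from REST routes to the
# GITHUB_TOKEN scope and level they need (an assumption for illustration).
# First matching (method, pattern) wins.
ROUTE_PERMISSIONS: list[tuple[str, str, str, str]] = [
    ("GET", r"^/repos/[^/]+/[^/]+/(contents|commits|git)(/|$)", "contents", "read"),
    ("POST", r"^/repos/[^/]+/[^/]+/releases(/|$)", "contents", "write"),
    ("POST", r"^/repos/[^/]+/[^/]+/issues/\d+/comments$", "pull-requests", "write"),
    ("GET", r"^/repos/[^/]+/[^/]+/pulls(/|$)", "pull-requests", "read"),
    ("GET", r"^/repos/[^/]+/[^/]+/issues(/|$)", "issues", "read"),
    ("POST", r"^/repos/[^/]+/[^/]+/statuses/[0-9a-f]+$", "statuses", "write"),
]
LEVEL_RANK = {"read": 1, "write": 2}  # "write" implies "read" on a scope

# Constructed log format a monitoring proxy might write: one API call per line.
LOG_RE = re.compile(r"^run=(?P<run>\d+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)")

# Constructed sample: three runs of the same workflow, as the Advisor would
# summarise them. Run 3 deletes a git ref, which the table above does not cover.
SAMPLE_LOG = """\
run=1 GET /repos/octo/app/contents/README.md -> 200
run=1 POST /repos/octo/app/statuses/3f2a1b -> 201
run=2 GET /repos/octo/app/pulls/17 -> 200
run=2 POST /repos/octo/app/issues/17/comments -> 201
run=2 GET /repos/octo/app/contents/README.md -> 200
run=3 DELETE /repos/octo/app/git/refs/heads/tmp -> 204
"""


def classify(method: str, path: str) -> tuple[str, str] | None:
    """Return (scope, level) for an API call, or None if the route is unknown."""
    for known_method, pattern, scope, level in ROUTE_PERMISSIONS:
        if known_method == method and re.match(pattern, path):
            return scope, level
    return None


def parse_log(lines: Iterable[str]) -> Iterator[tuple[int, str, str]]:
    """Yield (run, method, path) for each well-formed log line; skip the rest."""
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match:
            yield int(match["run"]), match["method"], match["path"]


def advise(lines: Iterable[str]) -> tuple[dict[str, str], list[tuple[int, str, str]]]:
    """Merge the scopes needed across all runs, keeping the highest level seen
    per scope, and collect calls the table could not classify."""
    required: dict[str, str] = {}
    unmatched: list[tuple[int, str, str]] = []
    for run, method, path in parse_log(lines):
        hit = classify(method, path)
        if hit is None:
            unmatched.append((run, method, path))
            continue
        scope, level = hit
        current = LEVEL_RANK.get(required.get(scope, ""), 0)
        if LEVEL_RANK[level] > current:
            required[scope] = level
    return required, unmatched


def render_permissions(required: dict[str, str]) -> str:
    """Render a workflow-level `permissions:` block; `{}` means no scopes at all."""
    if not required:
        return "permissions: {}\n"
    body = [f"  {scope}: {level}" for scope, level in sorted(required.items())]
    return "\n".join(["permissions:", *body]) + "\n"


if __name__ == "__main__":
    needed, unknown = advise(SAMPLE_LOG.splitlines())
    print(render_permissions(needed))
    for run, method, path in unknown:
        print(f"# run {run}: {method} {path} not classified; review manually")
```

Pasting the rendered block at the top level of a workflow file replaces the repository's default token permissions for that workflow, so a workflow whose runs only ever read contents and post statuses no longer holds a write-all token. The unmatched line is the important failure mode: a recommendation built from an incomplete observation set (or an incomplete mapping table) can be too narrow, which is exactly why the article suggests collecting several runs before committing to the result.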

Once users have implemented the recommended permissions in their workflows, they can discontinue the use of these tools. If any additional permissions become necessary for future iterations, users can easily add them as required.

GitHub welcomes users to try out these tools and provide valuable feedback, contributing to the ongoing improvement of GitHub’s offerings. With actions-permissions, GitHub continues to demonstrate its commitment to providing a safe and efficient environment for developers and organizations worldwide.
