
GitHub Workflows security hardening #370

Merged (1 commit, May 24, 2023)

Conversation

sashashura (Contributor)

This PR adds an explicit permissions section to workflows. This is a security best practice because by default workflows run with an extended set of permissions (except for on: pull_request from external forks). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an injection or a compromised third-party tool or action) is restricted.
It is recommended to have the most strict permissions at the top level and grant write permissions at the job level case by case.
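The pattern the PR describes, as an added example that is not code from the enhanced-resolve repository or from this PR: a workflow whose top-level `permissions` block leaves the `GITHUB_TOKEN` read-only, with a single job that is granted write scope for the one thing it needs. The workflow name, trigger filters, job names, Node version and the release step are assumptions chosen for illustration.

```yaml
# Added example (not from the enhanced-resolve repository): least-privilege
# GITHUB_TOKEN permissions. Names, triggers and steps are illustrative.
name: ci

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

# Top level: the most restrictive grant that still lets jobs check out code.
# Naming any scope here sets every scope not listed to "none", so the token
# handed to the jobs below cannot push, open PRs, publish packages or comment.
permissions:
  contents: read

jobs:
  test:
    # Inherits the read-only token. A compromised dependency or third-party
    # action running in this job can read the repository but cannot write to it.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18
      - run: npm ci
      - run: npm test

  release:
    # Only this job needs to write, and only the "contents" scope (creating a
    # release). A job-level block replaces the top-level one: scopes not listed
    # here are still "none" for this job.
    if: startsWith(github.ref, 'refs/tags/v')
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

Two practical notes. A workflow that needs no token at all can declare `permissions: {}`, which disables every scope. And the per-workflow block is a defence in depth, not a replacement for the repository or organisation default: under Settings > Actions > General > Workflow permissions the default token can be set to read-only, so a workflow that forgets the block still starts from a restrictive baseline.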


codecov bot commented May 24, 2023

Codecov Report

Patch coverage has no change and project coverage change: -2.34 ⚠️

Comparison is base (ca76a47) 95.18% compared to head (86c2148) 92.85%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #370      +/-   ##
==========================================
- Coverage   95.18%   92.85%   -2.34%     
==========================================
  Files          40       43       +3     
  Lines        1661     2042     +381     
  Branches        0      598     +598     
==========================================
+ Hits         1581     1896     +315     
- Misses         80      118      +38     
- Partials        0       28      +28     

see 43 files with indirect coverage changes


@alexander-akait alexander-akait merged commit 6a9e1fa into webpack:main May 24, 2023
renovate bot referenced this pull request in Unleash/unleash Jun 22, 2023

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [enhanced-resolve](https://togithub.com/webpack/enhanced-resolve) | [`5.14.1` -> `5.15.0`](https://renovatebot.com/diffs/npm/enhanced-resolve/5.14.1/5.15.0) | [![age](https://badges.renovateapi.com/packages/npm/enhanced-resolve/5.15.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/enhanced-resolve/5.15.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/enhanced-resolve/5.15.0/compatibility-slim/5.14.1)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/enhanced-resolve/5.15.0/confidence-slim/5.14.1)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>webpack/enhanced-resolve</summary>

### [`v5.15.0`](https://togithub.com/webpack/enhanced-resolve/releases/tag/v5.15.0)

[Compare Source](https://togithub.com/webpack/enhanced-resolve/compare/v5.14.1...v5.15.0)

#### New Features

- Ignore `false`/`null`/`undefined` plugins by [@&#8203;alexander-akait](https://togithub.com/alexander-akait) in [https://github.com/webpack/enhanced-resolve/pull/389](https://togithub.com/webpack/enhanced-resolve/pull/389)

#### Dependencies & Maintenance

- GitHub Workflows security hardening by [@&#8203;sashashura](https://togithub.com/sashashura) in [https://github.com/webpack/enhanced-resolve/pull/370](https://togithub.com/webpack/enhanced-resolve/pull/370)
- Add cSpell commit hook by [@&#8203;nschonni](https://togithub.com/nschonni) in [https://github.com/webpack/enhanced-resolve/pull/327](https://togithub.com/webpack/enhanced-resolve/pull/327)

#### New Contributors

- [@&#8203;sashashura](https://togithub.com/sashashura) made their first contribution in [https://github.com/webpack/enhanced-resolve/pull/370](https://togithub.com/webpack/enhanced-resolve/pull/370)

**Full Changelog**: webpack/enhanced-resolve@v5.14.1...v5.15.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/Unleash/unleash).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>