This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch feat/permissions
in repository https://gitbox.apache.org/repos/asf/logging-parent.git

commit 1d94ee520ac17757198db445e5fd4bc20daa4be1
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Tue Jun 24 15:00:08 2025 +0200

    feat: Restrict permissions in reusable workflows
    
    This update limits the `GITHUB_TOKEN` permissions granted to reusable 
workflows, ensuring they operate with only the permissions strictly necessary 
for their function.
    
    Although GitHub ensures that reusable workflows cannot exceed the 
permissions granted by the calling workflow, [GitHub 
documentation](https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions)
 recommends that they explicitly declare the minimal permissions they require. 
This practice helps prevent misuse in scenarios where a caller might 
over-provision permissions.
    
    #### 🔐 Updated Permissions by Workflow:
    
    - **`contents: write`**
      Required only by:
      - `deploy-release-reusable`
      - `deploy-site-reusable`
      These workflows need write access to push changes to Git branches.
      For all other workflows, we now explicitly set `contents: none`.
    
    - **`security-events: write`**
      Required only by:
      - `codeql-analysis-reusable`
      - `scorecards-analysis-reusable`
      These workflows need this permission to upload security scanning results.
    
    By scoping permissions tightly, we improve our workflows’ security posture 
without impacting functionality.
---
 .github/workflows/build-reusable.yaml                  | 4 ++++
 .github/workflows/build.yaml                           | 2 +-
 .github/workflows/codeql-analysis-reusable.yaml        | 7 +++++++
 .github/workflows/codeql-analysis.yaml                 | 4 +---
 .github/workflows/deploy-release-reusable.yaml         | 8 ++++++++
 .github/workflows/deploy-site-reusable.yaml            | 8 +++++++-
 .github/workflows/deploy-site.yaml                     | 2 +-
 .github/workflows/deploy-snapshot-reusable.yaml        | 4 ++++
 .github/workflows/scorecards-analysis-reusable.yaml    | 8 +++++++-
 .github/workflows/verify-reproducibility-reusable.yaml | 4 ++++
 src/changelog/.12.x.x/limit-permissions.xml            | 9 +++++++++
 src/site/antora/modules/ROOT/examples/build.yaml       | 2 +-
 src/site/antora/modules/ROOT/examples/deploy-site.yaml | 3 +--
 13 files changed, 55 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/build-reusable.yaml 
b/.github/workflows/build-reusable.yaml
index 89c72d3..1948477 100644
--- a/.github/workflows/build-reusable.yaml
+++ b/.github/workflows/build-reusable.yaml
@@ -65,6 +65,10 @@ on:
 env:
   MAVEN_ARGS: ${{ inputs.maven-args }}
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
 
   build:
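Review bot: With `permissions: { }` at the workflow level and no job-level grant, the `build` job's token carries no `contents: read`, which is fine for checking out a public repository but would make `actions/checkout` fail for any private caller; that assumption should be stated next to the grant, e.g. `# No token permissions are needed for a public repository; a private checkout would need contents: read.` The same comment is worth adding where the identical block is introduced in deploy-snapshot-reusable.yaml and verify-reproducibility-reusable.yaml. The `build` job's steps continue outside the hunk, so whether any of them uses the token cannot be confirmed here.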
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 124759a..b490d54 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -38,7 +38,7 @@ concurrency:
   group: ${{ github.ref_name == 'main' && github.ref || github.ref_name }}
   cancel-in-progress: true
 
-permissions: read-all
+permissions: { }
 
 jobs:
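Review bot: `permissions: { }` with inner spaces is an unconventional spelling of the empty flow mapping, and the codeql-analysis.yaml hunk even rewrites an existing `permissions: {}` into this form. Prettier and the GitHub documentation examples print the empty mapping as `{}`, so I would write `permissions: {}` here and in the other hunks of this commit (build-reusable, codeql-analysis(-reusable), deploy-release-reusable, deploy-site(-reusable), deploy-snapshot-reusable, scorecards-analysis-reusable, verify-reproducibility-reusable and the two Antora examples) instead of normalising the one existing `{}` to `{ }`.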
 
diff --git a/.github/workflows/codeql-analysis-reusable.yaml 
b/.github/workflows/codeql-analysis-reusable.yaml
index 7dfd0af..4eda1cf 100644
--- a/.github/workflows/codeql-analysis-reusable.yaml
+++ b/.github/workflows/codeql-analysis-reusable.yaml
@@ -31,11 +31,18 @@ on:
         default: java
         type: string
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
 
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    # Permissions required to publish Security Alerts
+    permissions:
+      security-events: write
 
     steps:
 
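Review bot: The `analyze` job is left with only `security-events: write`, and the second hunk of codeql-analysis.yaml drops `actions: read` and `contents: read` from the same job; the CodeQL action documents those two as required for private repositories (and `packages: read` when pulling private CodeQL packs), so this is correct only as long as every consumer of the reusable workflow is a public repository. I would record that assumption with the grant: `# security-events: write lets the analyze step upload SARIF; private repositories also need actions: read and contents: read.` The `analyze` job's steps continue outside the hunk.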
diff --git a/.github/workflows/codeql-analysis.yaml 
b/.github/workflows/codeql-analysis.yaml
index 1f189e8..1de7d4f 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -27,7 +27,7 @@ on:
   schedule:
     - cron: '32 12 * * 5'
 
-permissions: {}
+permissions: { }
 
 jobs:
 
@@ -36,8 +36,6 @@ jobs:
     runs-on: ubuntu-latest
     # Permissions required to publish Security Alerts
     permissions:
-      actions: read
-      contents: read
       security-events: write
 
     steps:
diff --git a/.github/workflows/deploy-release-reusable.yaml 
b/.github/workflows/deploy-release-reusable.yaml
index 0b91397..003cc4e 100644
--- a/.github/workflows/deploy-release-reusable.yaml
+++ b/.github/workflows/deploy-release-reusable.yaml
@@ -52,12 +52,20 @@ on:
         description: Subversion password for uploading the release distribution
         required: true
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
     outputs:
       project-version: ${{ steps.version.outputs.project-version }}
       nexus-url: ${{ steps.nexus.outputs.nexus-url }}
+    permissions:
+      # Write permissions to allow the Maven `revision` property update, 
changelog release, etc.
+      contents: write
+
     steps:
 
       - name: Checkout repository
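Review bot: The comment on the new `contents: write` grant ends in `etc.`, which leaves the next reviewer unable to check whether the grant is still needed; name the steps that actually push, e.g. `# contents: write — the steps below commit the Maven revision update and the changelog release and push them.` Because the grant is job-wide, every step in `deploy`, including the Nexus and Subversion uploads that take the secrets declared above, runs with a write-capable token; if the push happens only at the end of the job, moving it into a separate job that alone receives `contents: write` would shrink that exposure. The job's steps continue outside the hunk, so I cannot judge that split here.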
diff --git a/.github/workflows/deploy-site-reusable.yaml 
b/.github/workflows/deploy-site-reusable.yaml
index 27f4913..f6bdc04 100644
--- a/.github/workflows/deploy-site-reusable.yaml
+++ b/.github/workflows/deploy-site-reusable.yaml
@@ -45,11 +45,17 @@ on:
         description: GPG secret key for signing commits
         required: true
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
 
   deploy:
-
     runs-on: ubuntu-latest
+    permissions:
+      # Write permissions for committing the generated site
+      contents: write
 
     steps:
 
diff --git a/.github/workflows/deploy-site.yaml 
b/.github/workflows/deploy-site.yaml
index 5155ce8..182285a 100644
--- a/.github/workflows/deploy-site.yaml
+++ b/.github/workflows/deploy-site.yaml
@@ -27,7 +27,7 @@ on:
       - "**.md"
       - "**.txt"
 
-permissions: read-all
+permissions: { }
 
 jobs:
 
diff --git a/.github/workflows/deploy-snapshot-reusable.yaml 
b/.github/workflows/deploy-snapshot-reusable.yaml
index c1b1c3d..ba09176 100644
--- a/.github/workflows/deploy-snapshot-reusable.yaml
+++ b/.github/workflows/deploy-snapshot-reusable.yaml
@@ -36,6 +36,10 @@ on:
         description: Nexus snapshot repository password for deploying artifacts
         required: true
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/scorecards-analysis-reusable.yaml 
b/.github/workflows/scorecards-analysis-reusable.yaml
index 127b74d..0805bbd 100644
--- a/.github/workflows/scorecards-analysis-reusable.yaml
+++ b/.github/workflows/scorecards-analysis-reusable.yaml
@@ -20,12 +20,18 @@ name: scorecards-analysis
 on:
   workflow_call:
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
 
   analysis:
-
     name: "Scorecards analysis"
     runs-on: ubuntu-latest
+    # Permissions required to publish Security Alerts
+    permissions:
+      security-events: write
 
     steps:
 
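Review bot: The `analysis` job gets only `security-events: write`, while ossf/scorecard-action additionally documents `id-token: write` as required when `publish_results` is enabled, and `contents: read` plus `actions: read` for private repositories. If the `analysis` steps (outside this hunk) set `publish_results: true`, add `id-token: write` under the new `permissions:` block; otherwise make the omission explicit with `# id-token: write is not needed: results are not published to the Scorecard API.` Before this change the job relied on whatever the caller granted, so the narrower token should be verified against a real run of the workflow.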
diff --git a/.github/workflows/verify-reproducibility-reusable.yaml 
b/.github/workflows/verify-reproducibility-reusable.yaml
index 5bf7662..7f7f38e 100644
--- a/.github/workflows/verify-reproducibility-reusable.yaml
+++ b/.github/workflows/verify-reproducibility-reusable.yaml
@@ -39,6 +39,10 @@ env:
   MAVEN_ARGS: ${{ inputs.maven-args }}
   NEXUS_URL: ${{ inputs.nexus-url }}
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
 
   build:
diff --git a/src/changelog/.12.x.x/limit-permissions.xml 
b/src/changelog/.12.x.x/limit-permissions.xml
new file mode 100644
index 0000000..38798d3
--- /dev/null
+++ b/src/changelog/.12.x.x/limit-permissions.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+       xmlns="https://logging.apache.org/xml/ns";
+       xsi:schemaLocation="https://logging.apache.org/xml/ns 
https://logging.apache.org/xml/ns/log4j-changelog-0.xsd";
+       type="changed">
+  <description format="asciidoc">
+    Restricts permissions in reusable workflows by removing unnecessary 
permissions inherited from the caller.
+  </description>
+</entry>
diff --git a/src/site/antora/modules/ROOT/examples/build.yaml 
b/src/site/antora/modules/ROOT/examples/build.yaml
index 24eedfd..208143f 100644
--- a/src/site/antora/modules/ROOT/examples/build.yaml
+++ b/src/site/antora/modules/ROOT/examples/build.yaml
@@ -24,7 +24,7 @@ on:
       - "release/2*"
   pull_request:
 
-permissions: read-all
+permissions: { }
 
 jobs:
 
diff --git a/src/site/antora/modules/ROOT/examples/deploy-site.yaml 
b/src/site/antora/modules/ROOT/examples/deploy-site.yaml
index 68d6e94..13838b7 100644
--- a/src/site/antora/modules/ROOT/examples/deploy-site.yaml
+++ b/src/site/antora/modules/ROOT/examples/deploy-site.yaml
@@ -27,7 +27,7 @@ on:
       - "**.md"
       - "**.txt"
 
-permissions: read-all
+permissions: { }
 
 jobs:
 
@@ -64,7 +64,6 @@ jobs:
     with:
       asf-yaml-content: |
         publish:
-          profile: ~
           whoami: ${{ github.ref_name }}-out
           subdir: content/log4j/2.x
       install-required: true
