Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reducing security risk in our GitHub workflows #125

Open
afshin opened this issue Apr 22, 2021 · 4 comments
Open

Reducing security risk in our GitHub workflows #125

afshin opened this issue Apr 22, 2021 · 4 comments

Comments

@afshin
Copy link
Member

afshin commented Apr 22, 2021

We have switched the default behavior for this org to "Workflows have read permissions in the repository for the contents scope only" to utilize GitHub Actions: Control permissions for GITHUB_TOKEN . See also jupyterhub/team-compass#404

An example PR that allows fine-grained permissions is jupyterlab/jupyterlab#10136.
@afshin afshin mentioned this issue Apr 22, 2021
Merged
@jtpio jtpio mentioned this issue Apr 23, 2021
Merged
@krassowski krassowski mentioned this issue Jun 1, 2021
Merged
@jtpio jtpio mentioned this issue Jun 9, 2021
Merged
@krassowski
Copy link
Member

krassowski commented Oct 23, 2021
edited
Loading

As a precaution for JupyterLab Desktop, can we harden its publish action? CC @mbektas:

  • could we use conda-incubator/setup-miniconda over s-weigand/setup-conda (more eyes on the former one)
  • could we hash-pin svenstaro/upload-release-action?
  • could we hash-pin codex-team/action-nodejs-package-info?

Or maybe some of these are not needed in the first place.

@krassowski
Copy link
Member

At jupyterlab-translate, we may want to hash-pin ncipollo/release-action (again, few watchers).

@mbektas
Copy link
Member

mbektas commented Oct 25, 2021

As a precaution for JupyterLab Desktop, can we harden its publish action? CC @mbektas:

  • could we use conda-incubator/setup-miniconda over s-weigand/setup-conda (more eyes on the former one)
  • could we hash-pin svenstaro/upload-release-action?
  • could we hash-pin codex-team/action-nodejs-package-info?

Or maybe some of these are not needed in the first place.

I think these changes make sense for precaution.

@goanpeca
Copy link
Member

@conda-incubator/setup-miniconda maintainer creator here 😶 ... no pressure 😆

fcollonval added a commit to jupyterlab/jupyterlab-translate that referenced this issue Oct 27, 2021
@fcollonval
Hash pin ncipollo/release-action
6dd987a 
Follow-up of jupyterlab/frontends-team-compass#125 (comment)
@fcollonval fcollonval mentioned this issue Oct 27, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@afshin @goanpeca @krassowski @mbektas