Skip to content

feat: add explicit read-only permission #1824

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
serkan-ozal merged 1 commit into from
May 24, 2025
Merged

feat: add explicit read-only permission #1824

serkan-ozal merged 1 commit into from
May 24, 2025

Conversation

@maxday
Copy link
Member

@maxday maxday commented May 21, 2025

Context:
This PR helps increasing the security score here: https://clomonitor.io/projects/cncf/open-telemetry#opentelemetry-lambda

Content of this PR
This PR fixes token permission by setting them read-only by default. See clomonitor check definition here: https://clomonitor.io/docs/topics/checks/#token-permissions-from-openssf-scorecard

This will resolve this failing check:
Screenshot 2025-05-22 at 12 35 07 AM

Full error/warning message:

Info: topLevel permissions set to 'read-all': .github/workflows/check-links.yaml:11
Warn: no topLevel permission defined: .github/workflows/ci-collector.yml:1: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/ci-collector.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Warn: no topLevel permission defined: .github/workflows/ci-nodejs.yml:1: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/ci-nodejs.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Warn: no topLevel permission defined: .github/workflows/ci-python.yml:1: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/ci-python.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Warn: no topLevel permission defined: .github/workflows/ci-shellcheck.yml:1: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/ci-shellcheck.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Warn: no topLevel permission defined: .github/workflows/ci-terraform.yml:1: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/ci-terraform.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Warn: no topLevel permission defined: .github/workflows/codeql.yml:1: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/codeql.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:34
Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:35
Info: topLevel 'contents' permission set to 'read': .github/workflows/fossa.yml:9
Info: topLevel 'contents' permission set to 'read': .github/workflows/layer-publish.yml:46
Info: topLevel permissions set to 'read-all': .github/workflows/ossf-scorecard.yml:11
Warn: no topLevel permission defined: .github/workflows/publish-layer-collector.yml:1: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/publish-layer-collector.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Warn: topLevel 'contents' permission set to 'write': .github/workflows/release-layer-collector.yml:11: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/release-layer-collector.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Warn: topLevel 'contents' permission set to 'write': .github/workflows/release-layer-java.yml:11: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/release-layer-java.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Warn: topLevel 'contents' permission set to 'write': .github/workflows/release-layer-nodejs.yml:11: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/release-layer-nodejs.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Warn: topLevel 'contents' permission set to 'write': .github/workflows/release-layer-python.yml:11: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/release-layer-python.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Warn: topLevel 'contents' permission set to 'write': .github/workflows/release-layer-ruby.yml:11: Visit https://app.stepsecurity.io/secureworkflow/open-telemetry/opentelemetry-lambda/release-layer-ruby.yml/main?enable=permissions
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
Info: no jobLevel write permissions found

@maxday maxday requested a review from a team as a code owner May 21, 2025 23:39
@serkan-ozal serkan-ozal merged commit 2987317 into open-telemetry:main May 24, 2025
22 checks passed
@maxday maxday mentioned this pull request May 28, 2025
Merged
@maxday maxday mentioned this pull request Jun 4, 2025
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pragmaticivan pragmaticivan pragmaticivan approved these changes

@serkan-ozal serkan-ozal serkan-ozal approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@maxday @pragmaticivan @serkan-ozal