mirror
/
PHPMailer
mirror of https://github.com/PHPMailer/PHPMailer.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

GH Actions: set permissions for each workflow/job 

> Users frequently over-scope their workflow and job permissions, or set broad workflow-level permissions without realizing that all jobs inherit those permissions.
>
> Furthermore, users often don't realize that the _default_ `GITHUB_TOKEN` permissions can be very broad, meaning that workflows that don't configure any permissions at all can _still_ provide excessive credentials to their individual jobs.
>
> **Remediation**
> In general, permissions should be declared as minimally as possible, and as close to their usage site as possible.
>
> In practice, this means that workflows should almost always set `permissions: {}` at the workflow level to disable all permissions by default, and then set specific job-level permissions as needed.

This was already addressed for the other two workflows, just not for the `tests` one.

As far as I can see, the jobs here do not need the `GITHUB_TOKEN` secret and even if they do, only for `content: read`, which for public repos does not need to be set explicitly, though it doesn't do any harm to have that set anyway.

Refs:
* https://docs.zizmor.sh/audits/#excessive-permissions
This commit is contained in:
jrfnl 2025-09-20 05:08:24 +02:00
parent 041c556075
commit c8fdd4178e
No known key found for this signature in database
GPG Key ID: 88BCD0973A23BCC6
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
.github/workflows/tests.yml vendored
View File

@ -6,8 +6,7 @@ on:
# Allow manually triggering the workflow.
workflow_dispatch:
permissions:
contents: read # to fetch code (actions/checkout)
permissions: {}
jobs:
@ -15,6 +14,9 @@ jobs:
runs-on: ubuntu-22.04
name: Coding standards
permissions:
contents: read # to fetch code (actions/checkout)
steps:
- name: Check out code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@ -57,6 +59,9 @@ jobs:
name: "Lint: PHP ${{ matrix.php }}"
continue-on-error: ${{ matrix.experimental }}
permissions:
contents: read # to fetch code (actions/checkout)
steps:
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@ -129,6 +134,9 @@ jobs:
continue-on-error: ${{ matrix.experimental }}
permissions:
contents: read # to fetch code (actions/checkout)
steps:
- name: Check out code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0