This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-parent.git


The following commit(s) were added to refs/heads/main by this push:
     new 2d81308  feat: Restrict permissions in reusable workflows (#421)
2d81308 is described below

commit 2d8130878fd77c3b145f0cba855f1790e3d37d18
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Mon Jun 30 13:09:46 2025 +0200

    feat: Restrict permissions in reusable workflows (#421)
    
    ### feat: Restrict permissions in reusable workflows
    
    This update limits the `GITHUB_TOKEN` permissions granted to reusable 
workflows, ensuring they operate with only the permissions strictly necessary 
for their function.
    
    Although GitHub ensures that reusable workflows cannot exceed the 
permissions granted by the calling workflow, [GitHub 
documentation](https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions)
 recommends that they explicitly declare the minimal permissions they require. 
This practice helps prevent misuse in scenarios where a caller might 
over-provision permissions.
    
    #### 🔐 Updated Permissions by Workflow:
    
    - **`contents: write`**
      Required only by:
      - `deploy-release-reusable`
      - `deploy-site-reusable`
      These workflows need write access to push changes to Git branches.
      For all other workflows, we now explicitly set `contents: none`.
    
    - **`security-events: write`**
      Required only by:
      - `codeql-analysis-reusable`
      - `scorecards-analysis-reusable`
      These workflows need this permission to upload security scanning results.
    
    By scoping permissions tightly, we improve our workflows’ security posture 
without impacting functionality.
    
    * Remove `profile: ~`
    
    ### fix: Clarify workflow-level `permissions` setting
    
    Add a comment explaining that setting `permissions` at the workflow level 
defines the **default** permissions for all jobs.
    To enforce the principle of least privilege, the default is set to `{}` (no 
permissions), requiring each job to explicitly declare only what it needs.
    
    Co-authored-by: Volkan Yazıcı <[email protected]>
---
 .github/workflows/build-reusable.yaml                  | 4 ++++
 .github/workflows/build.yaml                           | 4 +++-
 .github/workflows/codeql-analysis-reusable.yaml        | 7 +++++++
 .github/workflows/codeql-analysis.yaml                 | 6 +++---
 .github/workflows/deploy-release-reusable.yaml         | 8 ++++++++
 .github/workflows/deploy-site-reusable.yaml            | 8 +++++++-
 .github/workflows/deploy-site.yaml                     | 5 +++--
 .github/workflows/deploy-snapshot-reusable.yaml        | 4 ++++
 .github/workflows/scorecards-analysis-reusable.yaml    | 8 +++++++-
 .github/workflows/verify-reproducibility-reusable.yaml | 4 ++++
 src/changelog/.12.x.x/limit-permissions.xml            | 9 +++++++++
 src/site/antora/modules/ROOT/examples/build.yaml       | 4 +++-
 src/site/antora/modules/ROOT/examples/deploy-site.yaml | 5 +++--
 13 files changed, 65 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/build-reusable.yaml 
b/.github/workflows/build-reusable.yaml
index 89c72d3..1948477 100644
--- a/.github/workflows/build-reusable.yaml
+++ b/.github/workflows/build-reusable.yaml
@@ -65,6 +65,10 @@ on:
 env:
   MAVEN_ARGS: ${{ inputs.maven-args }}
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
 
   build:
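Review bot: The `build` job that follows the new workflow-level `permissions: { }` declares no job-level permissions, so its `GITHUB_TOKEN` is left with no scopes at all. On a public repository that is sufficient for a checkout, but a private repository calling this reusable workflow would need the job itself to declare `contents: read`, and as far as I can tell a caller cannot raise a callee's permissions from outside. Consider recording that assumption next to the reference, e.g. `# Jobs below declare no permissions: this workflow assumes a public repository, where checkout needs no token scope.` The `build` job's body continues outside the hunk; the same point applies to the deploy-snapshot-reusable.yaml and verify-reproducibility-reusable.yaml hunks.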
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 124759a..7a145cb 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -38,7 +38,9 @@ concurrency:
   group: ${{ github.ref_name == 'main' && github.ref || github.ref_name }}
   cancel-in-progress: true
 
-permissions: read-all
+# Default permissions for each job.
+# Additional permissions should be assigned on a per-job basis.
+permissions: { }
 
 jobs:
 
diff --git a/.github/workflows/codeql-analysis-reusable.yaml 
b/.github/workflows/codeql-analysis-reusable.yaml
index 7dfd0af..4eda1cf 100644
--- a/.github/workflows/codeql-analysis-reusable.yaml
+++ b/.github/workflows/codeql-analysis-reusable.yaml
@@ -31,11 +31,18 @@ on:
         default: java
         type: string
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
 
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    # Permissions required to publish Security Alerts
+    permissions:
+      security-events: write
 
     steps:
 
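Review bot: The `analyze` job's new permissions block grants only `security-events: write`, which is what the CodeQL action documents for public repositories; its documentation additionally lists `actions: read` and `contents: read` for private repositories and `packages: read` when private CodeQL packs are fetched. If this reusable workflow is intended only for public repositories, that is worth stating in the comment, e.g. `# Permissions required to publish Security Alerts (public repositories; private callers also need actions: read and contents: read)`. The `analyze` job's steps continue outside the hunk.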
diff --git a/.github/workflows/codeql-analysis.yaml 
b/.github/workflows/codeql-analysis.yaml
index 1f189e8..abd6014 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -27,7 +27,9 @@ on:
   schedule:
     - cron: '32 12 * * 5'
 
-permissions: {}
+# Default permissions for each job.
+# Additional permissions should be assigned on a per-job basis.
+permissions: { }
 
 jobs:
 
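Review bot: The rewritten line replaces the existing `permissions: {}` with `permissions: { }`; both parse as an empty flow mapping, but `{}` was already the form used in this file and is what yamllint and Prettier emit. Keeping `permissions: {}` here, and in the other hunks of this commit that introduce `{ }`, avoids a pointless diff now and reformat churn later.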
@@ -36,8 +38,6 @@ jobs:
     runs-on: ubuntu-latest
     # Permissions required to publish Security Alerts
     permissions:
-      actions: read
-      contents: read
       security-events: write
 
     steps:
diff --git a/.github/workflows/deploy-release-reusable.yaml 
b/.github/workflows/deploy-release-reusable.yaml
index 0b91397..003cc4e 100644
--- a/.github/workflows/deploy-release-reusable.yaml
+++ b/.github/workflows/deploy-release-reusable.yaml
@@ -52,12 +52,20 @@ on:
         description: Subversion password for uploading the release distribution
         required: true
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
     outputs:
       project-version: ${{ steps.version.outputs.project-version }}
       nexus-url: ${{ steps.nexus.outputs.nexus-url }}
+    permissions:
+      # Write permissions to allow the Maven `revision` property update, 
changelog release, etc.
+      contents: write
+
     steps:
 
       - name: Checkout repository
diff --git a/.github/workflows/deploy-site-reusable.yaml 
b/.github/workflows/deploy-site-reusable.yaml
index 27f4913..f6bdc04 100644
--- a/.github/workflows/deploy-site-reusable.yaml
+++ b/.github/workflows/deploy-site-reusable.yaml
@@ -45,11 +45,17 @@ on:
         description: GPG secret key for signing commits
         required: true
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
 
   deploy:
-
     runs-on: ubuntu-latest
+    permissions:
+      # Write permissions for committing the generated site
+      contents: write
 
     steps:
 
diff --git a/.github/workflows/deploy-site.yaml 
b/.github/workflows/deploy-site.yaml
index 5155ce8..c7addf4 100644
--- a/.github/workflows/deploy-site.yaml
+++ b/.github/workflows/deploy-site.yaml
@@ -27,7 +27,9 @@ on:
       - "**.md"
       - "**.txt"
 
-permissions: read-all
+# Default permissions for each job.
+# Additional permissions should be assigned on a per-job basis.
+permissions: { }
 
 jobs:
 
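Review bot: Dropping the workflow-level `read-all` for `{ }` means the job that calls the site deployment reusable workflow (its header is outside the second hunk, which starts at `with:`) must carry `permissions: contents: write` at the job level, since a called workflow can only narrow, not widen, what the caller grants. The diff does not show that job-level block, so please confirm it exists, or that the push uses a credential other than `GITHUB_TOKEN`. The same check applies to the `src/site/antora/modules/ROOT/examples/deploy-site.yaml` hunk, as that example is what downstream projects copy.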
@@ -60,7 +62,6 @@ jobs:
     with:
       asf-yaml-content: |
         publish:
-          profile: ~
           whoami: ${{ github.ref_name }}-out
           subdir: content/logging-parent
       target-branch: ${{ github.ref_name }}-out
diff --git a/.github/workflows/deploy-snapshot-reusable.yaml 
b/.github/workflows/deploy-snapshot-reusable.yaml
index c1b1c3d..ba09176 100644
--- a/.github/workflows/deploy-snapshot-reusable.yaml
+++ b/.github/workflows/deploy-snapshot-reusable.yaml
@@ -36,6 +36,10 @@ on:
         description: Nexus snapshot repository password for deploying artifacts
         required: true
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/scorecards-analysis-reusable.yaml 
b/.github/workflows/scorecards-analysis-reusable.yaml
index 127b74d..0805bbd 100644
--- a/.github/workflows/scorecards-analysis-reusable.yaml
+++ b/.github/workflows/scorecards-analysis-reusable.yaml
@@ -20,12 +20,18 @@ name: scorecards-analysis
 on:
   workflow_call:
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
 
   analysis:
-
     name: "Scorecards analysis"
     runs-on: ubuntu-latest
+    # Permissions required to publish Security Alerts
+    permissions:
+      security-events: write
 
     steps:
 
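Review bot: The `analysis` job's new permissions block grants only `security-events: write`, but the `ossf/scorecard-action` documentation also requires `id-token: write` when `publish_results` is enabled, plus `contents: read` and `actions: read` in private repositories. The step configuration is outside the hunk, so I cannot tell whether `publish_results` is set; if it is, add `id-token: write` under the new block, and either way extend the comment, e.g. `# security-events: write uploads the SARIF results; id-token: write is additionally needed when publish_results is true`.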
diff --git a/.github/workflows/verify-reproducibility-reusable.yaml 
b/.github/workflows/verify-reproducibility-reusable.yaml
index 5bf7662..7f7f38e 100644
--- a/.github/workflows/verify-reproducibility-reusable.yaml
+++ b/.github/workflows/verify-reproducibility-reusable.yaml
@@ -39,6 +39,10 @@ env:
   MAVEN_ARGS: ${{ inputs.maven-args }}
   NEXUS_URL: ${{ inputs.nexus-url }}
 
+# Explicitly drop all permissions inherited from the caller for security.
+# Reference: 
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
+permissions: { }
+
 jobs:
 
   build:
diff --git a/src/changelog/.12.x.x/limit-permissions.xml 
b/src/changelog/.12.x.x/limit-permissions.xml
new file mode 100644
index 0000000..38798d3
--- /dev/null
+++ b/src/changelog/.12.x.x/limit-permissions.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+       xmlns="https://logging.apache.org/xml/ns";
+       xsi:schemaLocation="https://logging.apache.org/xml/ns 
https://logging.apache.org/xml/ns/log4j-changelog-0.xsd";
+       type="changed">
+  <description format="asciidoc">
+    Restricts permissions in reusable workflows by removing unnecessary 
permissions inherited from the caller.
+  </description>
+</entry>
diff --git a/src/site/antora/modules/ROOT/examples/build.yaml 
b/src/site/antora/modules/ROOT/examples/build.yaml
index 24eedfd..216b006 100644
--- a/src/site/antora/modules/ROOT/examples/build.yaml
+++ b/src/site/antora/modules/ROOT/examples/build.yaml
@@ -24,7 +24,9 @@ on:
       - "release/2*"
   pull_request:
 
-permissions: read-all
+# Default permissions for each job.
+# Additional permissions should be assigned on a per-job basis.
+permissions: { }
 
 jobs:
 
diff --git a/src/site/antora/modules/ROOT/examples/deploy-site.yaml 
b/src/site/antora/modules/ROOT/examples/deploy-site.yaml
index 68d6e94..42b6b82 100644
--- a/src/site/antora/modules/ROOT/examples/deploy-site.yaml
+++ b/src/site/antora/modules/ROOT/examples/deploy-site.yaml
@@ -27,7 +27,9 @@ on:
       - "**.md"
       - "**.txt"
 
-permissions: read-all
+# Default permissions for each job.
+# Additional permissions should be assigned on a per-job basis.
+permissions: { }
 
 jobs:
 
@@ -64,7 +66,6 @@ jobs:
     with:
       asf-yaml-content: |
         publish:
-          profile: ~
           whoami: ${{ github.ref_name }}-out
           subdir: content/log4j/2.x
       install-required: true
