On Thu, 1 Sep 2022 20:37:27 GMT, Alex <d...@openjdk.org> wrote:

> This PR adds an explicit [permissions section](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) to workflows. This is a security best practice because by default workflows run with an [extended set of permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) (except for `on: pull_request` [from external forks](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an [injection](https://securitylab.github.com/research/github-actions-untrusted-input/) or a compromised third-party tool or action) is restricted.
> It is recommended to have the [most strict permissions on the top level](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and grant write permissions on the [job level](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs) case by case.

@sashashura You need to enable running GHA workflows in your personal fork of 
the `jfx` repo. Given that you are changing the GHA workflow, we will need to 
see the results from your run in this PR.

This seems worth evaluating. Given that we don't enable workflows in any of the 
repos of the openjdk organization, the impact of not doing this is limited (the 
workflow only runs in the context of the user pushing to their own branch), but 
as long as it doesn't preclude doing anything legitimate, it might be a good 
idea. I filed a new JBS issue -- 
[JDK-8293368](https://bugs.openjdk.org/browse/JDK-8293368) -- for this.

@sashashura Please change the title of this PR to:


8293368: GitHub Workflows security hardening

-------------

Changes requested by kcr (Lead).

PR: https://git.openjdk.org/jfx/pull/889
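As an added illustration of the pattern the quoted PR description refers to (this is example configuration, not the PR's own diff, which is not shown here), the following workflow declares a read-only `permissions` block at the top level and widens the `GITHUB_TOKEN` for one job only. The job names, steps, build command and action references are assumptions made for the example, not taken from the jfx workflow.

```yaml
name: Build

on:
  push:
  pull_request:

# Top level: restrict the GITHUB_TOKEN for every job in this workflow.
# Naming any single scope here sets every scope that is not listed to
# "none", so this grants read access to repository contents and nothing else.
permissions:
  contents: read

jobs:
  build:
    # Inherits the read-only top-level permissions; no override is needed
    # for a job that only checks out and compiles the source.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3   # assumed action for the example
      - run: ./gradlew build        # assumed build command

  publish-report:
    # Hypothetical job that needs to write to the repository: widen the
    # token here, for this job only, rather than at the top level.
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - run: ./scripts/publish-report.sh   # assumed script, not in jfx
```

Two details worth knowing when applying this: an empty block (`permissions: {}`) is the most restrictive starting point and removes every scope, and a job-level `permissions` block replaces the top-level one for that job rather than merging with it, so a job that overrides must list every scope it needs, including the read scopes it previously inherited.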
