
fix: further restrict token permissions on helm action steps (#4129)

* fix: further restrict token permissions on helm action steps

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* pin cosign to a specific hash

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Gergely Brautigam 1 year ago
parent
commit
f61580e0dd
1 changed files with 9 additions and 4 deletions
  1. 9 4
      .github/workflows/helm.yml

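--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@@ -69,8 +69,7 @@ jobs:
 
   release:
     permissions:
-      contents: write  # for helm/chart-releaser-action to push chart release and create a release
-      packages: write  # to push OCI chart package to GitHub Registry
+      contents: read
     runs-on: ubuntu-latest
     if: |
       github.ref == 'refs/heads/main' ||
@@ -97,6 +96,9 @@ jobs:
           echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
           echo -n "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt
       - name: Run chart-releaser
+        permissions:
+          contents: write  # for helm/chart-releaser-action to push chart release and create a release
+          packages: write  # to push OCI chart package to GitHub Registry
         uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
         env:
           CR_KEY: external-secrets <external-secrets@external-secrets.io>
@@ -123,7 +125,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@v3.7.0
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
         with:
           cosign-release: 'v2.4.1'
 
@@ -158,7 +160,10 @@ jobs:
           done
 
       - name: Generate provenance attestation and push to OCI registry
-        uses: actions/attest-build-provenance@v1.4.4
+        permissions:
+          attestation: write
+          packages: write
+        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
         with:
           push-to-registry: true
           subject-name: ${{ steps.push_chart.outputs.registry }}/${{ steps.push_chart.outputs.chart_name }}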
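Review bot: The new `permissions:` blocks under the "Run chart-releaser" and "Generate provenance attestation" steps do not narrow anything, because GitHub Actions only accepts `permissions` at the workflow and job level — a step has no such key, so the workflow will either fail validation or silently ignore them, while the job-level block now grants `contents: read` and (since any scope not listed in a job-level block becomes `none`) nothing else, so the chart-release push and the OCI/attestation pushes would run with a token that cannot write. The scope on the attestation step is also misspelled: the GITHUB_TOKEN scope is `attestations` (plural), and actions/attest-build-provenance additionally documents needing `id-token: write` for Sigstore signing when generating attestations, which neither the old nor the new job-level block lists (it may be set at workflow level outside this hunk — worth confirming). Step-level minimisation for a single job token is not achievable this way; the least-privilege shape is a job-level block listing exactly the scopes the release job's steps need, with the step-level blocks removed, and if the concern is that the cosign/GPG/helm steps share that token, the honest fix is splitting the job rather than adding unsupported keys. The `release` job continues outside these hunks.
```yaml
  release:
    permissions:
      contents: write      # helm/chart-releaser-action pushes the index and creates the GitHub release
      packages: write      # OCI chart push and attestation push to ghcr.io
      attestations: write  # actions/attest-build-provenance stores the provenance attestation
      id-token: write      # Sigstore signing in actions/attest-build-provenance
    # … unchanged: runs-on, if, steps (with the step-level permissions: blocks removed) …
```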