
Add Permissions to Workflows and Pin Unpinned Tags for Non-Immutable Actions #262

Open. Wants to merge 4 commits into main.

Conversation

Yuyuutsu
Contributor

@Yuyuutsu Yuyuutsu commented Jan 22, 2025

What is the context of this PR?

Code Scanning, which has been enabled in some of our GitHub repositories, is highlighting issues.
This PR resolves these issues:

  • Workflow does not contain permissions
  • Unpinned tag for a non-immutable Action in workflow

Full server-side request forgery ERROR has not been resolved as the error seems like a false positive. The solution given by GitHub would not work for Validator. We can flag this error as a Won't Fix or False Positive, OR we can look into resolving this error if we think this is an actual error.

Leave a comment on this PR to decide what we want to do with this error.

How to review

Check changes resolve CodeQL Scanning Errors

Checklist

  • eq-translations updated to support any new schema keys which need translation

@Yuyuutsu Yuyuutsu requested a review from a team as a code owner January 22, 2025 09:25
@Yuyuutsu Yuyuutsu changed the title Fix CodeQL errors Add Permissions and Pin Unpinned Tags for Non-Immutable Actions Jan 30, 2025
@Yuyuutsu Yuyuutsu changed the title Add Permissions and Pin Unpinned Tags for Non-Immutable Actions Add Permissions to Workflows and Pin Unpinned Tags for Non-Immutable Actions Jan 30, 2025
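For readers who have not seen the two CodeQL findings before, the following is an added illustration of what a workflow looks like once both are addressed. It is not the PR's own diff (the page does not show it) and the workflow name, jobs and steps are invented for the example. The action names are real, but the 40-character commit SHAs are all-zero placeholders that must be replaced with the SHA you resolve and verify yourself.

```yaml
# Added example, not the PR's diff. Before the fix a workflow like this had
# no `permissions:` key, so every job ran with the repository's default
# GITHUB_TOKEN scopes, and third-party actions were referenced by a floating
# tag that the action's maintainer (or anyone who takes over the repo) can
# move to different code at any time:
#
#   - uses: actions/checkout@v4     # "Unpinned tag for a non-immutable Action"
#
name: validate
on:
  pull_request:

# Top-level default for every job: the token may only read repository
# contents. Jobs that genuinely need more opt in individually below.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Each action is pinned to a full commit SHA; the trailing comment
      # records the tag it was resolved from so a dependency bot can keep it
      # current. The zero SHAs are placeholders: resolve the real one with
      #   git ls-remote https://github.com/actions/checkout refs/tags/v4
      # (for an annotated tag take the peeled "^{}" line) and check that the
      # commit is what you expect before pinning to it.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-python@0000000000000000000000000000000000000000 # v5
        with:
          python-version: "3.12"
      - run: make test

  comment:
    runs-on: ubuntu-latest
    needs: test
    # Only this job may write to pull requests; the test job above stays
    # read-only even if one of its dependencies is compromised.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/github-script@0000000000000000000000000000000000000000 # v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: "Schema validation passed",
            })
```

Two things to check after making this kind of change: that each job still has every scope it actually uses (a job that pushes a tag or uploads a release asset needs `contents: write`), and that the SHA you pin belongs to the upstream repository rather than to a fork, since GitHub will serve a commit reachable from any fork in the network under the upstream name.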
Contributor

@berroar berroar left a comment


Had a more in depth look at the issue flagged for: Full server-side request forgery, and I do think we should be handling this.

I know we spoke about it at tech session previously, but I didn't realise that it only applies to the validate_schema_from_url method/endpoint. So I think we should add some logic to ensure that any schema being validated either comes from an ONSDigital repo or a GitHub gist? I'm not sure there are any other use cases for this that would mean that we need to add any other domains, but would resolve this for the time being.
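One way to implement the check proposed above, as an added example rather than the project's own code: an allowlist applied to the URL before anything is fetched. It assumes schemas come from GitHub, so the only acceptable origins are raw file content from an ONSDigital repository (`raw.githubusercontent.com/ONSDigital/...`) or a GitHub gist (`gist.githubusercontent.com/<user>/<id>/raw/...`); the function and constant names are illustrative, and the sample URLs at the bottom are constructed.

```python
"""URL allowlist for a schema-from-URL endpoint.

Added example, not the validator's own code. Assumptions: schemas are only
ever fetched from GitHub, so an ONSDigital repository (raw file content) or
a GitHub gist are the only acceptable origins. Names are illustrative.
"""

from urllib.parse import unquote, urlsplit

ALLOWED_ORG = "ONSDigital"
RAW_HOST = "raw.githubusercontent.com"    # /<owner>/<repo>/<ref>/<path...>
GIST_HOST = "gist.githubusercontent.com"  # /<user>/<gist id>/raw/[<commit>/]<file>


def is_allowed_schema_url(url: str) -> bool:
    """Return True only for URLs the validator may fetch a schema from."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False

    # Plain http could be intercepted or redirected; insist on TLS.
    if parts.scheme != "https":
        return False

    # "https://raw.githubusercontent.com@evil.example/..." puts the trusted
    # name in the userinfo and the attacker's host in the authority, and an
    # explicit port is never needed for GitHub, so reject both outright.
    if parts.username is not None or parts.password is not None or port is not None:
        return False

    host = parts.hostname  # lowercased, with userinfo and port stripped
    if host not in (RAW_HOST, GIST_HOST):
        return False

    # Decode each path segment once so "ONSDigital%2Fevil" is not mistaken
    # for the organisation name, then refuse any dot segments.
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if any(s in (".", "..") for s in segments):
        return False

    if host == RAW_HOST:
        # Need at least <owner>/<repo>/<ref>/<file>, and the owner must be ours.
        return len(segments) >= 4 and segments[0] == ALLOWED_ORG

    # Gist: <user>/<gist id>/raw/<file>, optionally with a commit before the file.
    return len(segments) >= 4 and segments[2] == "raw"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the project.
    for candidate in (
        "https://raw.githubusercontent.com/ONSDigital/eq-questionnaire-runner/main/schemas/test.json",
        "https://gist.githubusercontent.com/someone/0123abcd/raw/schema.json",
        "http://raw.githubusercontent.com/ONSDigital/repo/main/schema.json",
        "https://raw.githubusercontent.com@evil.example/ONSDigital/repo/main/schema.json",
        "https://raw.githubusercontent.com/ONSDigital%2Fevil/repo/main/schema.json",
        "https://169.254.169.254/latest/meta-data/",
    ):
        print(is_allowed_schema_url(candidate), candidate)
```

The allowlist only covers the URL the caller supplies, so the fetch itself should either disable redirects (for example `allow_redirects=False` with `requests`) or re-run the check on each hop; otherwise a gist or a renamed repository that answers with a 3xx can send the request somewhere the check never saw. The downloaded JSON is still untrusted input and goes through the normal schema validation afterwards.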
