Show minimal permission needed for CIFuzz workflow (#10283)
I'm suggesting this change to the CIFuzz example workflow to indicate the minimal permission needed for the workflow to run, and also to follow the OpenSSF Scorecard Token Permission Check recommendations. I've tested it with https://github.com/joycebrum/sigstore/actions/runs/4918728701, and the action ran successfully with no permission granted. The actions/upload-artifact step, which was skipped in that run, does not need any permission to upload artifacts either, as can be seen at https://github.com/joycebrum/sigstore/actions/runs/4928734763 --------- Signed-off-by: Joyce <joycebrum@google.com> Signed-off-by: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com> Co-authored-by: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>
This commit is contained in:
parent
a542551e36
commit
3cbb8c9d6e
|
@ -69,9 +69,12 @@ cifuzz.yml for an example project:
|
|||
```yaml
|
||||
name: CIFuzz
|
||||
on: [pull_request]
|
||||
permissions: {}
|
||||
jobs:
|
||||
Fuzzing:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
security-events: write
|
||||
steps:
|
||||
- name: Build Fuzzers
|
||||
id: build
|
||||
|
@ -138,9 +141,13 @@ can be used. To use a sanitizer add it to the list of sanitizers in the matrix f
|
|||
{% raw %}
|
||||
name: CIFuzz
|
||||
on: [pull_request]
|
||||
permissions: {}
|
||||
jobs:
|
||||
Fuzzing:
|
||||
runs-on: ubuntu-latest
|
||||
# Uncomment this to get results in the GitHub security dashboard.
|
||||
permissions:
|
||||
security-events: write
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
|
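Review bot: The comment `# Uncomment this to get results in the GitHub security dashboard.` in the second hunk sits directly above an active `permissions:` / `security-events: write` block, so there is nothing left to uncomment and the job grants `security-events: write` whether or not the SARIF upload is enabled (assuming the `#` prefixes survived rendering, as they did in the later hunk). To keep the example as minimal as the commit title promises, either comment the grant out alongside the step it serves, `# permissions:` / `#   security-events: write`, or drop the comment so this snippet matches the first hunk, which grants the scope without a caveat. The same comment/grant pairing appears in the example workflow file later in this commit, so whichever form is chosen should be applied there too.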
@ -199,6 +206,7 @@ on:
|
|||
- '**.cpp'
|
||||
- '**.cxx'
|
||||
- '**.h'
|
||||
permissions: {}
|
||||
jobs:
|
||||
Fuzzing:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
name: CIFuzz
|
||||
on: [pull_request]
|
||||
permissions: {}
|
||||
jobs:
|
||||
Fuzzing:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
security-events: write
|
||||
steps:
|
||||
- name: Build Fuzzers
|
||||
id: build
|
||||
|
@ -19,4 +22,12 @@ jobs:
|
|||
if: failure() && steps.build.outcome == 'success'
|
||||
with:
|
||||
name: artifacts
|
||||
path: ./out/artifacts
|
||||
path: ./out/artifacts
|
||||
# Uncomment this to get results in the GitHub security dashboard.
|
||||
# - name: Upload Sarif
|
||||
# if: always() && steps.build.outcome == 'success'
|
||||
# uses: github/codeql-action/upload-sarif@v2
|
||||
# with:
|
||||
# # Path to SARIF file relative to the root of the repository
|
||||
# sarif_file: cifuzz-sarif/results.sarif
|
||||
# checkout_path: cifuzz-sarif
|
||||
|
|
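Review bot: The job-level `security-events: write` added in the first hunk of this file is consumed only by the `Upload Sarif` step, which this hunk adds commented out, so the example grants a write scope that no enabled step uses; if the intent is to show the minimum, the grant should be commented together with the step and the `# Uncomment this` note should say that both must be enabled together. Since the commit cites OpenSSF Scorecard, it is also worth pinning the commented action to a full commit SHA rather than the floating `@v2` tag, which Scorecard's Pinned-Dependencies check flags, e.g. `# uses: github/codeql-action/upload-sarif@<full-commit-sha>  # v2` with the SHA filled in from the action's release. The SARIF step also assumes the build step emits `cifuzz-sarif/results.sarif`, which is configured outside this hunk; a one-line comment pointing at that input would save readers a trip to the CIFuzz docs.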