Remove secrets: inherit from changelog-preview workflow#1355
Open
semgrep-code-getsentry[bot] wants to merge 1 commit into
Open
Remove secrets: inherit from changelog-preview workflow#1355semgrep-code-getsentry[bot] wants to merge 1 commit into
semgrep-code-getsentry[bot] wants to merge 1 commit into
Conversation
Remove `secrets: inherit` from the changelog-preview workflow to follow the principle of least privilege.
## Changes
- Removed `secrets: inherit` from `.github/workflows/changelog-preview.yml`
- The reusable workflow still receives `GITHUB_TOKEN` automatically via the caller's `permissions:` block, which is all it needs to read PR data and post comments/statuses
## Why
Using `secrets: inherit` passes all repository secrets (e.g. deploy keys, publishing credentials) to the called workflow, even though the changelog-preview workflow only needs `GITHUB_TOKEN`. If the third-party reusable workflow were compromised, an attacker would gain access to every secret in the repository. Since `GITHUB_TOKEN` is automatically available to reusable workflows based on the caller's permissions, removing `secrets: inherit` eliminates unnecessary secret exposure without breaking functionality.
## Semgrep Finding Details
This workflow uses `secrets: inherit` to pass all of the calling workflow's secrets to a reusable workflow. This violates the principle of least privilege because the called workflow receives access to every secret in the repository, not just the ones it needs. If the called workflow is compromised or sourced from a third party, an attacker gains access to all repository secrets. Instead, explicitly pass only the secrets that the called workflow requires using the `secrets:` map, e.g. `secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} }`.
nelson.osacky@sentry.io requested this Autofix PR for [this finding](https://semgrep.dev/orgs/sentry/findings/876469208) from the detection rule [yaml.github-actions.security.secrets-inherit.secrets-inherit](https://semgrep.dev/r/yaml.github-actions.security.secrets-inherit.secrets-inherit).
Contributor
Instructions and example for changelogPlease add an entry to Example: ## Unreleased
### Features
- inherit from changelog-preview workflow ([#1355](https://github.com/getsentry/sentry-android-gradle-plugin/pull/1355))If none of the above apply, you can opt out of this check by adding |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Remove
secrets: inheritfrom the changelog-preview workflow to follow the principle of least privilege.Changes
secrets: inheritfrom.github/workflows/changelog-preview.ymlGITHUB_TOKENautomatically via the caller'spermissions:block, which is all it needs to read PR data and post comments/statusesWhy
Using
secrets: inheritpasses all repository secrets (e.g. deploy keys, publishing credentials) to the called workflow, even though the changelog-preview workflow only needsGITHUB_TOKEN. If the third-party reusable workflow were compromised, an attacker would gain access to every secret in the repository. SinceGITHUB_TOKENis automatically available to reusable workflows based on the caller's permissions, removingsecrets: inheriteliminates unnecessary secret exposure without breaking functionality.Semgrep Finding Details
This workflow uses
secrets: inheritto pass all of the calling workflow's secrets to a reusable workflow. This violates the principle of least privilege because the called workflow receives access to every secret in the repository, not just the ones it needs. If the called workflow is compromised or sourced from a third party, an attacker gains access to all repository secrets. Instead, explicitly pass only the secrets that the called workflow requires using thesecrets:map, e.g.secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} }.nelson.osacky@sentry.io requested this Autofix PR for this finding from the detection rule yaml.github-actions.security.secrets-inherit.secrets-inherit.