Limit privilege escalation and token theft in workflows #3742

Merged: d-v-b merged 2 commits into zarr-developers:main from DimitriPapadopoulos:weak_GitHub_Actions_configuration on Mar 6, 2026

Conversation

DimitriPapadopoulos (Contributor) commented Mar 4, 2026

[Security Advisory] Active Exploitation of Weak GitHub Actions Configurations

  • Added explicit permissions blocks to restrict access (mostly contents: read, id-token: write).
  • Limited event triggers to only trusted branches
  • Added workflow_dispatch where missing.

If possible at all, pull_request_target should be changed to pull_request, but I don't have the knowledge/time to do that.

TODO:

  • Add unit tests and/or doctests in docstrings
  • Add docstrings and API docs for any new/modified user-facing classes and functions
  • New/modified features documented in docs/user-guide/*.md
  • Changes documented as a new file in changes/
  • GitHub Actions have all passed
  • Test coverage is 100% (Codecov passes)
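As an added illustration of the three changes listed in the PR description (this is example YAML written for this page, not a workflow from the zarr-developers repository), the first document below shows the weak shape the advisory warns about and the second shows the hardened shape. Workflow names, job names and the test command are hypothetical; the `permissions` keys, `workflow_dispatch` trigger and `branches` filter are standard GitHub Actions syntax.

```yaml
# --- BEFORE: weak configuration (constructed example) ---
name: ci-weak
on:
  push:                  # fires on every branch, trusted or not
  pull_request_target:   # runs in the base repo context with its secrets and token
# No top-level `permissions:` block: GITHUB_TOKEN receives the repository's
# default scopes, which may be read/write across the board.
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the contributor's code and runs it under the privileged token:
          # this is the combination that enables token theft from a malicious PR.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -e . && pytest
---
# --- AFTER: hardened configuration (constructed example) ---
name: ci-hardened
on:
  push:
    branches: [main]     # only trusted branches trigger on push
  pull_request:          # fork PRs get a read-only token and no repository secrets
  workflow_dispatch:     # explicit manual trigger for maintainers

permissions:
  contents: read         # least privilege for every job unless overridden below

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref: the merge commit, not a privileged context
      - run: pip install -e . && pytest

  publish:
    needs: test
    if: github.event_name == 'workflow_dispatch'   # never reachable from a PR event
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write    # only the job that needs OIDC trusted publishing gets it
    steps:
      - uses: actions/checkout@v4
      - run: echo "OIDC-authenticated publish step goes here (placeholder)"
```

The key properties to check when reviewing a workflow against this shape: every workflow file declares a top-level `permissions:` block, write scopes such as `id-token: write` are scoped to the single job that needs them, no job triggered by `pull_request_target` checks out or executes the pull request head, and release jobs cannot be reached from a pull-request event.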

github-actions bot added the "needs release notes" label (automatically applied to PRs which haven't added release notes) on Mar 4, 2026

DimitriPapadopoulos force-pushed the weak_GitHub_Actions_configuration branch from 53249a8 to dd9748a on March 4, 2026 09:11, with the commit message:

> https://lists.openssf-vuln.org/g/siren/message/6
>
> - Added explicit permissions blocks to restrict access (mostly contents: read, id-token: write).
> - Limited event triggers to only trusted branches
> - Added workflow_dispatch where missing.

DimitriPapadopoulos force-pushed the weak_GitHub_Actions_configuration branch from dd9748a to 8858279 on March 4, 2026 09:13

DimitriPapadopoulos marked this pull request as ready for review on March 4, 2026 09:17

d-v-b merged commit 266f2bb into zarr-developers:main on Mar 6, 2026

25 checks passed