Shunsuke Suzuki

Minimize the scope of secrets and permissions in GitHub Actions

In this post, I introduce two practices that improve the security of GitHub Actions workflows, and a CLI that checks workflows against them.

Practices:

  1. Grant only the minimum permissions each job requires, and grant them per job. Do not rely on the default permissions, and do not set any `permissions` value other than `{}` at the workflow level.
  2. Pass a secret only to the step that needs it. Do not set secrets in the `env` of a job or a workflow.

These practices are basic and not original, but many workflows don't conform to them.

Almost all workflows depend on third-party tools such as reusable workflows, actions, and CLIs, so there is always a risk that malicious code is executed through a tampered dependency.
So it is essential to limit the damage if that happens, by restricting the permissions of GITHUB_TOKEN and the scope of secrets.

The default permissions of GITHUB_TOKEN are broader than most jobs need, and they depend on repository settings rather than on the workflow, so you should set the minimum permissions explicitly.
Permissions should not be set at the workflow level, because a workflow-level block applies to every job, so any job that does not declare its own permissions receives permissions it does not need.
The read-all and write-all shorthands should not be used, because they are far broader than any single job needs.

You can use the following syntax at the workflow level to disable permissions for all of the available scopes, so that each job has to declare the permissions it needs:

```yaml
permissions: {}
```

Secrets should not be set in the `env` of a workflow or a job, because every step in that scope can then read them, including steps that run third-party actions and don't need them at all. Set a secret in the `env` (or `with`) of only the step that uses it.
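The following workflow illustrates both practices. It is an added example written for this post, not code from the original post or from ghalint; the action `some-org/some-action`, the scripts, the secret names and the job names are constructed for illustration. The first document is the weak form, the second is the hardened form.

```yaml
# Weak form (constructed example): every job gets write access on every scope,
# and every step of `build`, including the third-party action, can read
# DEPLOY_TOKEN even though only the last step needs it.
name: ci
on: [pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # job-level secret: visible to all steps
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@v1              # hypothetical action; never needs the token
      - run: ./scripts/deploy.sh                   # the only step that needs DEPLOY_TOKEN
---
# Hardened form (constructed example).
name: ci
on: [pull_request]

# Practice 1: grant nothing at the workflow level. A job that declares no
# `permissions` block then gets no permissions at all, so every job below
# has to say what it needs.
permissions: {}

# Practice 2: no `env` with secrets at the workflow or job level.

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read                 # enough to check out the repository
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@v1              # hypothetical action; no secret is visible to it
      - run: make test

  deploy:
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: read
      pull-requests: write           # only this job comments on the pull request
    steps:
      - uses: actions/checkout@v4
      - run: make build              # no secret visible here
      - name: deploy
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }} # step-level secret: this step only
        run: ./scripts/deploy.sh
      - name: comment on the pull request
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr comment "$PR_NUMBER" --body "deploy finished"
```

Two details are worth checking when you apply this to a real workflow. A job-level `permissions` block replaces the workflow-level one rather than merging with it, and any scope not listed in the job-level block is set to none, so each job must list everything it needs (for example, `contents: read` is still required for `actions/checkout` on a private repository). And a step-level secret is still readable by whatever runs in that step, so keep the step that receives a secret as small as possible and avoid running third-party actions in it.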

ghalint - Check that workflows conform to these practices

I've developed a CLI to check whether workflows conform to the above practices.

https://github.com/suzuki-shunsuke/ghalint

For usage, please see the documentation.
