Add details on authentication / permissions used
See https://github.com/actions/upload-artifact/issues/197. I have an analogous question: I can create cache entries but I’ve (tried to) set the GitHub Token to read-only permissions. So, I’m puzzled as to why my jobs even succeed at writing to the cache. Is the cache action using an undocumented mechanism for authentication as https://github.com/actions/upload-artifact/issues/197 claims upload-artifact is? How can we control which jobs are allowed to read from and especially write to the cache?
Issue Analytics
- Created 2 years ago
- Comments:12 (3 by maintainers)
Top GitHub Comments
I pinged our security team to also get 👀 on this.
@briansmith Great question.
Yes, it’s using the same mechanism as the artifact actions (see here).
I’m not an expert in all of the details, but from what I understand, GITHUB_TOKEN is essentially used to authenticate with the GitHub API. So you can restrict Actions to have read-only permissions to your repos, issues, or other GitHub resources / products. But in this case, Artifacts and Cache are part of Actions, so those permissions don’t apply.
There isn’t a way to control which jobs are allowed to read/write to the cache, except by controlling where the cache is used in the workflow. This also means it’s important to be aware of when / how your workflows are run. Two good resources on this topic are:
The cache has an additional safeguard called “scopes”. You can think of the scope as the git ref, such as a branch, tag, PR merge, etc. We then grant “read+write” or “read-only” permissions to each scope. For example, a workflow triggered on a branch will have “read+write” permissions to that branch scope and “read-only” permission to the default branch (e.g., main). This prevents a malicious user from being able to inject cache content on one branch that is subsequently used by a different, more critical branch (e.g., a release branch) without first merging those changes. For reference, the official docs for this are:
Anyway, that’s about my breadth of knowledge on this topic. I’m happy to put you in touch with someone on the Actions security team if you have any additional security concerns.
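Added example, not part of the issue thread or the cache action's own documentation: a workflow that follows the reply's advice to control where the cache is used, restoring in pull-request jobs and saving only from the default branch. It assumes the actions/cache/restore and actions/cache/save sub-actions; the cache path, key, job names and ./build.sh are constructed for illustration.

```yaml
# Added example; path, key, job names and build script are constructed.
name: build
on:
  push:
    branches: [main]
  pull_request:

# Limits what GITHUB_TOKEN may do against the GitHub API.
# Per the maintainer's reply, this does not govern cache reads or writes.
permissions:
  contents: read

jobs:
  pr-build:
    # Pull-request runs only restore; there is no save step in this job.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache/restore@v4
        with:
          path: ~/.cache/deps
          key: deps-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
      - run: ./build.sh

  main-build:
    # Only pushes to the default branch reach the save step.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache/restore@v4
        id: deps-cache
        with:
          path: ~/.cache/deps
          key: deps-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
      - run: ./build.sh
      # Save only when the exact key was not already present.
      - uses: actions/cache/save@v4
        if: steps.deps-cache.outputs.cache-hit != 'true'
        with:
          path: ~/.cache/deps
          key: deps-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
```

The scope rule described in the reply applies independently of this layout: a run on another branch or pull request can read the default branch's entries but writes only to its own scope.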