Add Dependabot permissions warnings #37733
Please let me know if I am misunderstanding the security risk here, or if you would like the warnings to be changed.
@Marcono1234 Thanks for opening these! I'll get this triaged and look for an SME to review the specifics. We appreciate the time you're investing to improve the documentation. 💛
Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀
Why:
Dependabot intentionally has no built-in automerge feature (dependabot/dependabot-core#1973 (comment)), and in the past permissions for Dependabot workflows were changed to read-only by default (changelog entry).
If I understand it correctly, the concern is that a Dependabot workflow with write permissions could be exploited by a compromised dependency to immediately compromise the consuming repository as soon as the Dependabot PR is created, without any interaction from the owner.
Therefore, adding a custom automerge workflow for Dependabot or giving its workflows write permissions can be a security risk, and is probably worth pointing out in the documentation.
Slightly related to #37657, but does not resolve it.
What's being changed (if available, include any code snippets, screenshots, or gifs):
Add warnings to the documentation to inform users about the risk of giving Dependabot workflows more permissions
Check off the following:
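To make the risk described in the PR concrete, here is an added example (not part of the PR or of the GitHub docs) showing a Dependabot workflow that re-grants write permissions and automerges, beside a read-only variant; the workflow names, the `npm` steps and the use of `gh pr merge` are assumptions, while the `permissions` key, the `pull_request_target` event and the `github.actor == 'dependabot[bot]'` condition are standard GitHub Actions features.

```yaml
# Constructed example: two separate workflow files shown as one YAML stream.
# --- RISKY variant ---
# Dependabot-triggered runs get a read-only GITHUB_TOKEN by default; this file
# explicitly escalates to write and merges without a human. Any install script
# or test code shipped by the updated dependency runs with that write token,
# so a malicious release could push to the default branch before review.
name: dependabot-automerge-risky
on: pull_request_target            # write-capable context for fork/bot PRs
permissions:
  contents: write                  # escalation Dependabot does not need
  pull-requests: write
jobs:
  automerge:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: npm ci && npm test    # executes the new dependency's scripts
      - run: gh pr merge --auto --squash "$PR_URL"         # no review step
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
---
# --- SAFER variant ---
# Keep the default read-only token, use the plain pull_request event, and
# leave merging to a maintainer. A compromised dependency can still fail the
# build, but it cannot write to the repository from this job.
name: dependabot-ci
on: pull_request
permissions:
  contents: read                   # least privilege: CI only needs to read
jobs:
  test:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test    # results surface as a PR status check
```

Reviewing the diff for a `permissions:` block that grants `write` in any workflow that can be triggered by Dependabot is the quick check that catches the risky pattern.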