[release-24.05] Workflows security fix (#351461)

.github/workflows/codeowners.yml → .github/workflows/codeowners-v2.yml

@@ -1,17 +1,32 @@
-name: Codeowners
+name: Codeowners v2
 
-# This workflow depends on a GitHub App with the following permissions:
-# - Repository > Administration: read-only
-# - Organization > Members: read-only
-# - Repository > Pull Requests: read-write
-# The App needs to be installed on this repository
-# the OWNER_APP_ID repository variable needs to be set
-# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+# This workflow depends on two GitHub Apps with the following permissions:
+# - For checking code owners:
+#   - Permissions:
+#     - Repository > Administration: read-only
+#     - Organization > Members: read-only
+#   - Install App on this repository, setting these variables:
+#     - OWNER_RO_APP_ID (variable)
+#     - OWNER_RO_APP_PRIVATE_KEY (secret)
+# - For requesting code owners:
+#   - Permissions:
+#     - Repository > Administration: read-only
+#     - Organization > Members: read-only
+#     - Repository > Pull Requests: read-write
+#   - Install App on this repository, setting these variables:
+#     - OWNER_APP_ID (variable)
+#     - OWNER_APP_PRIVATE_KEY (secret)
+#
+# This split is done because checking code owners requires handling untrusted PR input,
+# while requesting code owners requires PR write access, and those shouldn't be mixed.
 
 on:
   pull_request_target:
     types: [opened, ready_for_review, synchronize, reopened, edited]
 
+# We don't need any default GitHub token
+permissions: {}
+
 env:
   OWNERS_FILE: ci/OWNERS
   # Don't do anything on draft PRs
@@ -45,8 +60,8 @@ jobs:
     - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
       id: app-token
       with:
-        app-id: ${{ vars.OWNER_APP_ID }}
-        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+        app-id: ${{ vars.OWNER_RO_APP_ID }}
+        private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
 
     - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:

.github/workflows/editorconfig.yml → .github/workflows/editorconfig-v2.yml

@@ -1,6 +1,8 @@
-name: "Checking EditorConfig"
+name: "Checking EditorConfig v2"
 
-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read
 
 on:
   # avoids approving first time contributors

.github/workflows/manual-nixos.yml → .github/workflows/manual-nixos-v2.yml

@@ -1,6 +1,7 @@
-name: "Build NixOS manual"
+name: "Build NixOS manual v2"
 
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   pull_request_target:

.github/workflows/manual-nixpkgs.yml → .github/workflows/manual-nixpkgs-v2.yml

@@ -1,6 +1,7 @@
-name: "Build Nixpkgs manual"
+name: "Build Nixpkgs manual v2"
 
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   pull_request_target:

.github/workflows/nix-parse.yml → .github/workflows/nix-parse-v2.yml

@@ -1,6 +1,8 @@
-name: "Check whether nix files are parseable"
+name: "Check whether nix files are parseable v2"
 
-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read
 
 on:
   # avoids approving first time contributors

ci/OWNERS

@@ -11,12 +11,12 @@
 # - There is no need for user/team listed here to have write access.
 # - No reviews will be requested for PRs that target the wrong base branch.
 #
-# Processing of this file is implemented in workflows/codeowners.yml
+# Processing of this file is implemented in workflows/codeowners-v2.yml
 
 # CI
 /.github/workflows @NixOS/Security @Mic92 @zowoq
 /.github/workflows/check-nix-format.yml @infinisil
-/.github/workflows/codeowners.yml @infinisil
+/.github/workflows/codeowners-v2.yml @infinisil
 /ci/OWNERS @infinisil
 /ci @infinisil @philiptaron @NixOS/Security