Token permission check fails on legitimate release jobs in GitHub Actions workflows

[behnazh-w]

A release job in a GitHub Actions workflow may require contents: write permission to push a release commit. Scorecard currently allows contents: write permission for "packaging" workflows, which allows pypa/gh-action-pypi-publish only for Python. In other words, Scorecard does not recognize other release Actions, such as relekang/python-semantic-release. This limitation results in false positives.

What is the best way to resolve this issue in the current version of Scorecard?

Ideally users should be able to add such GitHub Actions to an allow list in the configuration file.

[azeemshaikh38]

Thanks for reporting this. Could you point us to an example repo where this is happening?

[laurentsimon]

You're saying relekang/python-semantic-release action is not recognized as a publishing workflow. Is that correct?

[behnazh-w]

Thanks for reporting this. Could you point us to an example repo where this is happening?

Here is the repo and this is the branch where Scorecard is enabled and is reporting the contents: write permission in the release job as a violation.

You're saying relekang/python-semantic-release action is not recognized as a publishing workflow. Is that correct?

Yes, that's correct. In particular it is not considered as a trusted publishing workflow.

[laurentsimon]

@di any objection to adding this action for python projects?

[di]

My thoughts are that this should probably be user-configurable as @behnazh-w suggested. I'm not sure we want to get in the business of determining which Actions are trusted or not (aside from the assumption that ecosystem-provided Actions like pypa/gh-action-pypi-publish should be trusted).

[laurentsimon]

I don't think we have a notion of "trusted" actions today. I think it's more "actions we know of". I think it's fine to add this action to the list of action we look for, since the packaging check looks for just that. When we get to the point of having policies, we can give users more flexibility about what they want to filter our or not.

@azeemshaikh38 @naveensrinivasan thoughts?

[azeemshaikh38]

The Packaging check is simply trying to determine whether a GitHub workflow is a packaging workflow or not (see here). So IIUC, we are not too concerned with whether we "trust" the action, but rather about classifying the action. So I'm ok to add relekang/python-semantic-release.

[laurentsimon]

Looks like there is consensus we can add the new action to our list.

behnazh-w would you be interested in sending a PR?

The lines to update are in

scorecard/checks/packaging.go

Line 95 in 2b206dc

func isPackagingWorkflow(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {

and you can add a unit test in https://github.com/ossf/scorecard/blob/2b206dc3654ab96b88310625c5f0a1a3902723e7/checks/packaging_test.go

If you don't have the time, nw

[behnazh-w]

Looks like there is consensus we can add the new action to our list.

behnazh-w would you be interested in sending a PR?

Sure, I'm happy to send the PR. As I have mentioned above I would prefer to control the list of such Actions via the configuration, but for now I can document that in a comment.