Initial commit

Author: JarLob

.gitignore

@@ -0,0 +1,3 @@
+node_modules
+.vscode
+.vs

LICENSE

@@ -0,0 +1,22 @@
+
+The MIT License (MIT)
+
+Copyright (c) 2023 GitHub, Inc. and contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,15 @@
+# GitHub token permissions usage Monitor and Advisor actions (PUBLIC BETA)
+
+Applying the least privilege permissions to a GitHub Actions workflow is a best security practice, but can be challenging as it may break existing workflows.
+
+The Monitor action, when added to a workflow, tracks the usage of the temporary GitHub repository token and gives recommendations on the minimum permissions required to run the workflow based on the actual detected workflow activity. Every workflow run generates a summary report with the recommendations. Since some steps or jobs may be skipped based on various conditions, the Advisor action can aggregate and summarize the recommendations from multiple workflow runs.
+
+![Workflow run summary with permissions recommendations for every job](res/summary.png "Minimal required permissions")
+
+The typical scenario is to include the Monitor action in every job of the workflow that doesn't specify permissions explicitly, collect the recommendations from several workflow runs, apply the recommended minimal permissions, and then remove the Monitor action.
+
+## Usage
+
+[See the Monitor action](monitor)
+
+[See the Advisor action](advisor)

SECURITY.md

@@ -0,0 +1,3 @@
+# Security Policy
+
+Please send security findings to securitylab at github com.

advisor/README.md

@@ -0,0 +1,21 @@
+# GitHub token permissions Advisor action (PUBLIC BETA)
+
+## Usage
+
+The index.js script can be invoked as:
+
+* GitHub action.
+
+  See [workflow.yml](workflow.yml) for an example of how to use the Advisor action. Copy the workflow to your repository and manually dispatch the workflow from the Actions tab to generate the aggregated report from the last `n` runs.
+
+  ![Run workflow form with input fields](../res/dispatch.png "Run workflow")
+
+* Command line tool.
+
+  Download the [index.js](index.js) script and run it as:\
+
+  ```bash
+  node index.js <workflow_name.yml> <number_of_the_last_runs> <github_owner> <repo_name> <branch_name>
+  ```
+
+  An environment variable `GITHUB_TOKEN` must be set to your [PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with `repo` scope granted for the repository you want to analyze.

advisor/action.yml

@@ -0,0 +1,20 @@
+name: 'GitHub Actions Permissions Advisor'
+description: 'An action to aggregate results from Permissions Monitor from the previous runs and advise the minimal permissions required for a GitHub Action'
+inputs:
+  token:
+    description: 'The repository token to read previous runs'
+    required: false
+    default: ${{ github.token }}
+  name:
+    description: 'The name of the workflow file to analyze'
+    required: true
+    type: string
+  count:
+    description: 'How many last runs to analyze'
+    required: false
+    type: number
+    default: 10
+
+runs:
+  using: 'node16'
+  main: 'dist/index.js'