Hi, I work on behalf of Google and the OpenSSF to help open source projects increase their supply chain security by using OpenSSF Scorecard as a guide.
I would like to suggest a PR to set up top-level permissions in the GitHub workflows in order to grant any write permissions only at the run level.
This is needed because, by default, GitHub grants write-all permission to all workflows, which could be exploited by an attacker in case of a compromised workflow. Limiting permissions is a simple and effective way to also limit the impact of an eventual compromised workflow.
Thus, it is a recommendation from both OpenSSF Scorecard and GitHub to always use credentials that are minimally scoped.
Let me know if the PR is welcome, and feel free to reach out to me in case of any doubts or concerns.
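The change the comment above proposes, shown as an added example workflow (not the issue author's PR and not a file from this project). It assumes a hypothetical `ci` workflow with a test job and a release job; the action refs, branch name and `make`/`gh` commands are illustrative. The top-level `permissions` block restricts the `GITHUB_TOKEN` for every job, and only the job that actually needs a write scope re-grants it at job level:

```yaml
# Added example: restrict GITHUB_TOKEN at the top level, widen per job.
# Without a top-level block, every job receives the repository's default
# token scope, which is write-all unless the repo or org default was changed.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Top level: read-only token for every job in this workflow.
permissions: read-all

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits read-all from the top level; building and testing needs no write scope.
    steps:
      - uses: actions/checkout@v4
      - run: make test

  release:
    needs: test
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    # Job level: grant only the scope this job needs. A job-level block replaces
    # the top-level one rather than merging with it, so every scope not listed
    # here (other than the always-present metadata: read) becomes "none".
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "v${{ github.run_number }}" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

If no job needs any scope, `permissions: {}` at the top level is tighter than `read-all`. Scorecard's Token-Permissions check looks for the top-level block and for job-level write scopes; pinning `actions/checkout` to a commit SHA instead of `@v4` is a separate Scorecard recommendation (Pinned-Dependencies) and is not what this issue asks for.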
Hi! This issue has been idle for quite some time. Do you plan on considering these changes? If so, just let me know and I'll be happy to submit a PR. Otherwise I will wait up to 2 more months to close the issue. Let me know if you'd rather keep it open as "not planned" for later.
Thanks!