
Set permissions for Github Workflows #265

Open
joycebrum opened this issue Feb 27, 2023 · 1 comment

Comments

@joycebrum

Hi, I work on behalf of Google and the OpenSSF to help open source projects increase their supply chain security by using OpenSSF Scorecard as a guide.

I would like to suggest a PR to set top-level permissions on the GitHub workflows in order to grant any write permissions only at the run level.

This is needed because, by default, GitHub grants write-all permission to all workflows, which could be exploited by an attacker in case of a compromised workflow. Limiting permissions is a simple and effective way to also limit the impact of a compromised workflow.

Thus, it is a recommendation from both OpenSSF Scorecard and GitHub to always use credentials that are minimally scoped.

Let me know if the PR is welcome and feel free to reach out to me in case of any doubts or concerns.
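As an added example (not code from the issue, its author, or this project), here is a workflow using the default token scope beside the hardened form the issue proposes; the workflow name, triggers, job names and the release step are assumed for illustration:

```yaml
# --- Before: no top-level "permissions" key. Unless the repository or
# organisation default has been changed, the GITHUB_TOKEN handed to every
# job carries write access to most scopes, so a compromised step in ANY
# job (test included) holds far more privilege than it needs.
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test
  release:
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

---
# --- After: a read-only token is the default for the whole workflow; only
# the job that genuinely needs to write gets "contents: write". A job-level
# "permissions" block REPLACES the workflow-level one for that job rather
# than merging with it, so list every scope that job needs.
name: ci
on: [push, pull_request]
permissions:
  contents: read        # applies to every job unless overridden below
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test   # read-only token is enough to check out and test
  release:
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    permissions:
      contents: write   # required to create the release for the tag
    steps:
      - uses: actions/checkout@v3
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The two documents are separated by `---` only so they fit in one listing; a real workflow file contains a single document.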

@joycebrum

Hi! This issue has been idle for quite some time. Do you plan on considering these changes? If so, just let me know and I'll be happy to submit a PR. Otherwise I will wait up to 2 more months to close the issue. Let me know if you'd rather keep it open as "not planned" for later.
Thanks!
