Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set token permissions for workflows #115

Merged
merged 2 commits into from
Nov 28, 2023
Merged

Conversation

joycebrum
Copy link
Contributor

Hi, as mentioned through email, this PR solves the Token-Permissions check.

The security reason of specifying the permissions for the workflows is that GitHub, for default, grant write-all permission, which could be exploited in case of the workflow got compromised.

Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.

Workflow run with minimal permission:

@joycebrum joycebrum changed the title Set Token permissions for workflows Set token permissions for workflows Nov 27, 2023
@sffc sffc merged commit 1a01702 into google:master Nov 28, 2023
19 checks passed
@joycebrum joycebrum deleted the token-permissions branch November 28, 2023 14:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants