OSSF Scorecard: Token Permissions

[trask]

One option for adding token permissions to github actions:

• Fork the repo (if you don't have write permission on the repo itself)
• Run https://app.stepsecurity.io/securerepo against your fork
• Uncheck all sections except for "Restrict permissions for GITHUB_TOKEN"
• Create PR
• Now go and create the PR against the real repo (if you don't have write permission on the repo itself):
  • e.g. open-telemetry/opentelemetry-js@main...step-security-bot:trasktest_opentelemetry-js:chore/GHA-312224-stepsecurity-remediation

This will only address the token permissions that the service can detect automatically. You will need to manually add token permissions to any remaining workflows.

[trask]

Closing, going to open a new issue related to the latest efforts