CI: Resolve OSSF GitHub token permissions security alerts

[qwerty541]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
github-readme-stats	✅ Ready (Inspect)	Visit Preview	Jun 28, 2023 5:53pm

[rickstaa]

@anuraghazra, would it be possible to restrict the `GITHUB_TOKEN permissions so we can merge this pull request?

[qwerty541]

@rickstaa This alerts can be dismissed with "Used only in tests" reason. We cannot resolve them because this permissions required for workflows running. I think that if you approve it we can merge it now.

[anuraghazra]

Not sure whats this about, but approved.

[rickstaa]

@rickstaa This alerts can be dismissed with "Used only in tests" reason. We cannot resolve them because this permissions required for workflows running. I think that if you approve it we can merge it now.

Thanks for the explanation, makes sense!

[codecov]

Codecov Report

Patch and project coverage have no change.

Comparison is base (ee978f3) 97.61% compared to head (8dc86cb) 97.61%.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2891   +/-   ##
=======================================
  Coverage   97.61%   97.61%           
=======================================
  Files          24       24           
  Lines        5156     5156           
  Branches      460      460           
=======================================
  Hits         5033     5033           
  Misses        122      122           
  Partials        1        1           

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[rickstaa]

@qwerty541 looks like your changes broke the prs-cache-clean.yml action (see https://github.com/anuraghazra/github-readme-stats/actions/runs/5435282842/workflow) 🤔. Very strange since read should be valid for the id-token permission (see https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs). Maybe the indentation is incorrect?

[rickstaa]

It looks like the vscode-github-action plugin also flags this as a syntax error:

As the error goes away when I change to write or None maybe this permission can only take these two values and the documentation is incorrect 🤔?

References

• https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
• Document id-token permission github/docs#14626

[rickstaa]

It looks like all actions with id-token are affected. I opened an issue with github to fix this (see github/docs#26481), but in the meantime, I think we can use none instead of read. I created https://github.com/anuraghazra/github-readme-stats/pull/2903/files to fix this.

[rickstaa]

@qwerty541 as far as I could understand it, we can also solve this by removing the id-token key since all undefined permissions are automatically set to none. I created #2904 for an implicit solution.