You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
By default, GitHub workflows run with write-all permissions. This is dangerous, since it opens the project up to supply-chain attacks. GitHub itself recommends ensuring all workflows run with minimal permissions.
I've taken a look at logr's workflows, and most only need read-only access. As such, I'd like to help the project patch up this vulnerability.
This issue can be solved in two ways:
add top-level read-only permissions to all workflows, and then give additional job-level permissions as necessary; and/or
set the default token permissions to read-only in the repo settings.
I'll be sending a PR along with this issue that sets the top-level permissions as well as the additional permissions required for assign.yml.
If you instead (or also) wish to modify the default token permissions:
Under "Workflow permissions", set them to "Read repository contents and packages permissions"
If you only wish to modify the default token permissions, know that you'll need to modify assign.yaml, since it requires some additional permissions.
Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
The text was updated successfully, but these errors were encountered:
By default, GitHub workflows run with write-all permissions. This is dangerous, since it opens the project up to supply-chain attacks. GitHub itself recommends ensuring all workflows run with minimal permissions.
I've taken a look at logr's workflows, and most only need read-only access. As such, I'd like to help the project patch up this vulnerability.
This issue can be solved in two ways:
I'll be sending a PR along with this issue that sets the top-level permissions as well as the additional permissions required for assign.yml.
If you instead (or also) wish to modify the default token permissions:
If you only wish to modify the default token permissions, know that you'll need to modify assign.yaml, since it requires some additional permissions.
Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
The text was updated successfully, but these errors were encountered: