Set least privilege permissions for GitHub Workflow tokens #29
Comments
|
Hey, thank you for opening this issue! 🙂 To boost priority on this issue and support open source please tip the team at https://issuehunt.io/r/goatandsheep/rc/issues/29 |
|
Hi @gabibguti sure I'm open to it |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Proposal
Hello, I'm working on behalf of Google and the Open Source Security Foundation to help open-source projects improve their supply-chain security.
I see we are not setting minimum permissions for the GitHub Workflows in this project. And how does that matter? Setting minimum permission is interesting to prevent attackers from using a compromised GITHUB_TOKEN with write access to push malicious code into the project. And how do we do that? By setting permissions on each workflow to read only, or the least access they need.
This is considered a security best practice and therefore helps improve the project's security posture.
Would you be interested in a PR to do this?
Additional Context
Setting least privilege permissions is recommended by:
Let me know if you have any questions!
The text was updated successfully, but these errors were encountered: