By default, GitHub workflows run with write-all permissions. This is dangerous, since it opens the project up to supply-chain attacks. GitHub itself recommends ensuring all workflows run with minimal permissions.
I've taken a look at harfbuzz's workflows, and most already have top-level read-only permissions (added in #3639). However, cifuzz.yml doesn't have this top-level permissions block.
This issue can be solved in two ways:

1. add top-level read-only permissions to cifuzz.yml; and/or
2. set the default token permissions to read-only in the repo settings.
I'll be sending a PR along with this issue that sets the top-level permissions. If you instead (or also) wish to modify the default token permissions:
Under "Workflow permissions", set them to "Read repository contents and packages permissions"
Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
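For reference, here is what a CIFuzz-style workflow looks like with the top-level permissions block the issue asks for. This is an added illustration, not harfbuzz's actual cifuzz.yml or the PR's contents; the job steps are assumed from the standard OSS-Fuzz CIFuzz template and the real file may differ. Only the `permissions:` key is the point.

```yaml
# Added example, not harfbuzz's cifuzz.yml: a CIFuzz-style workflow with a
# top-level read-only permissions block. Steps below are assumed from the
# generic OSS-Fuzz CIFuzz template.
name: CIFuzz

on:
  pull_request:
    branches: [ main ]

# Without this block, GITHUB_TOKEN gets the repository's default permissions,
# which are write-all unless the repo setting has been changed. With it, every
# job in this file gets a read-only token; a job that genuinely needs more can
# add its own job-level `permissions:` for just the scopes it needs.
permissions: read-all
# Narrower alternative, if only checkout is needed:
# permissions:
#   contents: read

jobs:
  Fuzzing:
    runs-on: ubuntu-latest
    steps:
      - name: Build Fuzzers
        id: build
        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
        with:
          oss-fuzz-project-name: 'harfbuzz'
          language: c++
      - name: Run Fuzzers
        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
        with:
          oss-fuzz-project-name: 'harfbuzz'
          fuzz-seconds: 600
      - name: Upload Crash
        uses: actions/upload-artifact@v3
        if: failure() && steps.build.outcome == 'success'
        with:
          name: artifacts
          path: ./out/artifacts
```

Note that uploading a crash artifact does not require any write scope on GITHUB_TOKEN, so `read-all` is sufficient for this job; the check to make when adding the block to an existing workflow is whether any step pushes commits, comments on PRs, or writes to packages, and to grant only that scope at the job level if so.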