Description
OpenSSF Scorecard reports `Token-Permissions: 0/10` on nearly every public repo in the platform-mesh org. Most workflows declare `contents: write` and/or `packages: write` at the top level (workflow scope) instead of restricting them to the specific job that needs them. This violates the principle of least privilege for the `GITHUB_TOKEN` and is a high-impact, low-effort fix.
Fix pattern:
- `permissions: read-all` at the top level (or omit it and rely on the default read permissions).
- `permissions:` blocks at the job level, only for the jobs whose steps need write access (image push, release commit, label apply, etc.).
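The fix pattern applied to a sample release workflow, as an added example that is not taken from any platform-mesh repository: the first YAML document is the workflow-scope write grant that Scorecard flags, the second is the corrected version. The workflow name, job names and make targets are assumed; each document would be its own file under `.github/workflows/`.

```yaml
# Added example, not from any platform-mesh workflow; job names and
# make targets are assumed.

# --- BEFORE: write scopes at workflow level, inherited by every job ---
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: write
  packages: write
jobs:
  test:                          # needs read only, but inherits write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make push-image      # the only job that needs packages: write

---
# --- AFTER: read-only default, write scoped to the one job that needs it ---
name: release
on:
  push:
    tags: ["v*"]
permissions: read-all            # workflow-scope default for GITHUB_TOKEN
jobs:
  test:                          # inherits read-all, no write scope at all
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  publish:
    runs-on: ubuntu-latest
    permissions:                 # a job-level block replaces the workflow
      contents: read             # default entirely, so list read scopes
      packages: write            # the checkout still needs explicitly
    steps:
      - uses: actions/checkout@v4
      - run: make push-image
```

Because a job-level `permissions:` block replaces the workflow-level grant for that job rather than adding to it, any scope the job still needs (here `contents: read` for the checkout) has to be listed alongside the write scope.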
Affected repos
Each box represents one repo to fix. Open the per-repo Scorecard for the exact workflow files and line numbers:
https://api.securityscorecards.dev/projects/github.com/platform-mesh/<repo> → look at the `Token-Permissions` check details.
- [ ] account-operator — https://api.securityscorecards.dev/projects/github.com/platform-mesh/account-operator
- [ ] extension-manager-operator — https://api.securityscorecards.dev/projects/github.com/platform-mesh/extension-manager-operator
- [ ] golang-commons — https://api.securityscorecards.dev/projects/github.com/platform-mesh/golang-commons
- [ ] helm-charts — https://api.securityscorecards.dev/projects/github.com/platform-mesh/helm-charts
- [ ] iam-service — https://api.securityscorecards.dev/projects/github.com/platform-mesh/iam-service
- [ ] iam-ui — https://api.securityscorecards.dev/projects/github.com/platform-mesh/iam-ui
- [ ] kubernetes-graphql-gateway — https://api.securityscorecards.dev/projects/github.com/platform-mesh/kubernetes-graphql-gateway
- [ ] ocm — https://api.securityscorecards.dev/projects/github.com/platform-mesh/ocm
- [ ] platform-mesh-operator — https://api.securityscorecards.dev/projects/github.com/platform-mesh/platform-mesh-operator
- [ ] platform-mesh.github.io — https://api.securityscorecards.dev/projects/github.com/platform-mesh/platform-mesh.github.io
- [ ] portal-server-lib — https://api.securityscorecards.dev/projects/github.com/platform-mesh/portal-server-lib
- [ ] portal-ui-lib — https://api.securityscorecards.dev/projects/github.com/platform-mesh/portal-ui-lib
- [ ] portal — https://api.securityscorecards.dev/projects/github.com/platform-mesh/portal
- [ ] provider-quickstart — https://api.securityscorecards.dev/projects/github.com/platform-mesh/provider-quickstart
- [ ] rebac-authz-webhook — https://api.securityscorecards.dev/projects/github.com/platform-mesh/rebac-authz-webhook
- [ ] security-operator — https://api.securityscorecards.dev/projects/github.com/platform-mesh/security-operator
- [ ] subroutines — https://api.securityscorecards.dev/projects/github.com/platform-mesh/subroutines
- [ ] upstream-images — https://api.securityscorecards.dev/projects/github.com/platform-mesh/upstream-images
- [ ] virtual-workspaces — https://api.securityscorecards.dev/projects/github.com/platform-mesh/virtual-workspaces
Objectives
- All public repos with workflows score `Token-Permissions: 9/10` or `10/10`.
- Top-level `permissions: read-all` becomes the default for new workflows added to platform-mesh repos (consider documenting this in the `.github` repo).
Demo Required
None
Demo Steps
No response
Epic: #278