You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm here to suggest that you set minimal permissions to your GitHub Workflow, because currently it doesn't specify the permissions for their jobs and their privileges are being determined by GitHub's defaults. Defining minimal permissions secures you against erroneous or malicious behaviour from external jobs you call from your workflow. It's specially important for the case they get compromised, for example.
It's a very simple change! I'd only add
permissions:
contents: read
at the root of your workflow, and that would set a top-level read-only permission that would be inherited by any job that does not define job-level permissions. It seems that currently none of your workflows require write permissions -- but in case you need them in the future, you'd keep the top-level read-only permissions and add the required write permissions as job-level.
Setting minimum permissions for workflows is recommended by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.
Giving the simplicity of the change, I'll take the liberty and create a PR with contribution so you can evaluate it easier.
Context
I'm Diogo and I work on Google's Open Source Security Team(GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊
The text was updated successfully, but these errors were encountered:
Hello @sybrenstuvel! This issue has been idle for quite some time. Do you plan on considering these changes? Otherwise I will wait up to 2 more months and close the issue.
Hi!
I'm here to suggest that you set minimal permissions to your GitHub Workflow, because currently it doesn't specify the permissions for their jobs and their privileges are being determined by GitHub's defaults. Defining minimal permissions secures you against erroneous or malicious behaviour from external jobs you call from your workflow. It's specially important for the case they get compromised, for example.
It's a very simple change! I'd only add
at the root of your workflow, and that would set a top-level read-only permission that would be inherited by any job that does not define job-level permissions. It seems that currently none of your workflows require write permissions -- but in case you need them in the future, you'd keep the top-level read-only permissions and add the required write permissions as job-level.
Setting minimum permissions for workflows is recommended by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.
Giving the simplicity of the change, I'll take the liberty and create a PR with contribution so you can evaluate it easier.
Context
I'm Diogo and I work on Google's Open Source Security Team(GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊
The text was updated successfully, but these errors were encountered: