Set minimum permissions to workflows #76
Comments
|
Thanks, @gabibguti! |
abhinav
added a commit
that referenced
this issue
Mar 20, 2023
Reduces the permissions available to GitHub Workflows to read-only since they don't do much otherwise. Resolves #76
abhinav
added a commit
that referenced
this issue
Mar 20, 2023
Reduces the permissions available to GitHub Workflows to read-only since they don't do much otherwise. Resolves #76
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Setting minimum permissions to workflows is important to keep your repository safe against supply-chain attacks. GitHub grants a GITHUB_TOKEN with higher permissions than necessary by default for workflows. With higher permissions, if your workflow suffers an attack, the attacker would be able to push malicious code to your repository for example. To avoid that, we set minimum permissions.
I see both workflows,
fossa.yamlandgo.yml, don't need much permissions, so settingcontents: readshould be enough. If you agree with the changes, I can open a PR!This is considered good-practice and recommended by GitHub and other security tools, such as Scorecards and StepSecurity.
Additional context
I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
The text was updated successfully, but these errors were encountered: