Setting minimum permissions for workflows is important to keep your repository safe against supply-chain attacks. By default, GitHub grants workflows a GITHUB_TOKEN with higher permissions than necessary. With higher permissions, if your workflow suffers an attack, the attacker would be able to push malicious code to your repository, for example. To avoid that, we set minimum permissions.
I see both workflows, fossa.yaml and go.yml, don't need many permissions, so setting contents: read should be enough. If you agree with the changes, I can open a PR!
This is considered good practice and is recommended by GitHub and other security tools, such as Scorecards and StepSecurity.
Additional context
I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
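The change proposed above, as an added illustration rather than the repository's actual go.yml (the job names, Go version and the hypothetical "comment" job are assumptions): a Go workflow with GITHUB_TOKEN restricted to read-only repository contents at the workflow level, and a job-level grant for the one job that needs more.

```yaml
# Added example, not the project's own workflow file.
name: Go

on:
  push:
    branches: [main]
  pull_request:

# Without this block, GITHUB_TOKEN receives the repository's default scope,
# which (depending on repository and organization settings) can be read/write
# on contents, packages, pull-requests and more. A compromised step could then
# push commits with it. `contents: read` is enough to check out the code and
# build/test it, and every other scope is set to "none" for the whole workflow.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - run: go build ./...
      - run: go test ./...

  # Hypothetical job that genuinely needs a write scope (commenting on a PR).
  # Job-level `permissions` replaces the workflow-level default for this job
  # only; the build job above keeps the read-only token.
  comment:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "only this job's token can write to pull requests"
```

Scorecard's Token-Permissions check flags a workflow that has no top-level `permissions` block or that grants write scopes at the workflow level, so keeping writes job-scoped as above satisfies it.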