-
## Description
There is another security practice I would like to suggest, also recommended by the [OpenSSF Scorecard][scorecard-repo], which is to hash pin dependencies to prevent typosquatting an…
-
### Required prerequisites
- [X] Make sure you've read the [documentation](https://pybind11.readthedocs.io). Your issue may be addressed there.
- [X] Search the [issue tracker](https://github.com/pyb…
-
### TL;DR
GitHub [recently announced](https://github.blog/changelog/2023-04-27-graphql-improvements-for-fine-grained-pats-and-github-apps/) that fine-grained PATs can now be used to call the [GitHu…
-
### What's the problem this feature will solve?
Hi, I work on behalf of Google and OpenSSF to help Open Source Projects improve their Supply Chain Security.
I saw this interesting PR https://gi…
-
I would like to suggest setting the permissions to the github workflows (the build.yml file) as read only on the [top level](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-gith…
-
Hi!
I'm here to suggest that you set minimal permissions to your GitHub Workflows, because currently they don't specify the permissions for their jobs and their privileges are being determined by G…
-
This has come up in discussions in meetings about whether we might help projects through the assessment process by recommending best practices or common techniques for projects to consider, evaluate a…
-
One of the recommendations we're getting from the OpenSSF Scorecard is that we pin all the github actions workflows we're using, using hashes instead of version tags (because tags could be changed but …
-
Adding a Security Policy is important to provide guidance on how users can report potential vulnerabilities and communicate when vulnerabilities will be confirmed, fixed and disclosed to the public.
…
-
**Is your feature request related to a problem? Please describe.**
This feature request is related to a security improvement in order to avoid some types of supply-chain attacks. The GitHub workflows…