This sets the default permission for CI workflows to read-only access to the repository (scope: `contents`).
A compromised action will not be able to modify the repo or
even steal secrets, since all other permission scopes are implicitly set to "none", i.e. not permitted.
More about permissions and scope can be found here: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
Part of #42 and https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
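An added example of the pattern this PR applies (not a workflow from this repository): a workflow-level `permissions` block that limits the `GITHUB_TOKEN` to `contents: read`, with one job that opts in to the extra scope it needs. The job names, the `make` targets and the branch name are assumptions for illustration.

```yaml
# Added example, not part of this PR: least-privilege GITHUB_TOKEN defaults.
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default: every job's GITHUB_TOKEN can only read repository
# contents. Every scope not listed here (issues, pull-requests, packages,
# id-token, ...) is implicitly "none", so a compromised step cannot use the
# token to open PRs, publish packages or otherwise write to the repo.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # checkout only needs contents: read
      - run: make test                 # assumed target

  release:
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    # Job-level override: only this job may write to the repository.
    # A job-level block replaces the workflow default for that job, and any
    # scope not listed here is again "none".
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: make release              # assumed target
```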