Closed joycebrum closed 1 year ago
Is this issue appropriate for the repository?
Yeah, in order to ensure the integrity of the files this project is responsible for and the build process related to it.
Describe the bug
Similar to what was done in https://github.com/KhronosGroup/SPIRV-Headers/issues/341 and https://github.com/KhronosGroup/glslang/issues/3148, I'd also like to suggest that the Vulkan-Headers' workflows (linux.yml) run with minimal permission instead of the GitHub default: write-all.
Expected behavior
The linux.yml workflow should only run with the needed permissions (basically contents: read) instead of all the write permissions granted by default by GitHub.
Screenshots
Current permissions granted (from https://github.com/KhronosGroup/Vulkan-Headers/actions/runs/4949330751)
Minimal permissions granted
Additional context
It is a recommendation from both OpenSSF Scorecard and GitHub to always use credentials that are minimally scoped.
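A simplified check for what the issue asks, as an added example (not code from Vulkan-Headers or from OpenSSF Scorecard): it reports jobs whose GITHUB_TOKEN would fall back to the repository default and any scope that is granted write. The sample workflow and the function name `audit_workflow` are constructed for illustration; the scan is line-based and assumes block-style YAML indented with spaces.

```python
import re

# Constructed sample, NOT the real linux.yml: a workflow with no permissions key.
SAMPLE_UNSCOPED = """\
name: Linux
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
"""

def audit_workflow(text):
    """Findings on GITHUB_TOKEN scoping; line-based scan of block-style YAML."""
    rows = []  # (indent, key, value) for every "key: value" line
    for raw in text.splitlines():
        m = re.match(r"^( *)([A-Za-z0-9_-]+):\s*(.*?)\s*(?:#.*)?$", raw)
        if m:
            rows.append((len(m.group(1)), m.group(2), m.group(3)))
    top_level, jobs = None, {}  # None means "no permissions key declared"
    in_jobs, job, job_indent = False, None, None
    for i, (indent, key, value) in enumerate(rows):
        if indent == 0:
            in_jobs, job = (key == "jobs"), None
        elif in_jobs and job_indent in (None, indent):
            job_indent, job = indent, key  # a job header directly under "jobs:"
            jobs[job] = None
            continue
        if key != "permissions":
            continue
        # Inline form ("permissions: read-all") or nested "scope: level" rows.
        scopes = {"*": value} if value and value != "{}" else {}
        for sub_indent, scope, level in rows[i + 1:]:
            if sub_indent <= indent:
                break
            scopes[scope] = level
        if indent == 0:
            top_level = scopes
        elif job is not None:
            jobs[job] = scopes
    findings = [f"job '{n}': no permissions declared, token uses the repository default"
                for n, s in jobs.items() if s is None and top_level is None]
    declared = [("workflow", top_level)] + [(f"job '{n}'", s) for n, s in jobs.items()]
    for where, scopes in declared:
        findings += [f"{where}: {k} = {v}" for k, v in (scopes or {}).items()
                     if v in ("write", "write-all")]
    return findings
```

Calling `audit_workflow(SAMPLE_UNSCOPED)` returns one finding for the `build` job; adding a top-level `permissions:` block with `contents: read` makes the list empty.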