Closed gabibguti closed 10 months ago
Hey @gabibguti. Thanks for the heads up! We're actually in the process of migrating to an entirely new repo with an entirely new actions setup very soon. We'll definitely be sure to address the issue you raised as part of that migration.
@jrhemstad Ok, great! If you need any help setting it up for the new repo, let me know!
Closing in favor of https://github.com/NVIDIA/cccl/issues/919
Setting minimum permissions on workflows helps keep the workflows safer against supply-chain attacks. GitHub gives higher permissions to workflows by default, but it's good practice to adjust them to the minimum permissions necessary.
To do that, we check what actions are used in the workflow and what permissions they need. For example, in `deploy-documentation-github-pages.yml` we have the action `peaceiris/actions-gh-pages`, which needs the `contents: write` permission to push to a repository branch. We should do that for all workflows to make sure we're following the least privilege access rule. If you agree with the changes, I can open a PR!
This setting is recommended by security tools, such as Scorecards and StepSecurity.
Additional Context
I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
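A workflow showing the change the issue proposes, as an added example rather than the repository's own deploy-documentation-github-pages.yml; the job and step names, the build command, the docs directory, the trigger branch and the action versions are assumptions:

```yaml
# Added example, not the repository's own file. The default GITHUB_TOKEN is
# restricted to read-only for the whole workflow, and the single scope the
# deploy job actually needs is granted only to that job.
name: Deploy documentation to GitHub Pages

on:
  push:
    branches: [main]          # assumed trigger branch

# Workflow-level default: every job starts with a read-only token.
# Without this block, GitHub's more permissive default applies to every job.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build docs        # assumed build step and command
        run: make docs
      - uses: actions/upload-artifact@v4
        with:
          name: docs
          path: docs/_build/html  # assumed output directory

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # Job-level override: only this job may push to the gh-pages branch,
    # which is the contents: write permission peaceiris/actions-gh-pages needs.
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: docs
          path: site
      - uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./site
```

Declaring any scope in a `permissions` block sets every unlisted scope to none at that level, so the build job keeps a read-only token while only the deploy job can write to the repository.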