Closed gabibguti closed 10 months ago
Hi! Friendly ping here. This issue has been idle for quite some time. Do you plan on considering these changes? If yes, please let me know! Otherwise I will wait up to 2 more months to close the issue. Thanks!
Hey! Just to let you know I'm closing this issue. If you want to consider this change, please reopen :)
Adding minimum permissions to GitHub workflows is important to protect your repository against supply-chain attacks. The `fuzz.yml` workflow just needs minimum permissions `contents: read` and `tests.yml` needs a special permission only for the `coveralls` job. By default, GitHub gives higher permissions to workflows but recommends adjusting them.

This is considered good practice and is also recommended by other security tools, such as Scorecards and StepSecurity.
Additional Context
I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :) If you agree with the changes, I can open a PR.