cointop-sh / cointop

A fast and lightweight interactive terminal based UI application for tracking cryptocurrencies 🚀
https://cointop.sh
Apache License 2.0
3.94k stars 309 forks

Add token permissions for go.yml #306

Status: Closed (arjundashrath closed 2 years ago)

arjundashrath commented 2 years ago

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

StepSecurity is working on securing GitHub workflows and OSSF Scorecards recommends using StepSecurity's secure-workflows online tool app.stepsecurity.io to improve the security of GitHub workflows.

This repository has a Scorecards score of 0/10 in the Token-Permissions category with 10 being the most secure.

We have fixed one of the repo's workflow(s) for you by adding permissions for the involved jobs. You can secure the rest of the workflows for improved security by using the StepSecurity online tool at app.stepsecurity.io.

miguelmota commented 2 years ago

@arjundashrath thanks! that's a great tool
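A check for the condition this pull request addresses, written as an added example that is not part of the original thread or of the cointop or StepSecurity code: it reports jobs in a workflow file that declare no `permissions` for the `GITHUB_TOKEN` at either workflow or job level, or that set `write-all`. The sample workflows and the function name `audit_token_permissions` are constructed for illustration, and the parsing is an indentation heuristic rather than a full YAML parser.

```python
import re

# Constructed sample workflows for illustration (not cointop's actual go.yml).
NO_PERMS = """\
name: Go
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: go build ./...
"""
TOP_LEVEL = NO_PERMS.replace("jobs:", "permissions:\n  contents: read\njobs:")
JOB_LEVEL = NO_PERMS.replace("    runs-on:", "    permissions:\n      contents: read\n    runs-on:")
WRITE_ALL = NO_PERMS.replace("jobs:", "permissions: write-all\njobs:")

KEY = re.compile(r"^(\s*)([A-Za-z0-9_-]+):\s*(.*?)\s*$")

def audit_token_permissions(text):
    """Heuristic, indentation-based check (no YAML parser): list jobs whose
    GITHUB_TOKEN scope is left to the repository default or set to write-all."""
    top, jobs = None, {}          # top-level value; job name -> value or None
    in_jobs, job, job_indent, key_indent = False, None, None, None
    for raw in text.splitlines():
        m = KEY.match(raw.split(" #")[0].rstrip())
        if not m:                 # blank lines, comments, list items ("- uses: ...")
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:
            in_jobs, job, job_indent = key == "jobs", None, None
            if key == "permissions":
                top = value       # "" when followed by a mapping
        elif in_jobs:
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:          # a job name
                job, key_indent = key, None
                jobs[job] = None
            elif job is not None:
                key_indent = indent if key_indent is None else key_indent
                if indent == key_indent and key == "permissions":
                    jobs[job] = value
    findings = ["workflow: permissions is write-all"] if top == "write-all" else []
    for name, perms in jobs.items():
        if perms == "write-all":
            findings.append(f"job {name}: permissions is write-all")
        elif perms is None and top is None:   # nothing declared at either level
            findings.append(f"job {name}: no permissions declared")
    return findings
```

A job-level `permissions` block overrides the workflow-level one, which is why a job with its own block is not reported even when the workflow declares none.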