Hi, I'm from Google and the OpenSSF, and I'm working on improving supply-chain security across many open source projects.
I would like to suggest setting the GITHUB_TOKEN permissions of your workflows to read-only at the top level and granting any write permission that is needed at the job level.
It is the default behavior of GitHub workflows to grant write access on all permission scopes, so it is a recommendation from both OpenSSF Scorecard and GitHub to always use credentials that are minimally scoped.
I'll send a PR just to show what the changes are about, but feel free to reach out to me in case of any doubts or concerns about it, and I hope I can help pycparser increase its supply-chain security even more.
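The following workflow is an added example illustrating the pattern described in the post; it is not pycparser's own workflow file and not the PR the author mentions. The workflow name, job names, test command and the `build-docs.sh` script are assumptions made for illustration. The top-level `permissions` key sets the GITHUB_TOKEN to read-only for every job, and only the one job that actually pushes gets a `contents: write` scope.

```yaml
# Added example, not pycparser's own workflow. Names below are assumptions.
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Top level: read-only token for every job unless a job overrides it.
# Without this key, GitHub's default (for older repositories) is read/write
# on all scopes, which is what OpenSSF Scorecard flags.
permissions:
  contents: read

jobs:
  test:
    # Inherits the read-only token from the top level; nothing to add here.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m unittest discover   # assumed test command

  publish-docs:
    # The only job that needs to push, so it is the only job that gets a
    # write scope, and only the one scope it needs.
    needs: test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./build-docs.sh   # assumed script name
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add docs/
          git commit -m "Update generated docs" || exit 0
          git push
```

Two points worth keeping in mind when applying this: `permissions: read-all` is an equivalent shorthand for the top level if you prefer not to enumerate scopes, and a job-level `permissions` block replaces the inherited set rather than adding to it, so every scope that job needs (for example `pull-requests: write` for a job that comments on PRs) must be listed there explicitly; any scope not listed is set to `none`.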