envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0
24.66k stars 4.75k forks

Set up permissions for Github Workflows #25770

Open joycebrum opened 1 year ago

joycebrum commented 1 year ago

If you are reporting any crash or any potential security issue, do not open an issue in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately.

Title: Set up permissions for Github Workflows

Description: Hi, I'm from Google, working with the OpenSSF to help open source projects increase their supply-chain security.

I would like to suggest setting the GITHUB_TOKEN permissions of your workflows to read only at the top level and granting any write permission needed at the run level.

It is the default behavior of GitHub workflows to grant write access for all permissions, thus it is a recommendation from both OpenSSF Scorecard and GitHub to always use credentials that are minimally scoped.

If a PR is welcome with the changes, let me know.

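The pattern proposed above, as an added example that is not part of this issue or of Envoy's own workflows (the workflow name, job names, build command and comment script are hypothetical):

```yaml
# Added example: least-privilege GITHUB_TOKEN scoping for a GitHub Actions
# workflow. Names and commands below are placeholders, not Envoy's.
name: ci-example

on:
  pull_request:
  push:
    branches: [main]

# Without this block every job receives the repository's default token scope,
# which (unless the repo setting "Workflow permissions" was changed to
# read-only) is read/write on every permission. Declaring it here restricts
# the token for all jobs in this file; jobs that need more must opt in.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the workflow-level read-only token: enough to check out code.
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/build.sh   # hypothetical build command

  comment:
    needs: build
    runs-on: ubuntu-latest
    # Only this job needs write access, so the extra scope is granted here and
    # nowhere else. A job-level block replaces the workflow-level one instead
    # of extending it, so `contents: read` is restated for completeness.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            // Hypothetical action: post a status comment on the pull request.
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Build finished.',
            });
```

OpenSSF Scorecard's Token-Permissions check flags workflows that leave the top-level `permissions` block unset, and the repository-wide "Workflow permissions" setting only changes the default, so an explicit block in each workflow is what makes the scope reviewable in the file itself.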

zuercher commented 1 year ago

cc @phlax

phlax commented 1 year ago

hi @joycebrum this would be very welcome

we have done some of this previously although I'm not sure how comprehensively or selectively - these can be tricky to get right (see e.g. #25742 ), and iirc the repo settings can also play a part

we also recently merged the mobile project and I think these do not have any permissions set so probably you will look at those if you raise a PR - cc @jpsim

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.