Ganeti is a virtual machine cluster management tool built on top of existing virtualization technologies such as Xen or KVM and other open source software.
Currently GH actions can use GITHUB_TOKEN to possibly modify repositories/actions etc. from within a job. This commit restricts the use of the GITHUB_TOKEN in all existing workflows to read-only actions (more fine-grained configuration is possible).
This has been uncovered by the OpenSSF security scorecard (see Token-Permissions check documentation for more details).
There are also other low-hanging-fruit improvements like adding a SECURITY.md to our project with information on how to report security vulnerabilities (and also define what a vulnerability is from a Ganeti point of view). If anyone wants to take on that job... :-)
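An added example, not taken from the Ganeti repository or this commit, of what restricting GITHUB_TOKEN looks like in a workflow file: a workflow with no `permissions` key beside one that sets a read-only default and re-grants a single write scope to the one job that needs it. The workflow names, steps and the "comment" job are assumptions.

```yaml
# Constructed example: two separate workflow files shown in one block.

# BEFORE (e.g. .github/workflows/ci-before.yml): no `permissions` key, so
# GITHUB_TOKEN inherits the repository default, which may be read/write on
# every scope. Any step in this job, including third-party actions, could use it.
name: ci-before
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checkout only needs contents: read
      - run: make test
---
# AFTER (e.g. .github/workflows/ci-after.yml): a workflow-wide read-only token.
# The top-level `permissions` block is what the OpenSSF Scorecard
# Token-Permissions check looks for.
name: ci-after
on: [push, pull_request]
permissions:
  contents: read            # default for every job in this workflow
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  comment:
    needs: build
    runs-on: ubuntu-latest
    # Job-level grant: listing scopes here sets every unlisted scope to 'none',
    # so this token can read code and write PR comments, and nothing else.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "would post a PR comment here using the narrowly scoped token"
```

Using `permissions: read-all` at the top level is equivalent to listing every scope as `read`; the explicit form above is easier to audit when reviewing which jobs were later granted write access.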