Closed diogoteles08 closed 1 year ago
Hey! This issue has been idle for quite some time. Do you plan on considering these changes? Otherwise I will wait up to 2 more months and then close the issue. Thanks!
Hi, I noticed this issue has been idle for 5 months. I'm closing this issue and its corresponding pull request as it is no longer considered active.
If you'd like to continue considering this change, please reopen it and let me know.
Thanks, Diogo
Hi!
I'm Diogo and I work on Google's Open Source Security Team (GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊
I'm here to suggest the definition of minimal permissions on your workflow, as it would harden your security against supply-chain attacks. I see that you have only one workflow, the go.yml, but it does not specify the permissions for its jobs, leaving their privileges to be determined by GitHub's defaults. By defining minimal permissions you would be secured against erroneous or malicious actions from external jobs you call from your workflow. It's especially important for the case they get compromised, for example.
Setting minimum permissions for workflows is recommended by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.
As the changes would be very simple, I'll take the liberty to raise a PR and ease your evaluation of the changes.
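The check described in the issue above, sketched as an added example (not part of the original issue, the project's go.yml, or the Scorecard implementation): it reports which jobs in a workflow leave the `GITHUB_TOKEN` scope to repository defaults. The two workflows are constructed samples, `contents: read` is an assumption about what a Go build-and-test job needs, and the line-based scan assumes block-style YAML indented with spaces.

```python
import re

# Constructed sample; the project's real go.yml is not shown on this page.
DEFAULT_SCOPE = """\
name: Go
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go test ./...
"""

# Same workflow with a read-only token declared once at the top level.
# "contents: read" is an assumption about what a build-and-test job needs.
MINIMAL_SCOPE = DEFAULT_SCOPE.replace(
    "jobs:", "permissions:\n  contents: read\njobs:", 1)

# A mapping key at the start of a line: leading spaces, then "name:".
KEY = re.compile(r"^( *)([A-Za-z_][\w-]*):")

def jobs_on_default_permissions(workflow_text):
    """Return the jobs whose GITHUB_TOKEN scope is left to repository defaults."""
    top_level = in_jobs = False
    job_indent = key_indent = current = None
    declared = {}
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue  # blank lines, comments, list items, continuation lines
        indent, name = len(m.group(1)), m.group(2)
        if indent == 0:
            in_jobs = name == "jobs"
            top_level = top_level or name == "permissions"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent           # indentation of job ids
            if indent == job_indent:          # a new job id
                current, key_indent = name, None
                declared[current] = False
            elif current is not None:
                if key_indent is None:
                    key_indent = indent       # first key inside this job
                if indent == key_indent and name == "permissions":
                    declared[current] = True
    # A top-level block applies to every job that does not override it.
    return [] if top_level else [j for j, ok in declared.items() if not ok]

if __name__ == "__main__":
    print("default scope:", jobs_on_default_permissions(DEFAULT_SCOPE))
    print("minimal scope:", jobs_on_default_permissions(MINIMAL_SCOPE))
```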