goatandsheep / rc

The non-configurable configuration loader for lazy people.
https://www.npmjs.com/package/run-con
Other
7 stars 1 forks source link

Set least privilege permissions for GitHub Workflow tokens #29

Closed gabibguti closed 2 years ago

gabibguti commented 2 years ago

Proposal

Hello, I'm working on behalf of Google and the Open Source Security Foundation to help open-source projects improve their supply-chain security.

I see we are not setting minimum permissions for the GitHub Workflows in this project. And how does that matter? Setting minimum permission is interesting to prevent attackers from using a compromised GITHUB_TOKEN with write access to push malicious code into the project. And how do we do that? By setting permissions on each workflow to read only, or the least access they need.

This is considered a security best practice and therefore helps improve the project's security posture.

Would you be interested in a PR to do this?

Additional Context

Setting least privilege permissions is recommended by:

Let me know if you have any questions!

github-actions[bot] commented 2 years ago

Hey, thank you for opening this issue! 🙂 To boost priority on this issue and support open source please tip the team at https://issuehunt.io/r/goatandsheep/rc/issues/29

goatandsheep commented 2 years ago

Hi @gabibguti sure I'm open to it