Hello, I'm working on behalf of Google and the Open Source Security Foundation to help open-source projects improve their supply-chain security.
I see we are not setting minimum permissions for the GitHub Workflows in this project. And how does that matter? Setting minimum permission is interesting to prevent attackers from using a compromised GITHUB_TOKEN with write access to push malicious code into the project. And how do we do that? By setting permissions on each workflow to read only, or the least access they need.
This is considered a security best practice and therefore helps improve the project's security posture.
Would you be interested in a PR to do this?
Additional Context
Setting least privilege permissions is recommended by:
Proposal
Hello, I'm working on behalf of Google and the Open Source Security Foundation to help open-source projects improve their supply-chain security.
I see we are not setting minimum permissions for the GitHub Workflows in this project. And how does that matter? Setting minimum permission is interesting to prevent attackers from using a compromised GITHUB_TOKEN with write access to push malicious code into the project. And how do we do that? By setting permissions on each workflow to read only, or the least access they need.
This is considered a security best practice and therefore helps improve the project's security posture.
Would you be interested in a PR to do this?
Additional Context
Setting least privilege permissions is recommended by:
Let me know if you have any questions!