Describe the bug
SentencePiece's automated workflows currently run with write-all tokens. This puts the project at risk of supply-chain attacks. GitHub recommends ensuring all workflows run with minimal permissions.
I've taken a look at the workflows and they don't need broad permissions.
This issue can be solved in two ways:
add top-level read-only permissions to all workflows; and/or
set the default token permissions to read-only in the repo settings.
I'll be sending a PR along with this issue that sets the top-level permissions (and grants additional permissions for the jobs that need them). If you instead (or also) wish to modify the default token permissions:
Hi, it's Pedro and I'm back (see https://github.com/google/sentencepiece/pull/934) with another security suggestion!
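As an added illustration of the first fix (not the issue author's PR and not a file from the SentencePiece repository), this constructed workflow puts a read-only `permissions` block at the top level and grants a wider scope only to the one job that needs it; the workflow name, job names and `make test` step are placeholders:

```yaml
name: ci
on: [push, pull_request, release]

# Top-level default for every job in this workflow. GITHUB_TOKEN is limited to
# reading repository contents; any scope not listed here is set to "none".
# Without this block (or with "permissions: write-all") every job would get
# whatever the repository's default token permissions allow.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the top-level read-only token: checkout works, pushes do not.
    steps:
      - uses: actions/checkout@v4
      - run: make test   # placeholder for the project's real test step

  upload-release-assets:
    needs: test
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    # A job-level block REPLACES the top-level one for this job (it is not
    # merged), so list every scope the job needs, and nothing more.
    permissions:
      contents: write   # needed to attach files to the GitHub release
    steps:
      - uses: actions/checkout@v4
      - run: make dist   # placeholder: produces ./dist/* artifacts
      - run: gh release upload "$GITHUB_REF_NAME" ./dist/*
        env:
          GH_TOKEN: ${{ github.token }}
```

The second fix from the issue complements this: with the repository's default workflow permissions set to read-only in Settings, a workflow that omits the `permissions` block altogether still gets only a read token, so the explicit block is what documents and grants the exceptions.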