Hi! I'm from GOSST (Google Open Source Security Team) team and I'd like to contribute to uuid to in order to improve its supply-chain security.
My suggestion here is basically set up the permissions to the github workflows as read only on the top level and any write permission be given at the run level.
This is necessary due to a behavior of github workflow to grant to GITHUB_TOKEN write permissions to all types of permissions, regardless of they being used or not. In case of the workflow getting compromised, an attacker can exploit this permissions.
Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.
I'll soon submit a PR to show the changes I listed above. Please, feel free to reach me out in case of any doubts or concerns.
Hi! I'm from GOSST (Google Open Source Security Team) team and I'd like to contribute to uuid to in order to improve its supply-chain security.
My suggestion here is basically set up the permissions to the github workflows as read only on the top level and any write permission be given at the run level.
This is necessary due to a behavior of github workflow to grant to GITHUB_TOKEN write permissions to all types of permissions, regardless of they being used or not. In case of the workflow getting compromised, an attacker can exploit this permissions.
Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.
I'll soon submit a PR to show the changes I listed above. Please, feel free to reach me out in case of any doubts or concerns.