As a maintainer
I want to use read-only default workflow permissions with elevated permissions specified only where required
So that the security exposure to malicious contributions is minimised
See the OpenSSF Scorecard Token-Permissions documentation for further background.
Rather than having each workflow explicitly set a top-level read permission, workflow jobs will explicitly specify any elevated permissions required. The repository settings will be changed to adopt read-only permission as the default for all workflows.
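As an added illustration (not a workflow from this repository), a workflow written for the pattern above: no top-level `permissions:` block, the repository default provides a read-only `GITHUB_TOKEN`, and only the jobs that must write declare the scopes they need. Workflow name, job names and the `make`/`gh` commands are hypothetical.

```yaml
name: ci-and-release            # hypothetical workflow name

on:
  push:
    branches: [main]
  pull_request:

# Deliberately no top-level `permissions:` here. With the repository setting
# "Workflow permissions: Read repository contents and packages permissions"
# every job starts with a read-only GITHUB_TOKEN and opts in to more below.
# (The old pattern this replaces was `permissions: read-all` at the top of
# every workflow, or worse, relying on a read/write repository default.)

jobs:
  test:
    # Inherits the read-only default; needs nothing more than checkout.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test          # hypothetical test target

  comment:
    # Only this job can write pull-request comments; the token handed to
    # the other jobs never carries that scope.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read            # listed explicitly: unlisted scopes become none
      pull-requests: write
    steps:
      - run: gh pr comment "$PR" --body "Tests passed"   # hypothetical step
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}

  release:
    # Only this job can push tags and create releases, and only on main
    # after tests pass.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "v${GITHUB_RUN_NUMBER}" --generate-notes  # hypothetical
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Once a job declares its own `permissions:` block, every scope it does not list is set to `none` rather than read, so each elevated job must enumerate everything it needs, including `contents: read` for checkout.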