janoside / btc-rpc-explorer

Database-free, self-hosted Bitcoin explorer, via RPC to Bitcoin Core.
https://bitcoinexplorer.org
MIT License
1.5k stars 1.11k forks

fix: Job permissions for codeql-analysis.yml #422

Closed Devils-Knight closed 1 year ago

Devils-Knight commented 2 years ago

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

StepSecurity is working on securing GitHub Actions and OSSF Scorecards recommends using the StepSecurity secure-workflows online tool to improve the security of GitHub workflows.

This repository has a Scorecards score of 4.5/10 with 10 being the most secure. The Token-Permissions category has a score of 0/10. The link to the score is here.

We have fixed this repo's workflow for you by adding permissions for the involved jobs. You can use the StepSecurity online tool to secure workflows for your other repos.
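The kind of change the PR describes, as an added example and not the repository's own codeql-analysis.yml or the PR's diff: a minimal CodeQL workflow with no `permissions:` key, followed by the same workflow with least-privilege permissions. The job name, branch names, cron schedule, action version tags and `languages: javascript` are assumptions, not taken from the repository.

```yaml
# Added example, not the repository's codeql-analysis.yml or the PR's diff.
# Job name, branches, schedule, action versions and the language list are assumptions.

# BEFORE: no `permissions:` key, so GITHUB_TOKEN gets the repository's default
# scopes (historically read/write on contents, packages, pull-requests, ...).
# Any compromised step or action dependency in this job inherits all of them.
name: "CodeQL"
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '0 6 * * 1'   # weekly, assumed

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v2

---
# AFTER: deny by default at the workflow level, then grant the analyze job only
# what CodeQL needs. A job-level `permissions:` block REPLACES the workflow-level
# one instead of merging with it, so every scope the job needs is listed on the job.
name: "CodeQL"
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '0 6 * * 1'

permissions:
  contents: read          # workflow default: every scope not listed here is `none`

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      actions: read           # read workflow-run metadata (needed on private repos)
      contents: read          # check out the code
      security-events: write  # upload SARIF results to Code Scanning
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v2
```

The only write scope CodeQL needs is `security-events: write`, used by `codeql-action/analyze` to upload its SARIF results; everything else stays read-only or `none`. To confirm the change took effect, open a run of the workflow after merging and expand the "Set up job" step: it prints the `GITHUB_TOKEN Permissions` actually granted to the job, which should match the job-level block above rather than the repository default.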