jbeder / yaml-cpp

A YAML parser and emitter in C++
MIT License

CI: Set minimal permissions on GitHub Workflow #1174

Closed diogoteles08 closed 1 year ago

diogoteles08 commented 1 year ago

Hi!

I'd like to suggest the definition of minimal permissions on your workflow, as it would harden your security against supply-chain attacks. I see that you have only one workflow, the build.yml, but it does not specify the permissions for its jobs, letting their privileges be determined by GitHub's defaults. By defining minimal permissions you would be secured against erroneous or malicious actions from external jobs you call from your workflow. It's especially important for the case they get compromised, for example.

Setting minimum permissions for workflows is recommended by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.

I'd be happy to raise a PR with the changes if you agree.

Context

I'm Diogo and I work on Google's Open Source Security Team (GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊
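The change proposed above, shown as an added example that is not the project's actual build.yml: a workflow whose jobs inherit GitHub's default token scopes, next to the same workflow with a top-level read-only `permissions` block. The job and step contents are assumed for illustration.

```yaml
# BEFORE (assumed shape, not the real build.yml): there is no `permissions`
# key, so each job's GITHUB_TOKEN receives the repository's default scopes,
# and every third-party action the job calls runs with those same scopes.
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: cmake -S . -B build && cmake --build build
      - run: cd build && ctest

---
# AFTER: a top-level `permissions` block applies to every job in the file.
# Listing only `contents: read` leaves all other scopes (issues, packages,
# pull-requests, ...) at `none`, which is all a checkout-and-build job needs.
# A job that really must write can set its own `permissions` block, which
# overrides the workflow-level one for that job only.
name: build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: cmake -S . -B build && cmake --build build
      - run: cd build && ctest
```

A quick way to check the effect is to inspect the "GITHUB_TOKEN Permissions" block that GitHub prints at the top of each job log after the change.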

jbeder commented 1 year ago

Sure! I'd accept a PR, thanks for the offer!

(P.S. I'm also a Googler, so feel free to say hi internally!)

On Wed, Mar 1, 2023 at 11:00 AM diogoteles08 @.***> wrote:

Hi!

I'd like to suggest the definition of minimal permissions on your workflow, as it would harden your security against supply-chain attacks. I see that you have only one workflow, the build.yml https://github.com/jbeder/yaml-cpp/blob/master/.github/workflows/build.yml, but it does not specify the permissions for its jobs, letting their privileges be determined by GitHub's defaults. By defining minimal permissions you would be secured against erroneous or malicious actions from external jobs you call from your workflow. It's especially important for the case they get compromised, for example.

Setting minimum permissions for workflows is recommended by GitHub itself https://docs.github.com/en/actions/security-guides/automatic-token-authentication and also by other security tools, such as Scorecards https://github.com/ossf/scorecard and StepSecurity https://github.com/step-security.

I'd be happy to raise a PR with the changes if you agree.

Context

I'm Diogo and I work on Google's Open Source Security Team (GOSST https://github.com/diogoteles08#about-gosst-ghost) in cooperation with the Open Source Security Foundation (OpenSSF https://openssf.org/). My core job is to suggest and implement security changes on widely used open source projects 😊


diogoteles08 commented 1 year ago

Great! I'll be raising a PR shortly.

And cool that you're a Googler too! I'll go for the hi =)