jonboulle / clockwork

a fake clock for golang
Apache License 2.0
656 stars 58 forks

Run GitHub workflows with minimal permissions #74

Closed pnacht closed 1 year ago

pnacht commented 1 year ago

GitHub workflows run with write-all permissions. This makes repositories vulnerable to supply-chain attacks.

Given clockwork's workflows are for SAST and unit testing, they don't require such broad permissions. I'd therefore like to help the project close this vulnerability.

This can be done in two ways:

  1. We can add top-level read-only permissions to all the workflows; and/or
  2. You can change the repository settings to change the default permissions from write-all to read-only.

I'll send a PR along with this issue setting the top-level permissions on the workflows.

Or, if you'd rather (or also wish to) change the repository's default settings:

  1. Open the repo settings
  2. Go to Actions > General
  3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
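As an added example that is not part of the issue above or of clockwork's own workflow files: a Go test workflow with the top-level `permissions` block that option 1 refers to, plus a SAST job that grants back the single write scope it needs at the job level. The workflow name, triggers, Go setup and action versions are assumptions for illustration.

```yaml
# Added example (not clockwork's actual workflow): top-level read-only
# permissions as described in option 1 of the issue. Triggers, action
# versions and the CodeQL job are assumptions for illustration.
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Weak setting: omitting this key entirely means every job's GITHUB_TOKEN
# inherits the repository default, which is write-all on many older repos.
#
# Hardened setting: with this key present, the token only gets what is
# listed. `permissions: read-all` or `permissions: {}` (no scopes at all)
# are also valid here; `contents: read` is the minimum actions/checkout needs.
permissions:
  contents: read

jobs:
  unit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # read-only clone is enough
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go test -race ./...

  # A job that genuinely needs a write scope declares it here, so the
  # unit job above stays read-only. Uploading SARIF results to code
  # scanning requires security-events: write; nothing else is granted.
  sast:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

To confirm the change took effect, open any run of the workflow and expand the "Set up job" step: it prints the `GITHUB_TOKEN Permissions` the job actually received, which should list only the scopes declared above rather than the full write set. Option 2 (the repository setting) changes the inherited default for workflows that have no `permissions` key, but an explicit top-level block in each file is what survives the repository being forked or the setting being changed later.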