Open pnacht opened 1 year ago
@juliusvonkohout: Closing this issue.
/reopen
since it is about github actions, not kubeflow pipelines
@juliusvonkohout: Reopened this issue.
/transfer notebooks
@pnacht: The label(s) kind/feature cannot be applied, because the repository doesn't have them.
/kind feature
Why you need this feature:
Kubeflow's workflows are running with write-all permissions. This puts the project at risk of supply-chain attacks.
I took a look at all the workflows and none of them seem to require significant permissions.
Describe the solution you'd like:
There are two solutions:
I'll send a PR setting top-level permissions for all workflows. If you also/instead want to change the default token:
Anything else you would like to add:
My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
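An added example, not part of the original issue or of Kubeflow's code: a small audit that flags workflow files whose jobs would run with the default token scope or with an explicit `write-all`. The sample workflows are constructed, the function name `audit` is hypothetical, and the line-based parsing assumes block-style YAML with space indentation.

```python
import re

KEY = re.compile(r"(\s*)([\w.-]+):\s*(.*)$")  # a block-style "key: value" line

def audit(text):
    """Return findings for one workflow file (block-style YAML assumed)."""
    top, jobs = None, {}          # top-level permissions value; job -> its value
    in_jobs, job, job_indent, child_indent = False, None, None, None
    for raw in text.splitlines():
        m = KEY.match(raw.split(" #", 1)[0].rstrip())   # drop trailing comments
        if not m:
            continue                                    # blank, comment, list item
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\"")
        if indent == 0:
            in_jobs, job = key == "jobs", None
            if key == "permissions":
                top = value       # "" when a mapping of scopes follows
        elif in_jobs:
            job_indent = job_indent or indent
            if indent == job_indent:                    # a new job id
                job, child_indent = key, None
                jobs[job] = None
            elif job:
                child_indent = child_indent or indent
                if indent == child_indent and key == "permissions":
                    jobs[job] = value
    findings = []
    if top == "write-all":
        findings.append("top-level permissions: write-all")
    findings += [f"job '{j}' sets permissions: write-all"
                 for j, v in jobs.items() if v == "write-all"]
    bare = sorted(j for j, v in jobs.items() if v is None)
    if top is None and bare:
        findings.append("no permissions key; default token scope applies to: "
                        + ", ".join(bare))
    return findings

# Constructed sample workflows (not taken from any Kubeflow repository).
UNIT = "on: [pull_request]\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - run: make test\n"
PUBLISH = ("on: [push]\npermissions:\n  contents: read\njobs:\n  publish:\n"
           "    runs-on: ubuntu-latest\n    permissions:\n      packages: write\n"
           "    steps:\n      - run: make publish\n")
LINT = "on: [push]\npermissions: write-all  # explicit but too broad\njobs:\n  lint:\n    runs-on: ubuntu-latest\n"

if __name__ == "__main__":
    for name, text in [("unit", UNIT), ("publish", PUBLISH), ("lint", LINT)]:
        print(name, audit(text) or "ok")
```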