material-components / material-components-web

Modular and customizable Material Design UI components for the web
https://material.io/develop/web
MIT License

Set permissions for Github Workflows #8007

Closed joycebrum closed 10 months ago

joycebrum commented 1 year ago

Feature Request

GitHub grants by default all workflows' GITHUB_TOKEN write-all permissions. This allows an attacker to easily exploit these permissions in case of a compromised workflow.

Thus, it is both a recommendation from the OpenSSF Scorecard and GitHub itself to always use credentials that are minimally scoped.

This means setting the top-level permission as contents: read (usually enough for most actions) or even read-all, and granting any write permission at the job level.

Proposed solution

I would like to suggest a PR setting all the top level permissions as read only and grant any write permission needed at job level.

Let me know if you are interested in this change and I'll submit the PR as soon as possible.

Alternatives considered

None

Additional context

I'm working on behalf of Google and the OpenSSF to improve supply chain security in many open source projects.
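A workflow laid out the way the request describes, with a read-only top-level token and a single job granted one write scope, as an added example that is not taken from the issue or from this repository's own CI (the workflow name, job names and steps are hypothetical):

```yaml
# Hypothetical workflow (added example, not from the repository).
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Before: no `permissions` block at all. With the repository default every
# job's GITHUB_TOKEN gets write access to all scopes (write-all), so a
# compromised step or third-party action in any job could push commits,
# edit releases or rewrite other workflows.
#
# After: the top level grants read-only access (contents: read), and only
# the job that genuinely needs to write is given exactly that scope.
permissions:
  contents: read

jobs:
  test:
    # Inherits the top-level read-only token; nothing here can write.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  comment:
    # The only job with a write scope, limited to pull-request comments.
    # A job-level `permissions` block replaces the top-level one rather than
    # merging with it, so `contents: read` is restated for the checkout step.
    if: github.event_name == 'pull_request'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: gh pr comment "$PR" --body "Tests passed on ${GITHUB_SHA}"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```

Leaving a scope out of a job-level block sets it to none, so the job-level list is the complete set of what that job's token can do.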

joycebrum commented 1 year ago

Hi! This issue has been idle for quite some time. Do you plan on considering these changes? If so, just let me know and I'll be happy to submit a PR. Otherwise I will wait up to 2 more months to close the issue. Let me know if you'd rather keep it open as "not planned" for later. Thanks!