microsoft / tslib

Runtime library for TypeScript helpers.
BSD Zero Clause License

CI: set minimal permissions for GitHub Workflows #197

Closed diogoteles08 closed 1 year ago

diogoteles08 commented 1 year ago

Hi!

I'm here to suggest the definition of minimal permissions on your workflows, as it would harden your security against supply-chain attacks.

The idea is to update your workflows to set top-level read-only permissions that would be inherited by all jobs that don't declare their permissions; and for the jobs that require any write permissions, they'd be given at job level. Defining minimal permissions would enhance security against erroneous or malicious actions from external jobs you call from your workflow. It's especially important in case they get compromised, for example.

Setting minimum permissions for workflows is recommended by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.

I'd be happy to raise a PR with the changes if you agree.

Context

I'm Diogo and I work on Google's Open Source Security Team (GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊
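The pattern described in the comment above, as an added illustration that is not part of this issue, the linked PR, or the tslib repository's own workflows: a workflow-level `permissions` block restricts the `GITHUB_TOKEN` to read-only for every job that does not declare its own, and the single job that needs to write declares exactly the scope it needs. The workflow, job and step names, the trigger conditions, and the commands are assumptions made for the example.

```yaml
# Added example (hypothetical workflow, not tslib's CI).
#
# Without a `permissions` block, the GITHUB_TOKEN handed to every job gets the
# repository's default token permissions, which may be read/write on most
# scopes. Any action or script the job runs then inherits that token.
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default: applies to every job that does not set its own
# `permissions`. Scopes not listed here are set to `none`.
permissions:
  contents: read

jobs:
  test:
    # Inherits the top-level read-only token: enough to check out the code.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test

  release:
    # The only job that needs to write. A job-level `permissions` block
    # replaces the workflow-level one for this job rather than merging with
    # it, so list every scope the job needs and nothing more.
    needs: test
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed to push a tag or create a release
    steps:
      - uses: actions/checkout@v4
      - run: echo "release step would go here (placeholder)"
```

With this layout, a third-party action pulled into the `test` job runs with a token that cannot modify the repository, so a compromised or misbehaving dependency in that job is limited to reading what it could already read; only the `release` job carries a write-capable token, and only for the `contents` scope.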

diogoteles08 commented 1 year ago

Hey! This issue has been idle for quite some time. Do you plan on considering these changes? Otherwise I will wait up to 2 more months and then close the issue.

As the changes would be really simple, I've taken the liberty of already creating a PR that should make it easier to preview them.

Thanks!