mm2 / Little-CMS

A free, open source, CMM engine. It provides fast transforms between ICC profiles.
https://www.littlecms.com
MIT License

CI: Set minimal permissions to your GitHub Workflows #366

Closed diogoteles08 closed 1 year ago

diogoteles08 commented 1 year ago

Hello!

I'm Diogo and I work on Google's Open Source Security Team (GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊

I'm here to suggest the definition of minimal permissions on your workflows, as it would harden your security against supply-chain attacks. The idea is to update your workflows to set top-level read-only permissions that would be inherited by all jobs that don't declare their permissions; and for the jobs that require any write permissions, they'd be given at job level. Defining minimal permissions would enhance security against erroneous or malicious actions from external jobs you call from your workflow. It's especially important for the case they get compromised, for example.

Setting minimum permissions for workflows is recommended by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.

Please let me know what you think about this change, I'd be happy to raise a PR with it if you agree.
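The layout described above (top-level read-only `permissions`, with write scopes granted only on the job that needs them), shown as an added illustration that is not the workflow from this repository or from PR #368. The job names, the `release` trigger and the use of `softprops/action-gh-release` are assumptions made for the example; the `permissions` keys themselves (`contents`, `pull-requests`, `id-token`) are the real GitHub Actions scopes.

```yaml
# Added example of a minimally permissioned workflow (not Little-CMS's own file).
#
# Without a top-level `permissions:` block, every job receives the repository's
# default GITHUB_TOKEN permissions, which on older repositories is write access
# to most scopes. Any third-party action invoked by any job then runs with that
# token. Declaring permissions here overrides that default for the whole file.
name: ci

on:
  push:
    branches: [master]
  pull_request:
  release:
    types: [published]

# Top-level default: read-only. Every job that does not declare its own
# `permissions:` inherits exactly this and nothing more.
permissions:
  contents: read

jobs:
  # Build/test job: needs only to check out the source, so it inherits the
  # read-only default above and declares nothing.
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Configure and build
        run: |
          ./configure
          make
          make check

  # Publishing job: the only job that must write to the repository, so it
  # asks for `contents: write` at job level. This grant does not leak to
  # `build`, and a compromised action in `build` still holds a read-only token.
  publish:
    if: github.event_name == 'release'
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write   # required to attach assets to the release
    steps:
      - uses: actions/checkout@v4
      - name: Build release tarball
        run: |
          ./configure
          make dist
      # Hypothetical release step; the action and its inputs are assumptions.
      - uses: softprops/action-gh-release@v2
        with:
          files: "*.tar.gz"
```

A quick check of the effect: GitHub prints the resolved token permissions at the start of every job log under "GITHUB_TOKEN Permissions", so after such a change the `build` job should list only `Contents: read` while `publish` lists `Contents: write`. Scorecard's `Token-Permissions` check flags any workflow file that lacks a top-level read-only block, which is also how the loss of the earlier change in this thread would have surfaced.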

mm2 commented 1 year ago

Hello Diogo, thanks for contacting. Of course it will help a lot if you can setup a PR so after code scrutiny we could integrate it. Thanks for your help!

diogoteles08 commented 1 year ago

Sure! I'll raise a PR shortly =)

mm2 commented 1 year ago

Thanks for the PR, will merge it soon

diogoteles08 commented 1 year ago

Hey @mm2, I'm coming back to this issue because it seems like the changes of my PR #368 are not in the code anymore. However, I looked into the commit history and there is no commit directly removing the changes. Was the removal intentional? If not, I'd be happy to raise a new PR fixing it.

mm2 commented 1 year ago

@diogoteles08 Many thanks for pointing that out, I didn't notice those changes were lost. No, it was not intentional; I assume the PR I accepted for the meson build broke the file. It would be great if you could manage to set up a PR. Thanks again!

diogoteles08 commented 1 year ago

Great! I've just opened a new PR on this.

My core job is to look over important OSS projects and suggest security enhancements, so I'll be around to suggest and possibly implement changes like this one. However, if you'd like to take a closer look yourself into the security posture of your repo, you can use the Scorecard GitHub Action. It would automatically run some security checks over your repo and propose fixes directly on your Security Tab. As an example, it would have alerted you when my changes on the permissions were lost.

Additionally, if you decide to make the security changes yourself, your changes might be eligible for financial rewards through Secure Open Source Rewards 😄.