nlohmann / json

JSON for Modern C++
https://json.nlohmann.me
MIT License
42.01k stars 6.63k forks

Set minimal permissions to Github Workflows #3971

Closed joycebrum closed 1 year ago

joycebrum commented 1 year ago

Description

I would like to also suggest another supply-chain security practice, if I may, which is to use credentials that are minimally scoped.

This is one aspect of supply-chain security checked by the OpenSSF Scorecard and also strongly recommended by GitHub Security.

Thus, setting top-level permissions to contents: read, with all write permissions granted at the run level, is a simple but important practice for GitHub Workflows.

I'll suggest a PR with the permission changes to make them easier to understand, so let me know if you have any doubts or concerns.

Reproduction steps

None

Expected vs. actual results

Expected:

GITHUB_TOKEN to be initialized with minimal permissions

Actual: GITHUB_TOKEN has all write permissions

Minimal code example

permissions:
    contents: read

Error messages

No response

Compiler and operating system

None

Library version

None

Validation
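As an added illustration that is not part of this issue and not one of the nlohmann/json repository's own workflow files: a hypothetical workflow in which the top-level permissions block makes the GITHUB_TOKEN read-only for every job, and the single job that actually needs to write declares that scope at job level. The workflow name, job names, build commands and the pull-requests: write scope are assumptions chosen for illustration; actions/checkout@v4 and the permission keys are the real GitHub Actions names.

```yaml
# Hypothetical workflow (added example, not a file from the project).
name: ci

on:
  pull_request:
  push:
    branches: [develop]

# Top-level default that every job inherits unless it overrides it:
# the GITHUB_TOKEN can only read repository contents. This is the
# minimally scoped setting the issue asks for.
permissions:
  contents: read

jobs:
  build:
    # Inherits the read-only token; nothing here can push, tag, or
    # comment even if a step or a third-party action is compromised.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cmake -S . -B build && cmake --build build   # assumed build step

  comment:
    # The one job that needs to write. A job-level permissions block
    # REPLACES the top-level block rather than merging with it, so any
    # scope the job still relies on (contents: read for checkout) must
    # be repeated here; scopes not listed default to none.
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "would post a PR comment with a token limited to pull-requests: write"
```

The check a reviewer would apply to each workflow in .github/workflows: confirm a top-level permissions block exists and grants read-only scopes, and that every write scope appears only inside the job that uses it. The OpenSSF Scorecard Token-Permissions check reports workflows that lack a top-level permissions block or grant write scopes at the top level.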