Closed. mhdawson closed this issue 1 year ago.
Add branch protection for both node-addon-api and node-addon-examples. (For GitHub, check out the steps here.) Branches listed: main, v2.x-staging, v1.x-staging, main; repository: node-addon-api.
PR to add boilerplate files to node-addon-examples - https://github.com/nodejs/node-addon-examples/pull/213
@KevinEady can you expand a bit on "Make GitHub Actions CI workflow tokens read-only"?
PR to add best practices to node-addon-api - https://github.com/nodejs/node-addon-examples/pull/214
Hi @mhdawson,
"... can you expand a bit on 'Make GitHub Actions CI workflow tokens read-only'"
From "Assigning permissions to jobs" (GitHub Docs): "You can use `permissions` to modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access."
This is for the principle of least privilege, as discussed in the Token-Permissions Check documentation.
This was mostly addressed by the SecurityBot PR https://github.com/nodejs/node-addon-examples/pull/214, e.g. https://github.com/nodejs/node-addon-examples/pull/214/commits/a05f82c2fc9fc2b6b3668de65ce057b053fab6c8#diff-e98936aa52a6dd7416e4296e9628456227d834f7245967383fd9ff80fd985dadR9-R11, but it skipped a workflow that I added to the PR in this commit.
So once this PR is merged, we can say that the Token-Permissions issue has been addressed and we will receive full points.
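As an added illustration of the Token-Permissions point discussed above (this is example YAML written for this page, not a workflow from node-addon-api or node-addon-examples), here is what a read-only GITHUB_TOKEN looks like in practice. The workflow name, job names, Node versions and the `npm test` / `gh pr comment` steps are placeholders chosen for the example.

```yaml
# Added example, not from the nodejs repositories. The weak version that
# Scorecard's Token-Permissions check flags is simply this file with NO
# top-level `permissions:` block: every job then inherits the repository
# default, which on older repositories is "Read and write permissions"
# (a token that can push to branches, edit issues and publish packages).
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default for every job: contents read-only, everything else
# none. `contents: read` is the minimum actions/checkout needs to clone.
# `permissions: {}` would be stricter still if no job had to read the repo.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node: [18, 20]    # placeholder versions
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
      - run: npm ci
      - run: npm test

  # A job that genuinely needs write access asks for it here, at job level, so
  # the escalation is local to one job and visible in review. Note that a
  # job-level `permissions` block REPLACES the workflow default rather than
  # merging with it, so `contents: read` has to be restated.
  comment:
    needs: test
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # the one extra scope this job needs; all others stay "none"
    steps:
      - env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: gh pr comment "$PR" --repo "$REPO" --body "CI passed"
```

Two caveats worth knowing when applying this to a real repository: the Scorecard check scores the top-level `permissions` block and then looks for write scopes in jobs, so scoping writes per job (as above) keeps the points, whereas a top-level `contents: write` loses them; and `pull_request` runs triggered from forks receive a read-only token regardless of what the file requests, so a write scope like `pull-requests: write` only takes effect for branches in the same repository.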
@KevinEady I think I merged the PR you mentioned, so we should be able to close this now?
https://deps.dev/project/github/nodejs%2Fnode-addon-api https://deps.dev/project/github/nodejs%2Fnode-addon-examples