pytorch / cpuinfo

CPU INFOrmation library (x86/x86-64/ARM/ARM64, Linux/Windows/Android/macOS/iOS)
BSD 2-Clause "Simplified" License

Set read-only workflow permissions #145

Closed pnacht closed 1 year ago

pnacht commented 1 year ago

Currently, cpuinfo's build.yml workflow runs with write-all permissions. This is dangerous, since it opens the project up to supply-chain attacks. GitHub itself recommends ensuring all workflows run with minimal permissions.

The workflow seems to only build the package in different architectures, and as such doesn't require broad permissions.

This issue can be solved in two ways:

I'll be sending a PR along with this issue that sets the top-level permissions. If you instead (or also) wish to modify the default token permissions:

  1. Open the repo settings
  2. Go to Actions > General
  3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
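For readers unfamiliar with the first option the issue describes, the following is an added example of a build-only GitHub Actions workflow with a top-level read-only `permissions` block. It is not cpuinfo's actual `build.yml`; the workflow name, the build commands and the action version are assumptions made for illustration.

```yaml
# Added example (not the project's own workflow): a minimal CI workflow
# whose GITHUB_TOKEN is scoped to read-only at the top level.
name: build          # assumed workflow name

on:
  push:
  pull_request:

# The risky configuration the issue reports would look like this:
# permissions: write-all
#
# Instead, set a top-level default that every job inherits. A workflow
# that only compiles the code needs nothing beyond read access to the
# repository contents in order to check out the source.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Configure and build    # assumed build commands
        run: |
          cmake -B build -S .
          cmake --build build
```

The top-level block is the default for all jobs; if a single job later needs more (for example, to publish a package), add a `permissions:` block inside that job only, so the elevated scope is limited to the step that requires it rather than granted to the whole workflow. The repository-level setting described in steps 1 to 3 of the issue changes the default for workflows that declare no `permissions` block at all; a workflow that sets its own block still controls its own token scope.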

Maratyszcza commented 1 year ago

@malfet Can you set the default token permissions?

malfet commented 1 year ago

@Maratyszcza changed permissions to "Read repository contents and packages permissions"