tensorflow / addons

Useful extra functionality for TensorFlow 2.x maintained by SIG-addons
Apache License 2.0

Set permissions to GITHUB_TOKEN #2847

Closed joycebrum closed 11 months ago

joycebrum commented 11 months ago

Hi, I'm Joyce, from the Google Open Source Security Team (GOSST). Setting the GITHUB_TOKEN permission is one of the OSSF Scorecard recommendations, called the Token-Permissions check.

The default permissions given to GITHUB_TOKEN are write-all, which can be exploited by an attacker in case of a compromised action.

To mitigate this risk it is important to use credentials that are minimally scoped.

I'll submit a PR together with the issue. Thanks.
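The mitigation described in the comment above, as an added example that is not the PR submitted for this issue and not a workflow from the tensorflow/addons repository. Workflow name, job names, the `make test` and `./scripts/post-pr-comment.sh` steps are illustrative assumptions; the point is the `permissions` keys. When a workflow declares `permissions`, every scope it does not list is set to `none`, so the top-level `contents: read` becomes the ceiling for every job, and only the one job that needs to write a pull-request comment is granted that single extra scope:

```yaml
# Added example, not code from this issue or repository.
# Job names and steps are placeholders chosen for illustration.
name: ci

on:
  pull_request:
  push:
    branches: [master]

# Top-level default for every job in this workflow. Without this key the
# token falls back to the repository-wide setting, which the issue reports
# as write-all: a compromised action in any job could then push commits,
# edit releases or open pull requests with the token it is handed.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits contents: read only; no write scope exists in this job.
    steps:
      - uses: actions/checkout@v3
      - run: make test   # assumed build/test entry point

  report:
    runs-on: ubuntu-latest
    needs: test
    # Elevate exactly one scope, only in the job that needs it.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v3
      - run: ./scripts/post-pr-comment.sh   # assumed helper script
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two practical checks: every workflow file under `.github/workflows/` needs its own top-level `permissions` key, since the Scorecard check is per workflow and a single file without it still inherits the repository default; and the repository default itself is visible under Settings, Actions, General, "Workflow permissions", where it can be switched to read-only so that the workflow-level key is defence in depth rather than the only guard.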

bhack commented 11 months ago

Hi, thank you for the PR. We will check it soon.