w3c / IntersectionObserver

Intersection Observer
https://www.w3.org/TR/intersection-observer/

Set minimum permissions for workflows #507

Closed gabibguti closed 1 year ago

gabibguti commented 1 year ago

Setting minimum permissions for workflows is important to keep your repository safe against supply-chain attacks. GitHub gives a GITHUB_TOKEN to workflows to perform actions. The problem is that GITHUB_TOKEN is granted higher permissions by default, opening the way to supply-chain attacks. If you agree, I can try to adjust the permissions for the auto-publish.yml workflow in a PR :)

This setting is considered good-practice and recommended by GitHub itself and by other security tools, such as Scorecards and StepSecurity.

Additional context: About me, I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
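As an illustration of the change proposed above (an added example, not the repository's own auto-publish.yml, whose contents are not part of this issue): a workflow that starts from a read-only GITHUB_TOKEN at the top level and grants a write scope only to the single job that needs it. The workflow name, trigger, job name and steps are assumed.

```yaml
# Added example, not the repository's auto-publish.yml (contents unknown here).
name: publish  # assumed name

on:
  push:
    branches: [main]  # assumed trigger

# Workflow-level default for GITHUB_TOKEN. Without a `permissions` block the
# token falls back to the repository/organization default, which can be
# read and write on every scope (contents, packages, pull-requests, ...).
# Declaring it here makes every job start from read-only access to contents
# and no access to any other scope.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the read-only default: building needs nothing more.
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh  # assumed build step

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Job-level override: only this job can write to the repository, and only
    # the one scope it needs. Adding a scope is an explicit, reviewable diff
    # instead of silently relying on a permissive default.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./publish.sh  # assumed step that uses ${{ secrets.GITHUB_TOKEN }}
```

A quick self-check after the change: the job log's "GITHUB_TOKEN Permissions" section at the top of each job lists the effective scopes, so a job that still shows `write` on scopes it does not use has not yet been minimized.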

gabibguti commented 1 year ago

Hi! Friendly ping here. This issue has been idle for quite some time. Do you plan on considering these changes? If yes, please let me know! Otherwise I will wait up to 2 more months to close the issue. Thanks!

miketaylr commented 1 year ago

@gabibguti sure, a PR would be cool. Thanks.