yaml / pyyaml

Canonical source repository for PyYAML
MIT License

Set permissions for Github Workflows #738

Open joycebrum opened 11 months ago

joycebrum commented 11 months ago

Hi, I work at Google together with the OpenSSF to help open source projects improve their supply chain security by using the OpenSSF Scorecard as a guide.

I would like to suggest a PR to change the top-level and run-level permissions for GitHub workflows to only grant write permissions at the run level.

This is necessary because, by default, GitHub grants write-all permissions to all workflows, which could be exploited by an attacker if a workflow is compromised. Limiting permissions is a simple and effective way to limit the impact of a compromised workflow.

Therefore, both the OpenSSF Scorecard and GitHub recommend using minimally scoped credentials.

Please let me know if you have any questions or concerns.
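The change this issue asks for, shown as an added illustration that is not the proposed PR and not PyYAML's real workflow file (the workflow name, jobs and steps below are constructed for the example): a minimal GitHub Actions workflow before and after the permissions change. The "before" form has no `permissions` key, so every job's `GITHUB_TOKEN` inherits the repository default, which is write-all unless the repository settings say otherwise. The "after" form sets a read-only default at the top level and grants write access only to the one job that needs it, on the one scope it needs.

```yaml
# .github/workflows/ci.yml (BEFORE) -- constructed example, not PyYAML's file.
# No `permissions` block: the GITHUB_TOKEN handed to every job below carries
# whatever the repository default is, typically write access to contents,
# packages, pull requests and more. A compromised step in `test` could use it.
name: ci-before
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest
```

```yaml
# .github/workflows/ci.yml (AFTER) -- constructed example, not PyYAML's file.
# Top-level block: every job starts with a read-only token for repository
# contents and no access to any other scope (scopes not listed are denied
# once a `permissions` block is present).
name: ci-after
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the top-level read-only grant; nothing extra needed here.
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest
  release:
    # Hypothetical job that must write: only this job, and only the
    # `contents` scope, is elevated. Jobs that do not need to write never
    # hold a write-capable token.
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "upload release assets here (placeholder step)"
```

Two practical notes on the "after" form. First, `permissions: {}` at the top level is the strictest starting point (no scopes at all) and is appropriate when no job needs even `contents: read`, but `actions/checkout` on a private repository does need it, so `contents: read` is the usual baseline. Second, a job-level `permissions` block replaces the top-level one for that job rather than merging with it, so a job that writes to one scope must restate any other scope it still needs, such as `contents: read` alongside `pull-requests: write`.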

joycebrum commented 11 months ago

If a PR is welcome let me know and I'll submit it ASAP

diogoteles08 commented 8 months ago

Hi! I'm Diogo and I work along with Joyce in Google’s Open Source Security Team.

This issue has been idle for a while. Do you plan on considering this suggestion? Since the changes are actually very simple, I'll take the liberty to raise a PR with them and possibly ease your evaluation =)

Thanks!