ReactiveX/rxjs

Change workflow permissions to be minimally scoped.

joycebrum opened this issue · 0 comments

Describe the bug

It is a known behavior of GitHub workflows to grant write-all permission. Since it can be exploited by an attacker, it is considered a good practice to always use credentials that are minimally scoped. This is a recommendation from both the OpenSSF Scorecard and GitHub.

Expected behavior

I've noticed the rebase.yml is following this practice: the top level permission is set to read and the write permission needed is granted on the job level.

I want to apply the same to the ci_main.yml and ci_ts_latest.

I'll submit a PR with the changes and will be available for any questions or concerns, as well as any requested changes!

Thanks!

Reproduction code

No response

Reproduction URL

No response

Version

None

Environment

No response

Additional context

No response
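
The pattern the issue describes (top-level read, write granted only on the job that needs it), shown as an added example that is not part of the original issue and not taken from the rxjs repository. The workflow name, job names, trigger and tag scheme are constructed for illustration.

```yaml
# Constructed example workflow, not a file from ReactiveX/rxjs.
name: ci-example

on:
  push:
    branches: [master]

# Top-level default for every job in this workflow.
# Without this block the GITHUB_TOKEN falls back to the repository or
# organization default, which the issue above describes as write-all.
permissions:
  contents: read

jobs:
  test:
    # No job-level block: inherits the read-only default above.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test

  tag-build:
    needs: test
    runs-on: ubuntu-latest
    # Job-level block replaces the top-level one for this job only.
    # Any scope not listed here is set to none, so list exactly what
    # the steps use: pushing a tag needs contents: write.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: |
          git tag "build-${GITHUB_RUN_NUMBER}"
          git push origin "build-${GITHUB_RUN_NUMBER}"
```

With this layout a compromised dependency or action running in `test` only ever sees a read-only token; the write-capable token exists solely inside `tag-build`.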