Set github workflow permissions to least privileges

Question

Set github workflow permissions to least privileges

joycebrum opened this issue a year ago · 2 comments

I would like to suggest setting the permissions to the github workflows (the build.yml file) as read only on the top level and any write permission be given at the run level.

This is necessary due to a behavior of github workflow to grant to GITHUB_TOKEN write permissions to all types of permissions, regardless of they being used or not. In case of the workflow getting compromised, an attacker can exploit this permissions.

Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.

If that's ok for you let me know and I'll submit a PR with the changes.

Disclosure: I'm from Google, working with the OpenSSF to help many open source projects to increase their supply-chain security.

Answer 1 · 2023-03-15T06:21:04.000Z

Yes please go ahead and submit a PR and I'll take a look at it.

Answer 2 · 2023-04-20T15:32:55.000Z

Has been merged, sorry for forgetting about it, happened while I was travelling in Japan.