Set permissions to GITHUB_TOKEN
joycebrum opened this issue · 1 comments
joycebrum commented
Hi, I'm Joyce, from the Google Open Source Security Team (GOSST). Setting the GITHUB_TOKEN permissions is one of the OSSF Scorecard recommendations, called the Token-Permissions check.
The default permissions given to GITHUB_TOKEN are write-all, which can be exploited by an attacker in case of a compromised action.
To mitigate this risk it is important to use credentials that are minimally scoped.
I'll submit a PR together with the issue. Thanks.
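For reference, the change the Token-Permissions check asks for looks like the following. This is an added illustration, not the PR's contents or this project's workflow; the workflow name, job names and the `make` targets are placeholders.

```yaml
# Added example, not the project's own workflow. Names and commands are placeholders.
#
# Without a `permissions:` key, GITHUB_TOKEN receives the repository's default
# scopes, which historically means write access to contents, packages,
# pull requests and more. Any action step in the job can then use that token.
name: ci
on: [pull_request]

# Workflow-level default: every job starts read-only (`permissions: {}` would
# remove all scopes). Jobs that need more must ask for it explicitly below.
permissions: read-all

jobs:
  test:
    runs-on: ubuntu-latest
    # Tests only need to clone the repository, so no write scope is granted.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: make test

  comment-results:
    runs-on: ubuntu-latest
    needs: test
    # Only this job can write, and only to pull requests; the token still
    # cannot push commits, publish packages or edit other resources.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: make report-to-pr
```

Job-level `permissions` can only grant scopes that the workflow-level block allows the job to elevate to, so a compromised step in `test` cannot reuse the write scope given to `comment-results`.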
bhack commented
Hi, thank you for the PR. We will check it soon.