You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi, I work with Google and the OpenSSF to improve supply-chain security on many open source projects.
The supply-chain security improvement I would like to suggest is basically set up the permissions to the github workflows as read only on the top level and any write permission be given at the run level.
This is necessary due to a behavior of github workflow to grant to GITHUB_TOKEN write permissions to all types of permissions, regardless of they being used or not. In case of the workflow getting compromised, an attacker can exploit this permissions.
Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.
I'll soon submit a PR to show the changes I listed above. Please, feel free to reach me out in case of any doubts or concerns.
The text was updated successfully, but these errors were encountered:
Hi, I work with Google and the OpenSSF to improve supply-chain security on many open source projects.
The supply-chain security improvement I would like to suggest is basically set up the permissions to the github workflows as read only on the top level and any write permission be given at the run level.
This is necessary due to a behavior of github workflow to grant to GITHUB_TOKEN write permissions to all types of permissions, regardless of they being used or not. In case of the workflow getting compromised, an attacker can exploit this permissions.
Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.
I'll soon submit a PR to show the changes I listed above. Please, feel free to reach me out in case of any doubts or concerns.
The text was updated successfully, but these errors were encountered: