Hi, I work at Google together with the OpenSSF to help open source projects improve their supply chain security by using the OpenSSF Scorecard as a guide.
I would like to suggest a PR to change the top-level and run-level permissions for GitHub workflows to only grant write permissions at the run level.
This is necessary because, by default, GitHub grants write-all permissions to all workflows, which could be exploited by an attacker if a workflow is compromised. Limiting permissions is a simple and effective way to limit the impact of a compromised workflow.
Therefore, both the OpenSSF Scorecard and GitHub recommend using minimally scoped credentials.
Please let me know if you have any questions or concerns.
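To make the suggestion concrete, here is an added illustration (not part of the issue or of any PR in this thread) of a GitHub Actions workflow before and after the change. The first job relies on the repository default, which for many repositories resolves to `write-all`; the second version declares `contents: read` at the top level so every job starts read-only, and grants write scopes only to the single job that needs them. Workflow name, job names and the `scripts/publish-site.sh` path are placeholders invented for this example.

```yaml
# --- BEFORE: no permissions key at all ---------------------------------
# With no "permissions" block, the GITHUB_TOKEN gets the repository's
# default scope, which is "write-all" unless the repo settings were
# tightened. Every job below, including the test job that only needs to
# read the checkout, could push commits, create releases or edit issues
# if its steps (or a compromised action it calls) were abused.
name: ci-before            # placeholder workflow name
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  deploy-pages:
    runs-on: ubuntu-latest
    needs: test
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish-site.sh   # placeholder script path

# --- AFTER: read-only by default, write only where required ------------
# The top-level block applies to every job that does not override it.
# "contents: read" is enough to check out the repository; any scope not
# listed is set to "none". The deploy job overrides the block with the
# minimal write scopes it actually uses, and only for that job.
name: ci-after             # placeholder workflow name
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  deploy-pages:
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: write      # needed to push the generated site
      pages: write         # needed to publish to GitHub Pages
      id-token: write      # needed for the Pages deployment token
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish-site.sh   # placeholder script path
```

Two points worth checking when applying this to a real repository: a job-level `permissions` block replaces the top-level one entirely rather than adding to it, so each overriding job must list every scope it needs (including `contents: read` if it checks out code); and a workflow that declares no `permissions` key anywhere is exactly the "default write-all" case the Scorecard `Token-Permissions` check flags, so the top-level block is the part that should never be omitted.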
Hi! I'm Diogo and I work along with Joyce in Google’s Open Source Security Team.
This issue has been idle for a while. Do you plan on considering this suggestion? Since the changes are actually very simple, I'll take the liberty to raise a PR with them and possibly ease your evaluation =)