laurentsimon
how about the scenario where `ref` is used and permissions are set to `XXX:write` but `XXX` is not `contents` or `packages`?
you're right, absolutely. I think I was assuming there are no secrets besides the default (permission-restricted) GitHub secret used in the PR.
spot on, we got an alert in the scanning dashboard now https://github.com/ossf/scorecard/blob/58865e959e3a782d3f3cd5a5ae952ac308c11a46/.github/workflows/integration.yml#L35-L35 @chrismcgehee would looking for `needs` field be enough to reduce false positives in this case? Or would it...
this should not be a very one to fix. Interested in giving it a try?
You should be able to use https://pkg.go.dev/github.com/rhysd/actionlint#Environment API to retrieve the environment.
you're right. We could maybe assume that the presence of an environment is enough. But if we think this is dangerous, then maybe leaving it as a risk that users...
Thanks for the report, and sorry for the late reply. I've missed your issue! What you suggest seems like a reasonable thing to do. The only drawback is that the...
@naveensrinivasan @azeemsgoogle @justaugustus any comment or thoughts on this?
Would anyone object if we returned inconclusive results for ecosystems not supported by dependabot and other tools? I think this is what `refuse to score a scenario that's impossible to...
to your last point: I would like to enable maintainers to explain their score/results, for example thru code annotation (or anything else really), so that we can provide that data...