browser-compat-data icon indicating copy to clipboard operation
browser-compat-data copied to clipboard

Published 20 hours ago verified publisher icon mdn

chore: Set permissions for GitHub actions

Open neilnaveen opened this issue 3 years ago • 2 comments

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

  • Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Signed-off-by: neilnaveen [email protected]

neilnaveen avatar Jun 25 '22 01:06 neilnaveen

Thank you for your pull request @neilnaveen! Welcome to the community. I am wondering, for workflows that are reused from mdn/workflows, should we not set these from that repo from the get go?

schalkneethling avatar Jun 26 '22 20:06 schalkneethling

Thank you for your pull request @neilnaveen! Welcome to the community. I am wondering, for workflows that are reused from mdn/workflows, should we not set these from that repo from the get go?

Yes, it needs to be set over there. I don't know if it also has to be set here. Thanks

neilnaveen avatar Jul 04 '22 19:07 neilnaveen