node-v8 icon indicating copy to clipboard operation
node-v8 copied to clipboard

Published 20 hours ago verified publisher icon nodejs

ci: add minimum GitHub token permissions for workflow

Open ashishkurmi opened this issue 3 years ago • 0 comments

Description

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using secure-workflows.

The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes. Here is an example of the permissions in one of the workflow runs: https://github.com/nodejs/node-v8/actions/runs/3167512719/jobs/5158057075#step:1:19

After this change, the scopes will be reduced to the minimum needed for the following workflow:

  • update-canary.yml

Motivation and Context

  • This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
  • GitHub recommends defining minimum GITHUB_TOKEN permissions.
  • The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.

Signed-off-by: Ashish Kurmi [email protected]

ashishkurmi avatar Oct 02 '22 21:10 ashishkurmi