Varun Sharma

Results: 61 issues of Varun Sharma

### Description

This PR adds specific permissions to the existing workflows under .github/workflows

### Background

GitHub provides a [feature](https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/) to set permissions for the GITHUB_TOKEN. I have implemented a [GitHub...

## Pre-requisites

- [X] Prior to submitting a new workflow, please apply to join the GitHub Technology Partner Program: [partner.github.com/apply](https://partner.github.com/apply?partnershipType=Technology+Partner).

---

### **Please note that at this time we are...

code-scanning

The ossf/scorecard project will [add recommended fixes](https://github.com/ossf/scorecard/issues/1850) for security issues in the SARIF file. In such cases,

1. Is it possible to show a "Copy code snippet" button in the...

**What issue type does this pull request address?** (keep at least one, remove the others)

/kind enhancement

**What does this pull request do? Which issues does it resolve?** (use `resolves...

This PR

1. Adds the [harden-runner](https://github.com/step-security/harden-runner) GitHub Action to the `test.yml` workflow.
2. Sets the token permission for the workflow to `contents: read`. This is a security best practice and gets...

This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.

GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows:

- https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
- https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
- The Open Source...

GitHub asks developers to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks. The Open Source Security Foundation (OpenSSF) [Scorecards](https://github.com/ossf/scorecard) also treats not setting token...

This PR adds specific permissions to the existing workflows under .github/workflows.

### Background

I am the founder of [Step Security](https://www.stepsecurity.io), and have implemented a [GitHub App](https://github.com/apps/step-security) to automatically restrict permissions...

This PR makes two changes to the test_suite.yml workflow

1. Adds minimum token permissions for the `GITHUB_TOKEN`. This is a security best practice as per the [GitHub Actions Hardening Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#restricting-permissions-for-tokens) and...
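The two changes these PRs describe (a minimum `permissions:` block for the GITHUB_TOKEN, and harden-runner as the first step of a job) are shown together below as an added example workflow. It is not code from any PR listed on this page; the workflow name, job names, the `npm test` command and the `@v2` / `@v4` version tags are assumptions.

```yaml
# Added example, not taken from any PR on this page.
# Workflow name, job names, the test command and version tags are placeholders.
name: Tests

on:
  pull_request:
  push:
    branches: [main]

# Weak setting: omitting `permissions:` entirely. The GITHUB_TOKEN then
# inherits the repository's default, which for older repositories was
# read/write on every scope, so a compromised step or dependency could
# push commits, publish releases or edit packages.
#
# Hardened setting: declare the minimum at the workflow level. Every job
# gets only `contents: read` unless it explicitly widens its own scope.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # harden-runner goes first so it observes all later network egress.
      # `egress-policy: audit` only records outbound connections; switch to
      # `block` with an `allowed-endpoints` list once the baseline is known.
      # `@v2` is the major-version tag; in a real repository pin to a full
      # commit SHA so the action cannot change underneath the workflow.
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit

      - uses: actions/checkout@v4
      - run: npm test

  # A job that genuinely needs write access widens its scope at the job
  # level rather than loosening the workflow-wide default.
  release:
    needs: test
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - run: echo "release step goes here"
```

One check worth running after adding the top-level block: any job that previously relied on the permissive default (publishing to GitHub Packages, commenting on PRs, uploading SARIF) will now fail with a 403 until it declares the specific scope it needs, which is the intended effect and a useful inventory of what each job actually touches.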

stale

As part of increasing confidence that the build artifact is reproducible (and has not been tampered with during the build), would you like to add a reproducible build badge to Scorecard? I...