
Set permissions for Github Workflows

Open joycebrum opened this issue 2 years ago • 2 comments

Hi, I work at Google together with the OpenSSF to help open source projects improve their supply chain security by using the OpenSSF Scorecard as a guide.

I would like to suggest a PR to change the top-level and run-level permissions for GitHub workflows to only grant write permissions at the run level.

This is necessary because, by default, GitHub grants write-all permissions to all workflows, which could be exploited by an attacker if a workflow is compromised. Limiting permissions is a simple and effective way to limit the impact of a compromised workflow.

Therefore, both the OpenSSF Scorecard and GitHub recommend using minimally scoped credentials.

Please let me know if you have any questions or concerns.

joycebrum, Aug 03 '23 18:08

If a PR is welcome let me know and I'll submit it ASAP

joycebrum, Aug 03 '23 18:08
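The change being proposed, shown as an added illustration rather than a patch from this issue or from the pyyaml repository: the first document is a workflow with no `permissions` block, so every job runs with the repository's default `GITHUB_TOKEN` scope; the second restricts the token to `contents: read` at the top level and grants `contents: write` only to the one job that publishes a release. Workflow, job and step names (`ci-before`, `ci-after`, `test`, `release`) are hypothetical, and the release step is only there to show a job that legitimately needs write access.

```yaml
# Added example, not code from the pyyaml project. The two YAML documents
# below stand for two separate workflow files; names are hypothetical.

# --- Before: no `permissions` key anywhere, so every job gets the
# --- repository default scope for GITHUB_TOKEN. If a step or third-party
# --- action in `test` is compromised, the token it holds can push commits,
# --- create releases, or publish packages.
name: ci-before
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest

---
# --- After: read-only token for the whole workflow, write scope only
# --- where it is actually needed.
name: ci-after
on:
  push:
    tags: ['v*']
  pull_request:

# Top level: every job inherits a read-only token unless it overrides this.
# (`permissions: read-all` would also work; listing scopes is explicit.)
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # No job-level `permissions`, so this job keeps `contents: read`.
    # actions/checkout only needs read access to the repository.
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest

  release:
    needs: test
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    # Job level: a `permissions` block here REPLACES the top-level one for
    # this job, so any scope not listed becomes `none`. List every scope
    # the job needs; `contents: write` is required to create a release.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      # `gh` is preinstalled on GitHub-hosted runners and reads GH_TOKEN.
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

Two points a reviewer checks when applying this pattern: a job-level `permissions` block does not merge with the top-level one, it replaces it, so a job that also commented on pull requests would have to add `pull-requests: write` itself; and the top-level block should never be `write-all`, because that is the setting the OpenSSF Scorecard `Token-Permissions` check flags.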

Hi! I'm Diogo and I work along with Joyce in Google’s Open Source Security Team.

This issue has been idle for a while. Do you plan on considering this suggestion? Since the changes are actually very simple, I'll take the liberty to raise a PR with them and possibly ease your evaluation =)

Thanks!

diogoteles08, Oct 12 '23 20:10