
Set minimal permissions to Github Workflows #3971

Closed
joycebrum opened this issue Mar 9, 2023 · 0 comments · Fixed by #3972
Labels: kind: bug; solution: proposed fix (a fix for the issue has been proposed and waits for confirmation)

Comments

@joycebrum (Contributor)

Description

I would also like to suggest another supply-chain security practice, if I may, which is to use credentials that are minimally scoped.

This is one aspect of supply-chain security checked by the OpenSSF Scorecard and also strongly recommended by GitHub Security.

Thus, setting top-level permissions to `contents: read` and granting all write permissions at run level is a simple but important practice for GitHub Workflows.

I'll suggest a PR with the permissions changes so they are easier to understand, so let me know if you have any doubts or concerns.

Reproduction steps

None

Expected vs. actual results

Expected:

GITHUB_TOKEN to be initialized with minimal permissions

Actual:
GITHUB_TOKEN has all write permissions

Minimal code example

permissions:
    contents: read

Error messages

No response

Compiler and operating system

None

Library version

None

Validation
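As an added example (not code from this issue or from the nlohmann/json repository), a workflow that applies the pattern described above: the token is read-only at the top level, and a write scope is granted only on the one job that needs it. The workflow name, job names, build steps and action versions are assumptions for illustration.

```yaml
# Added example, not from the repository; jobs and steps are assumptions.
name: ci

on:
  pull_request:
  push:
    branches: [develop]

# Without this block, GITHUB_TOKEN receives the repository's default token
# permissions, which in this issue's "Actual" case is write on every scope.
# Declaring it here makes read-only the baseline for every job below.
permissions:
  contents: read

jobs:
  build:
    # Inherits the read-only token: even if a step or a third-party action
    # in this job misbehaves, it cannot push, tag, comment or alter checks.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: cmake -S . -B build
      - run: cmake --build build
      - run: ctest --test-dir build

  label:
    # The only job that must write, so the elevated scope lives here rather
    # than at the top level. A job-level permissions block REPLACES the
    # top-level one entirely: any scope not listed here becomes "none", which
    # is why contents: read is repeated alongside pull-requests: write.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/labeler@v4
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
```

The OpenSSF Scorecard "Token-Permissions" check passes on the top-level block alone; job-level write scopes are reported but not penalized the same way, which is what makes this split the recommended shape.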

@joycebrum joycebrum changed the title Set minimal workflow permissions to Github Workflows Set minimal permissions to Github Workflows Mar 9, 2023
@nlohmann nlohmann added this to the Release 3.11.3 milestone Mar 13, 2023
@nlohmann nlohmann added the solution: proposed fix a fix for the issue has been proposed and waits for confirmation label Mar 13, 2023