Set GitHub Workflow permissions to read only
joycebrum opened this issue · comments
Hi, I'm from Google and I'm working with the OpenSSF to improve the supply chain security of many open source projects by following the OpenSSF Scorecard checks.
I would like to suggest a simple but important supply chain good practice, which is to always use minimally scoped permissions, because the default of `GITHUB_TOKEN` is write-all.
This way, even in the case of a compromised workflow, the attacker won't be able to do much.
Let me know if that's ok for me to submit a PR with this change and I'll do it ASAP.
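As an added illustration of the change being proposed (this is an example workflow, not a file from this repository): the top-level `permissions` key sets the default scope of `GITHUB_TOKEN` for every job, and a single job that genuinely needs to write can re-elevate just the scope it needs. The job names, step commands and `publish.sh` script are hypothetical.

```yaml
# Added example workflow; the job and script names are placeholders.
name: ci
on: [push, pull_request]

# Workflow-level default: GITHUB_TOKEN can only read repository contents.
# Without this key, the token gets the repository default, which is
# write on every scope unless the repository owner has changed it.
# `permissions: read-all` is the equivalent if every scope should be readable;
# `permissions: {}` grants nothing and forces every job to opt in.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the workflow-level `contents: read`; a compromised step here
    # cannot push commits, create releases or open pull requests with the token.
    steps:
      - uses: actions/checkout@v4
      - run: make test

  release:
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    # Only this job gets write access, and only on the one scope it needs.
    # A job-level `permissions` block replaces the workflow-level one entirely,
    # so list every scope the job requires here.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./publish.sh   # hypothetical script that creates the release
```

Two caveats worth checking when applying this: a job-level `permissions` block does not merge with the workflow-level one, so a job that needs `contents: write` and also reads packages must list both; and restricting `GITHUB_TOKEN` does nothing for personal access tokens or other credentials stored as repository secrets, which need their own least-privilege review.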
That's ok for you to do 👍