Hi!

I'm Diogo and I work on Google's Open Source Security Team(GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊

I see that your project currently have only one workflow, the ci.yml, but it is not specifying the permissions for its jobs, so their privileges are being determined by GitHub's defaults. If you define minimal permissions you would be secured against erroneous or malicious actions from external jobs you call from your workflow. It's specially important for the case they get compromised, for example.

The ideal would be to set a top-level read-only permission on all workflows, so that they would be inherited by any job that does not define job-level permissions. Currently your workflow doesn't seem to require any write permissions -- but in case you need them in the future, you can keep the top-level read-only permissions and add the required new permissions as job-level.

Setting minimum permissions for workflows is recommended by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.

Let me know what you think about this. I'd be happy to raise a PR with the changes if you agree.

Could you show the suggested changes? I guess, that's a one line of code?

Sure! I'll open a PR shortly. And yes, it would be a very simple change indeed.