Set minimal permissions to github workflow
joycebrum opened this issue · comments
I would like to suggest setting the permissions to the github workflows (currently the main.yml file) as read only on the top level and any write permission be given at the run level.
This is necessary due to a behavior of github workflow to grant to GITHUB_TOKEN write permissions to all types of permissions, regardless of they being used or not. In case of the workflow getting compromised, an attacker can exploit this permissions.
Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.
I'll submit a PR with the following changes, so feel free to raise any questions you might have.
Thanks!
Disclosure: I'm from Google, working with the OpenSSF to help many open source projects to increase their supply-chain security.