You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi! I'm from GOSST (Google Open Source Security Team) team and I'd like to contribute to uuid to in order to improve its supply-chain security.
My suggestion here is basically set up the permissions to the github workflows as read only on the top level and any write permission be given at the run level.
This is necessary due to a behavior of github workflow to grant to GITHUB_TOKEN write permissions to all types of permissions, regardless of they being used or not. In case of the workflow getting compromised, an attacker can exploit this permissions.
Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.
I'll soon submit a PR to show the changes I listed above. Please, feel free to reach me out in case of any doubts or concerns.
The text was updated successfully, but these errors were encountered:
Hi! I'm from GOSST (Google Open Source Security Team) team and I'd like to contribute to uuid to in order to improve its supply-chain security.
My suggestion here is basically set up the permissions to the github workflows as read only on the top level and any write permission be given at the run level.
This is necessary due to a behavior of github workflow to grant to GITHUB_TOKEN write permissions to all types of permissions, regardless of they being used or not. In case of the workflow getting compromised, an attacker can exploit this permissions.
Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.
I'll soon submit a PR to show the changes I listed above. Please, feel free to reach me out in case of any doubts or concerns.
The text was updated successfully, but these errors were encountered: