ci: add minimum GitHub token permissions for workflow #78

ashishkurmi · 2022-10-02T21:30:50Z

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using secure-workflows.

The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes. Here is an example of the permissions in one of the workflow runs:
https://github.com/qt/qtbase/actions/runs/3168920282/jobs/5160466776#step:1:19

After this change, the scopes will be reduced to the minimum needed for the following workflow:

This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
GitHub recommends defining minimum GITHUB_TOKEN permissions.
The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.

Signed-off-by: Ashish Kurmi [email protected]

Signed-off-by: Ashish Kurmi <[email protected]>

jonaski · 2022-10-25T17:50:23Z

ci: add minimum GitHub token permissions for workflow

45cf144

Signed-off-by: Ashish Kurmi <[email protected]>

ashishkurmi mentioned this pull request Oct 2, 2022

Fix token permissions for 100 critical open-source projects step-security/secure-repo#462

Open

Provide feedback