I'm Diogo and I work on the same Google team as Joyce, who raised #854.
I'm here to suggest that you set minimal permissions for your GitHub Workflow security-audit.yml, because currently it doesn't specify the permissions for its jobs and their privileges are being determined by GitHub's defaults. If you define minimal permissions, you would be secured against erroneous or malicious behaviours from external jobs you call from your workflow. It's especially important in case they get compromised, for example.
Since it's a very simple change, I'll raise a PR following this issue and it'll be easier to evaluate the modifications =)
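As an added illustration of the change being proposed (this is not the repository's actual security-audit.yml, whose contents are not shown here), a workflow skeleton with an explicit top-level `permissions` block; the job names, step commands and schedule are placeholders:

```yaml
# Illustrative skeleton, not the project's real workflow file.
name: security-audit

on:
  push:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # placeholder schedule

# Without this block, GITHUB_TOKEN gets whatever the repository's default
# setting grants. Listing scopes explicitly means every scope not named
# here is "none" for every job below.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # hypothetical step
      - run: ./audit.sh             # placeholder for the actual audit command

  report:
    runs-on: ubuntu-latest
    needs: audit
    # Only this job needs to write, so it widens the token for itself alone.
    # A job-level block replaces (does not add to) the workflow-level one,
    # so contents: read has to be restated if the job still needs it.
    permissions:
      contents: read
      issues: write
    steps:
      - run: echo "placeholder: file or update a tracking issue"
```

A third-party action or script called from `audit` therefore runs with a read-only token even if it misbehaves, which is the risk the issue describes.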
Oh that's great! Yes, it should be enough. It's arguable that having the explicit permissions on the files is clearer, but feel free to ignore and close my issues, if you prefer.