Set minimum permissions for workflows #10055
Assignees
Labels
priority: p2
Moderately-important priority. Fix may not be included in next release.
type: feature request
‘Nice-to-have’ improvement, new feature or different behavior or design.
Comments
JoeWang1127
added
type: feature request
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks for stopping by to let us know something could be better!
PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.
Is your feature request related to a problem? Please describe.
GitHub workflows are granted high permissions by default. Permissions that allow, for example, to delete your source code and publish releases. The permissions can be exploited by malicious actions run in the workflow or malicious PRs if run on
pull_request_target.Describe the solution you'd like
Set restricted permissions to run GitHub workflows or declare minimum permissions in the workflows.
e.g.
permissions: contents: readfor workflows that only need to doactions/checkout.Describe alternatives you've considered
None.
Additional context
My name is Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes.
The text was updated successfully, but these errors were encountered: