gabibguti opened this issue on Nov 13, 2023 · 0 comments · May be fixed by #10062
Labels: priority: p2 (Moderately-important priority. Fix may not be included in next release.), type: feature request ('Nice-to-have' improvement, new feature or different behavior or design.)
Thanks for stopping by to let us know something could be better!
PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.
Is your feature request related to a problem? Please describe.
GitHub workflows are granted high permissions by default: permissions that allow, for example, deleting your source code and publishing releases. The permissions can be exploited by malicious actions run in the workflow, or by malicious PRs if run on pull_request_target.
Describe the solution you'd like
Set restricted permissions to run GitHub workflows or declare minimum permissions in the workflows, e.g.

```yaml
permissions:
  contents: read
```

for workflows that only need to do actions/checkout.
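As an added illustration of the pattern proposed above (this is not a workflow from the repository), the following workflow makes read-only access the default for every job and raises it only for the single job that publishes a release; job names, the `make test` step and the release command are placeholders:

```yaml
# Added example, not part of this issue or the project's own workflows.
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default: every job receives a token limited to
# read-only repository contents, with all other scopes set to none,
# unless a job overrides it below.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only default; actions/checkout needs no more.
    steps:
      - uses: actions/checkout@v4
      - run: make test   # placeholder test command

  release:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: test
    runs-on: ubuntu-latest
    # Only this job is granted write access, and only to the scope that
    # creating a release requires. Setting permissions at job level
    # replaces the default entirely, so every scope not listed here
    # (packages, pull-requests, ...) is none for this job.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "v${{ github.run_number }}" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

A job that compromised the test job's token could neither push to the repository nor create releases, which is the exposure the issue describes for the default token.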
Describe alternatives you've considered
None.
Additional context
My name is Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes.