You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi, I work for Google and the OpenSSF to help open source projects to increase their supply-chain security.
One aspect of supply-chain security checked by the OpenSSF Scorecard and also strongly recommended by the GitHub Security is to always use credentials that are minimally scoped.
Thus, setting top level permissions to contents: read and all write permissions being granted on run level is a simple but important practice regarding GitHub Workflows.
I'll suggest a PR with the permissions changes so let me know if you have any doubts or concerns.
The text was updated successfully, but these errors were encountered:
Hi, I work for Google and the OpenSSF to help open source projects to increase their supply-chain security.
One aspect of supply-chain security checked by the OpenSSF Scorecard and also strongly recommended by the GitHub Security is to always use credentials that are minimally scoped.
Thus, setting top level permissions to
contents: readand all write permissions being granted on run level is a simple but important practice regarding GitHub Workflows.I'll suggest a PR with the permissions changes so let me know if you have any doubts or concerns.
The text was updated successfully, but these errors were encountered: