Thanks for stopping by to let us know something could be better!
PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.
Is your feature request related to a problem? Please describe.
GitHub workflows are granted high permissions by default: permissions that allow, for example, deleting your source code and publishing releases. These permissions can be exploited by malicious actions run in the workflow, or by malicious PRs if the workflow runs on `pull_request_target`. This is especially important when using 3P actions such as the one in `google-http-java-client/.github/workflows/ci-java7.yaml` (line 42 in 1acedf7).
Describe the solution you'd like
Set restricted permissions to run GitHub workflows or declare minimum permissions in the workflows, e.g.

```yaml
permissions:
  contents: read
```

for workflows that only need to do `actions/checkout`.
Describe alternatives you've considered
None.
Additional context
My name is Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes.
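As an added illustration (not part of the issue and not taken from the google-http-java-client repository), a minimal workflow showing the requested change: a workflow-level `permissions` block that reduces the `GITHUB_TOKEN` to read-only, with a single job that re-requests the one write scope it needs. Job, step and build-command names are assumed for illustration.

```yaml
# Added example, not the project's own ci-java7.yaml. Job/step names assumed.
name: ci

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

# Without this block the GITHUB_TOKEN gets the repository's default scope,
# which can include contents: write (enough to push to branches or publish
# releases). Declaring any permission here resets every scope NOT listed to
# none, so a compromised third-party action in this workflow only holds a
# read-only token. The same baseline is what limits the damage of a
# malicious PR when a workflow is triggered on pull_request_target.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      # Build/test only; nothing in this job needs to write to the repo.
      - run: mvn --batch-mode verify

  release:
    # Only the job that genuinely publishes gets a write scope, and only
    # for itself. A job-level permissions block replaces the workflow-level
    # one entirely, so every scope this job needs must be listed here.
    needs: build
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      # Placeholder for the publish step; the real command is project-specific.
      - run: mvn --batch-mode deploy
```

The effective token scopes for a run are printed at the top of each job's log under "GITHUB_TOKEN Permissions", which is the quickest way to confirm the block took effect.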