ci: add minimum GitHub token permissions for workflow by ashishkurmi · Pull Request #2154 · sindresorhus/got (original) (raw)

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using secure-workflows.

The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes. Here is an example of the permissions in one of the workflow runs:
https://github.com/sindresorhus/got/actions/runs/3133673346/jobs/5087313689#step:1:19

After this change, the scopes will be reduced to the minimum needed for the following workflow:

This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
GitHub recommends defining minimum GITHUB_TOKEN permissions.
The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.

Signed-off-by: Ashish Kurmi akurmi@stepsecurity.io