Overview
Several repos regressed their Token-Permissions Scorecard score by using top-level write permissions in GitHub Actions workflows. This was found while doing research for #329.
This was originally fixed in #269, but new additions made us regress. The list of affected repos:
- helm-charts
- backlog
- custom-images
- kube-bind-provider
- example-httpbin-operator
- platform-mesh-operator
- upstream-images
- samples-opendesk-ocm-landscaper
This ticket should try to address two things:
- These regressions by properly defining permissions
- Implementing a mechanism to prevent future regressions
Implementation Details
- Ensure permissions are properly defined for workflows in the listed repos
- Implement a mechanism (in all repos) to prevent future regressions
Completion Checklist
Overview
Several repos regressed their
Token-PermissionsScorecard score by using top-level write permissions in GitHub Actions workflows. This was found while doing research for #329.This was originally fixed in #269, but new additions made us regress. The list of affected repos:
This ticket should try to address two things:
Implementation Details
Completion Checklist