Skip to content

Commit 1a5c33b

Browse files
committed
Tighten GITHUB_TOKEN scope on bandit, codeql, publish, python workflows
OSSF Scorecard's token-permissions check was scoring 0. Default GITHUB_TOKEN scope is write, so workflows that don't declare permissions inherit too much. scorecard.yml was already locked down; the other four weren't. Top-level read-all on each, with the write bits scoped to the jobs that actually need them: - bandit.yml: analyze keeps security-events: write - codeql.yml: analyze keeps security-events: write plus actions/contents: read - publish.yml: publish keeps id-token: write for PyPI OIDC - python.yml: build keeps pull-requests: write for the coverage comment
1 parent b99c371 commit 1a5c33b

4 files changed

Lines changed: 8 additions & 0 deletions

File tree

.github/workflows/bandit.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,8 @@ on:
1010
- cron: "0 0 * * 0"
1111
workflow_dispatch:
1212

13+
permissions: read-all
14+
1315
jobs:
1416
analyze:
1517
runs-on: ubuntu-latest

.github/workflows/codeql.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,8 @@ on:
88
schedule:
99
- cron: "0 0 * * 0"
1010

11+
permissions: read-all
12+
1113
jobs:
1214
analyze:
1315
name: Analyze Python

.github/workflows/publish.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@ on:
44
release:
55
types: [published]
66

7+
permissions: read-all
8+
79
jobs:
810
build:
911
runs-on: ubuntu-latest

.github/workflows/python.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,8 @@ name: Python CI
22

33
on: [push, pull_request]
44

5+
permissions: read-all
6+
57
jobs:
68
build:
79
permissions:

0 commit comments

Comments
 (0)