Commit 1a5c33b
committed
Tighten GITHUB_TOKEN scope on bandit, codeql, publish, python workflows
OSSF Scorecard's token-permissions check was scoring 0. Default
GITHUB_TOKEN scope is write, so workflows that don't declare permissions
inherit too much. scorecard.yml was already locked down; the other four
weren't.
Top-level read-all on each, with the write bits scoped to the jobs that
actually need them:
- bandit.yml: analyze keeps security-events: write
- codeql.yml: analyze keeps security-events: write plus actions/contents: read
- publish.yml: publish keeps id-token: write for PyPI OIDC
- python.yml: build keeps pull-requests: write for the coverage comment1 parent b99c371 commit 1a5c33b
4 files changed
Lines changed: 8 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
10 | 10 | | |
11 | 11 | | |
12 | 12 | | |
| 13 | + | |
| 14 | + | |
13 | 15 | | |
14 | 16 | | |
15 | 17 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| 11 | + | |
| 12 | + | |
11 | 13 | | |
12 | 14 | | |
13 | 15 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| 7 | + | |
| 8 | + | |
7 | 9 | | |
8 | 10 | | |
9 | 11 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
| 5 | + | |
| 6 | + | |
5 | 7 | | |
6 | 8 | | |
7 | 9 | | |
| |||
0 commit comments