Hi, I'm from Google and I'm working with the OpenSSF to improve the supply chain security in many open source projects.
One possible (and quite simple) supply chain security change that can be adopted by jna is to set the permissions for GITHUB_TOKEN in order to limit the permissions granted.
This is important because, by default, GitHub grants all workflows write-all access, which could be exploited by an attacker in case of a compromised workflow. Thus, it is a good practice, recommended both by the OpenSSF Scorecard and by GitHub itself, to always use credentials that are minimally scoped.
This means setting the top-level permission as contents: read (usually enough for most actions) or even read-all, and granting any write permission at the job level.
I will suggest a PR for this issue just to show what the change is about. Feel free to reach out to me in case of questions or concerns about this.
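The change described above, as an added example (not jna's actual workflow; job names, the `ant` build step and the release step are hypothetical): the same release workflow before and after scoping GITHUB_TOKEN, with the read-only grant at the top level and the single write scope pushed down to the one job that needs it.

```yaml
# Added example, not taken from the jna repository.
# --- Before: no `permissions` key at all, so every job's GITHUB_TOKEN
# receives the repository default (write-all unless the owner changed it).
name: release-before
on:
  push:
    tags: ['v*']
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ant                      # hypothetical build step
  publish:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

---
# --- After: a read-only token for the whole workflow. Only the job that
# really writes gets a job-level grant, and a job-level `permissions` block
# replaces (does not extend) the top-level one, so list every scope that
# job needs; anything not listed becomes `none`.
name: release-after
on:
  push:
    tags: ['v*']
permissions:
  contents: read                      # top-level default for all jobs
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ant                      # hypothetical build step, read-only token
  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write                 # the only scope creating a release needs
    steps:
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The two documents above would live in separate files under `.github/workflows/`; the `---` separator only keeps them side by side here. Compromising the `build` job in the second workflow yields a token that cannot push, tag or publish.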