Is your feature request related to a problem? Please describe.
Scorecard reports the below findings. If the report is accurate, the token permissions need to be reduced to the minimum.
"reason": "detected GitHub workflow tokens with excessive permissions",
"details": [
"Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yaml:31",
"Info: topLevel 'contents' permission set to 'read': .github/workflows/db-performance-test.yaml:27",
"Warn: no topLevel permission defined: .github/workflows/nightly-release.yaml:1",
"Info: topLevel 'contents' permission set to 'read': .github/workflows/postmerge.yaml:20",
"Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yaml:27",
"Warn: topLevel 'packages' permission set to 'write': .github/workflows/release.yaml:28",
"Info: topLevel 'actions' permission set to 'read': .github/workflows/release.yaml:26",
"Warn: no topLevel permission defined: .github/workflows/reusable-local-build.yaml:1",
"Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18",
"Info: no jobLevel write permissions found"
],
Describe the solution you'd like
Talked to Michael and he said he can apply the solution that he used before to GUAC.
Describe alternatives you've considered
N/A
Additional context
https://api.securityscorecards.dev/projects/github.com/guacsec/guac
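
The following is an added example, not part of the issue and not Scorecard's or GUAC's code: a standard-library check that reproduces the topLevel distinctions in the findings above on constructed workflow text. The function name and the sample workflows are assumptions, and it handles only block-style `permissions:` mappings and the scalar forms; the third sample declares the same write scopes on the job that needs them, leaving the top level read-only.

```python
import re

# Constructed sample workflows (not GUAC's files): no top-level permissions,
# top-level write scopes, and write scopes moved down to the job.
NO_PERMS = "on: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
TOP_WRITE = """\
permissions:
  actions: read
  contents: write
  packages: write
jobs:
  publish:
    runs-on: ubuntu-latest
"""
JOB_WRITE = """\
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
"""

def audit_top_level(text):
    """Return (severity, message) pairs for the workflow's top-level permissions."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # Anchored at column 0, so job-level (indented) keys never match here.
        m = re.match(r"permissions:\s*(.*?)\s*(#.*)?$", line)
        if not m:
            continue
        if m.group(1):  # scalar form: read-all, write-all or {}
            sev = "Warn" if m.group(1) == "write-all" else "Info"
            return [(sev, f"topLevel permissions set to '{m.group(1)}'")]
        out = []
        for nested in lines[i + 1:]:
            if nested.strip() and not nested[0].isspace() and not nested.startswith("#"):
                break  # the next top-level key ends the mapping
            kv = re.match(r"\s+([\w-]+):\s*([\w-]+)", nested)
            if kv:
                sev = "Warn" if kv.group(2) == "write" else "Info"
                out.append((sev, f"topLevel '{kv.group(1)}' permission set to '{kv.group(2)}'"))
        return out
    return [("Warn", "no topLevel permission defined")]
```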