From: anonymous
Subject: [Octave-bug-tracker] [bug #62461] [GitHub] [Workflows] GITHUB_TOKEN with too much permissions
Date: Sat, 14 May 2022 13:02:36 -0400 (EDT)
URL:
<https://savannah.gnu.org/bugs/?62461>
Summary: [GitHub] [Workflows] GITHUB_TOKEN with too much permissions
Project: GNU Octave
Submitted by: None
Submitted on: Sat 14 May 2022 05:02:35 PM UTC
Category: Test Suite
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: None
Status: None
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Release: dev
Discussion Lock: Any
Operating System: Any
_______________________________________________________
Details:
### Detailed Description
In the public repository on GitHub, the workflows have too many permissions,
that is, they have write access for nearly every feature. This should be considered
a serious security issue since it gives the workflow control over the entire
repository, including changing files as well as authoring and approving pull
requests.
Please consider reducing the permissions you grant your workflows.
### Suggested Fix
In order to reduce the permissions of the workflow, just add the following
lines to the top level of its source file:
```
permissions:
  contents: read
```
This will set the permissions to read-only for the repository and discard all
further permissions, that is, the workflow will no longer be allowed to
approve pull requests, for instance.
For more details, please take a look at the GitHub Documentation for this
feature:
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions?azure-portal=true#permissions.
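As an added example that is not part of the report: a small Python check that flags workflow files which lack a top-level `permissions:` key (so the repository default token applies) or grant any `write` scope to GITHUB_TOKEN. It assumes plain two-space-indented workflow YAML with no comments inside the `permissions` block; the sample workflows are constructed here.

```python
"""Audit GitHub Actions workflows for over-broad GITHUB_TOKEN permissions."""
import re
from typing import Dict, List, Optional

WRITE_LEVELS = {"write", "write-all"}


def top_level_permissions(text: str) -> Optional[Dict[str, str]]:
    """Top-level `permissions:` mapping; {} for read-all/{}; None if absent
    (the repository default then applies, which may grant write access).
    Assumption: plain two-space-indented YAML, no comments inside the block."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*?)\s*$", line)  # column 0 = top level
        if not m:
            continue
        inline = m.group(1)
        if inline in ("read-all", "{}"):
            return {}
        if inline == "write-all":
            return {"*": "write-all"}
        perms: Dict[str, str] = {}
        for sub in lines[i + 1:]:  # indented `scope: level` children
            sm = re.match(r"^\s+([\w-]+):\s*(\S+)\s*$", sub)
            if not sm:
                break
            perms[sm.group(1)] = sm.group(2)
        return perms
    return None


def audit(text: str) -> List[str]:
    """Findings for one workflow; an empty list means a read-only token."""
    perms = top_level_permissions(text)
    if perms is None:
        return ["no top-level permissions block: repository default applies"]
    return [f"{scope}: {level}" for scope, level in perms.items()
            if level in WRITE_LEVELS]


# Constructed samples: no permissions key vs. the fix proposed in the report.
UNRESTRICTED = "name: ci\non: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
RESTRICTED = ("name: ci\non: [push]\npermissions:\n  contents: read\n"
              "jobs:\n  build:\n    runs-on: ubuntu-latest\n")

if __name__ == "__main__":
    for name, wf in (("unrestricted", UNRESTRICTED), ("restricted", RESTRICTED)):
        print(name, audit(wf) or ["ok"])
```

Run it over each file under `.github/workflows/` to spot workflows that still rely on the repository default; job-level `permissions:` blocks are not inspected by this check.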
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?62461>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/