octave-bug-tracker

[Octave-bug-tracker] [bug #62461] [GitHub] [Workflows] GITHUB_TOKEN with


From: Markus Mützel
Subject: [Octave-bug-tracker] [bug #62461] [GitHub] [Workflows] GITHUB_TOKEN with too much permissions
Date: Mon, 16 May 2022 05:14:11 -0400 (EDT)

Follow-up Comment #1, bug #62461 (project octave):

Thanks for your report.

I guess you are referring to the read-only mirror of Octave on GitHub here:
https://github.com/gnu-octave/octave

I'm trying to come up with a scenario where the permissions of GITHUB_TOKEN
could actually become an issue. Could you please elaborate?

Anyway, restricting the permissions per workflow file would probably not hurt.
But if a malicious party gained access to triggering a (modified) workflow
run, they could probably also change the permissions in those files to
anything they'd like anyway...


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?62461>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
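
An added example, not part of the original message or of the Octave project's code: a small Python check that flags workflow files whose jobs run without an explicit `permissions:` setting, the per-workflow restriction discussed in the comment above. The sample workflows are constructed, and the line-based parsing assumes conventionally indented YAML.

```python
# Constructed sample workflow (not taken from the gnu-octave/octave mirror).
UNRESTRICTED = """\
name: build
on: [push]
jobs:
  ubuntu:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
"""
# Same workflow with a workflow-wide, read-only GITHUB_TOKEN.
RESTRICTED = UNRESTRICTED.replace("jobs:", "permissions:\n  contents: read\njobs:")

def audit_workflow(text):
    """Return findings about GITHUB_TOKEN permissions in one workflow file."""
    top = None            # workflow-wide `permissions:` value, if present
    jobs = {}             # job name -> True if the job sets `permissions:`
    in_jobs = False
    job_indent = child_indent = current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue      # skip blank lines and full-line comments
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.split(" #")[0].strip()
        if indent == 0:   # top-level key: workflow-wide settings
            in_jobs, job_indent, current = key == "jobs", None, None
            if key == "permissions":
                top = value or "(mapping)"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent          # first job fixes the job indent
            if indent == job_indent:         # a new job starts here
                current, child_indent = key, None
                jobs[current] = False
            elif current is not None:
                if child_indent is None:
                    child_indent = indent    # indent of the job's direct keys
                if indent == child_indent and key == "permissions":
                    jobs[current] = True
    findings = []
    if top == "write-all":
        findings.append("workflow: permissions: write-all")
    if top is None:       # no workflow-wide setting: each job must set its own
        findings += [f"job {n}: no explicit permissions" for n, ok in jobs.items() if not ok]
    return findings
```

A job reported here runs with whatever default token permissions the repository or organization is configured to grant.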



