zizmor audit for scorecard workflow #2275

Open
funnelfiasco opened this issue Nov 7, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@funnelfiasco (Contributor)
🌈 completed scorecard.yml
warning[excessive-permissions]: overly broad workflow or job-level permissions
  --> .github/workflows/scorecard.yml:18:1
   |
18 | permissions: read-all
   | --------------------- uses read-all permissions
   |
   = note: audit confidence → High

1 findings (0 ignored): 0 unknown, 0 informational, 0 low, 1 medium, 0 high
@funnelfiasco funnelfiasco added the bug Something isn't working label Nov 7, 2024
@funnelfiasco (Contributor, Author)
It's not clear if read-all is truly necessary here or not. I opened ossf/scorecard-action#1461 to ask about it.

@funnelfiasco (Contributor, Author)
Seems that read-all isn't necessary, but a matter of convenience. We may want to do some testing to see how much we can restrict that.
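As an added illustration (not code from this issue, the repository, or the ossf/scorecard-action project): the workflow-level setting that zizmor flagged, rewritten to grant nothing at the workflow level and only what each job uses at the job level. `read-all` hands every read scope to every job in the workflow, whether or not a job touches that API. The job-level scopes below are the ones the scorecard-action README documents for uploading SARIF and publishing results; whether this repository's workflow needs exactly that set (for example, whether `publish_results` is enabled, which is what `id-token: write` is for) is an assumption here and is what the testing mentioned above would confirm. Action version tags are placeholders for the full commit SHAs a pinned workflow would use.

```yaml
# Added example, not the repository's scorecard.yml.
name: Scorecard supply-chain security
on:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [main]

# Before (what zizmor reported as excessive-permissions):
#   permissions: read-all
#
# After: the workflow grants nothing; each job declares its own scopes.
permissions: {}

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      contents: read           # actions/checkout needs to read the repository
      security-events: write   # upload-sarif writes to the code-scanning dashboard
      id-token: write          # OIDC token used when publish_results is true (assumption)
      # For a private repository the scorecard-action README also lists:
      #   actions: read
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in practice
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - uses: ossf/scorecard-action@v2   # pin to a full commit SHA in practice
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

      - uses: github/codeql-action/upload-sarif@v3   # pin to a full commit SHA in practice
        with:
          sarif_file: results.sarif
```

Re-running `zizmor .github/workflows/scorecard.yml` after the change is the quick check: the excessive-permissions finding for line 18 should be gone, and any job that truly needed a scope it no longer has will fail at the step that calls the corresponding API, which is the cheap way to do the "testing to see how much we can restrict that" mentioned above.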
