release: shift permissions to job #161

Merged: 1 commit, Jul 27, 2023


thepwagner
Contributor

This should have no effective changes, but I think it will improve the OpenSSF Scorecard result.

Workflow level permissions are called "top level" permissions and are calculated around here: https://github.com/ossf/scorecard/blob/8779de9cd23ffe15b6fd398a2f125a3452f08170/checks/raw/permissions.go#L267
Write permissions at the top level seem to be discouraged.

Individual workflows are inspected for actions that fingerprint - I think because our workflow includes actions/setup-go and goreleaser/goreleaser-action, it will be considered to require the contents: write and packages: write permissions. This is calculated around here - https://github.com/ossf/scorecard/blob/8779de9cd23ffe15b6fd398a2f125a3452f08170/checks/raw/permissions.go#L336-L351

TLDR: should not break anything, might boost scorecard by 0.1 📈
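An added illustration of the change described in the comment above, not the workflow from this pull request: write scopes move from the workflow level to the single job that needs them. The workflow name, trigger, job name, action version tags and the read-only top-level default are assumptions; only the two action names and the `contents: write` / `packages: write` scopes come from the discussion.

```yaml
# Constructed example. Each YAML document below stands for its own
# .github/workflows/release.yml; they are shown together for comparison.

# Before: write scopes at the workflow ("top") level are inherited by every job.
name: release
on:
  push:
    tags: ["v*"]            # assumed trigger
permissions:
  contents: write
  packages: write
jobs:
  goreleaser:               # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v4
      - uses: goreleaser/goreleaser-action@v5
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
---
# After: the top level grants read access only (assumed default), and the
# release job declares the write scopes itself. A job added later starts
# from the read-only default instead of inheriting write access.
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
jobs:
  goreleaser:
    runs-on: ubuntu-latest
    permissions:            # job-level block replaces the top-level one for this job
      contents: write
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v4
      - uses: goreleaser/goreleaser-action@v5
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

With a single job, the token issued to that job carries the same scopes in both versions; the difference only shows up when another job is added to the workflow.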


@thepwagner thepwagner self-assigned this Jul 27, 2023
@thepwagner thepwagner requested review from a team and shane-lawrence and removed request for a team July 27, 2023 19:26
Member

@shane-lawrence shane-lawrence left a comment


Looks like a noop in practice. 🚢

@thepwagner thepwagner merged commit 21afa2a into main Jul 27, 2023
5 checks passed
@thepwagner thepwagner deleted the release-permissions-to-job branch July 27, 2023 21:11