Posted to notifications@logging.apache.org by "joycebrum (via GitHub)" <gi...@apache.org> on 2023/02/27 17:48:17 UTC

[I] Set permissions to codeql github workflow (logging-log4j2)

joycebrum opened a new issue, #1289:
URL: https://github.com/apache/logging-log4j2/issues/1289

   **Warning!**
   It is highly recommended to discuss feature requests in [the mailing lists](https://logging.apache.org/log4j/2.x/support.html) first.
   
   I'm talking on behalf of Google and the OpenSSF.
   
   There is a known issue with GitHub workflows: they grant write permission to all workflows unless defined otherwise, thus it is a recommendation from both [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and [GitHub](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) to always use credentials that are minimally scoped.
   
   I've seen that almost all of the logging-log4j2 workflows already have their permissions minimally scoped, except for codeql which, although it has the permissions set at the job level, has no top-level permission defined. Just to guarantee that no job eventually added to the workflow will have undesirable write permissions, I'll send a suggestion setting the top-level permission to none.
   
   Feel free to reach out to me in case of any doubts or concerns.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
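As an added illustration (not the issue author's suggestion and not the project's actual workflow file), a minimal CodeQL workflow showing the pattern the issue asks for: an empty top-level `permissions` block so that any job added later starts with a token that has no write scopes, while the CodeQL job declares only the rights it needs. The branch name, job names and language matrix are assumed placeholders.

```yaml
name: CodeQL

on:
  push:
    branches: [ "main" ]   # assumed branch name
  pull_request:
    branches: [ "main" ]

# Top-level default for every job in this file: no token permissions at all.
# Without this line a job that declares no `permissions` of its own falls back
# to the repository default, which can be read/write on all scopes.
permissions: {}

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Job-level grant: only what CodeQL needs (read source, read workflow
    # metadata, upload SARIF results to code scanning).
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ "java" ]   # assumed; pick the languages of the project
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@v2

  # A job added later without its own `permissions` block inherits the
  # top-level `{}` and therefore runs with a token that has no write scopes,
  # instead of inheriting the repository default.
  later-added-job:
    runs-on: ubuntu-latest
    steps:
      - run: echo "GITHUB_TOKEN here has no write scopes"
```

Scorecard's Token-Permissions check looks for exactly this top-level block; setting it to `{}` is stricter than `read-all` and still leaves each job free to request what it needs.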


Re: [I] Set permissions to codeql github workflow (logging-log4j2)

Posted by "vy (via GitHub)" <gi...@apache.org>.
vy closed issue #1289: Set permissions to codeql github workflow
URL: https://github.com/apache/logging-log4j2/issues/1289

