Posted to issues@commons.apache.org by GitBox <gi...@apache.org> on 2022/04/27 14:26:49 UTC

[GitHub] [commons-io] aherbert commented on pull request #351: chore: Set permissions for GitHub actions

aherbert commented on PR #351:
URL: https://github.com/apache/commons-io/pull/351#issuecomment-1111071557

   I am trying to find out if this is a security issue on our repos.
   
   The GH actions run using the permissions granted to the `GITHUB_TOKEN`. See [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
   
   The default permissions are set at the enterprise, organization, or repository level. The question is how we find out if Apache has set this to `permissive` or `restricted` across all the Commons repos. It requires admin permissions on the GitHub repo, so it may have to be done by INFRA. If it is set as `restricted` then this is a non-issue, as the defaults are read on contents and metadata and nothing else.
   
   This is only an issue if the default access is set to `permissive` across our repos.
   
   Note that it does not do any harm to set it for all the workflows as this is the mechanism used to change the permissions from the default. Explicitly setting it in the workflow yaml makes it clear that the intention is a read-only build of the repo contents.
   
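As an added illustration of the point made in the comment above (this is example configuration, not the PR's actual diff or the commons-io project's own workflow), a workflow that explicitly pins the `GITHUB_TOKEN` to a read-only build regardless of what the enterprise, organization or repository default is set to. The workflow name, trigger, Java version and action versions are assumed for the example.

```yaml
# Example workflow (constructed for illustration; not the commons-io workflow).
name: Java CI

on: [push, pull_request]

# Declared at the top level, this applies to every job below and overrides
# whatever default (permissive or restricted) is configured on the repository.
# With only "contents: read" set, all other scopes of GITHUB_TOKEN are
# implicitly "none"; "metadata: read" is always granted by GitHub.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3   # action version assumed for the example
      - uses: actions/setup-java@v3 # action version assumed for the example
        with:
          distribution: temurin
          java-version: 8
      - run: mvn --batch-mode verify

  # If one job genuinely needs more, grant it there rather than widening
  # the whole workflow. The job's block replaces the top-level block, so
  # every scope that job still needs must be listed again.
  report:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write   # example only: a job that must comment on issues
    steps:
      - run: echo "job with a deliberately scoped token"
```

Omitting the `permissions` key entirely is the weak configuration the comment describes: the token then inherits the organization or repository default, which may be the permissive (write-all) setting.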