Posted to issues@commons.apache.org by GitBox <gi...@apache.org> on 2022/05/20 03:56:09 UTC

[GitHub] [commons-lang] varunsh-coder opened a new pull request, #894: ci: Add GitHub token permissions for workflows

varunsh-coder opened a new pull request, #894:
URL: https://github.com/apache/commons-lang/pull/894

   GitHub asks developers to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.
   
   The Open Source Security Foundation (OpenSSF) [Scorecards](https://github.com/ossf/scorecard) also treats not setting token permissions as a high-risk issue. 
   
   This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows. 
   
   This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so this PR fixes the token permissions to improve security.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
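
The check that the pull request above addresses can be sketched as a small audit: for each job in a workflow, work out which `permissions` setting applies to its GITHUB_TOKEN. This is an added example, not code from the pull request or from the commons-lang workflows; the function name `audit_workflow` and both sample workflows are constructed, and the line-based scan assumes block-style YAML indented by two spaces.

```python
import re

# Constructed sample workflows, not taken from the commons-lang repository.
UNSCOPED = """\
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
  publish:
    permissions: write-all   # explicit, but as broad as it gets
    runs-on: ubuntu-latest
"""
SCOPED = """\
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
"""

def audit_workflow(text):
    """Return (job, issue) pairs; assumes 2-space block-style YAML."""
    top_level, jobs, section, current = None, {}, None, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        m = re.match(r"( *)([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:
            section = key
            if key == "permissions":
                top_level = value                   # "" means a mapping follows
        elif section == "jobs" and indent == 2:
            current, jobs[key] = key, None          # new job, nothing set yet
        elif section == "jobs" and indent == 4 and key == "permissions":
            jobs[current] = value                   # job-level setting wins
    findings = []
    for job, own in jobs.items():
        effective = own if own is not None else top_level
        if effective is None:
            findings.append((job, "unset"))         # falls back to repo/org default
        elif effective == "write-all":
            findings.append((job, "write-all"))
    return findings
```

A job reported as `unset` inherits whatever default the repository or organisation has configured for the token, which is the case a top-level `permissions:` block removes.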


[GitHub] [commons-lang] kinow merged pull request #894: ci: Add GitHub token permissions for workflows

Posted by GitBox <gi...@apache.org>.
kinow merged PR #894:
URL: https://github.com/apache/commons-lang/pull/894

