Open
Description
This will allow us to change the default GITHUB_TOKEN permissions to read only for all repositories:
Workflow permissions
Choose the default permissions granted to the GITHUB_TOKEN when running workflows in this repository. You can specify more granular permissions in the workflow using YAML. Learn more about managing permissions.
- Read and write permissions
Workflows have read and write permissions in the repository for all scopes.
- Read repository contents and packages permissions
Workflows have read permissions in the repository for the contents and packages scopes only.
It will also improve our OSSF Scorecard Token-Permissions scores.
Using some incredibly hacky Copilot instructions (that I'm embarrassed to post), I have semi-automated this.
Maintainers and approvers: please check these PRs carefully and watch out for any permission-related workflow failures after merging them.
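A check that could be run over workflow files before the default is switched to read-only, as an added example and not the tooling used for these PRs: it flags workflows with no top-level `permissions:` key, the jobs that would then fall back to the repository default, and any `write-all` grant. It is an indentation-based heuristic using only the standard library; the function name `audit` is hypothetical, and the sample workflows are constructed and trimmed to the keys the check reads.

```python
import re

# Constructed sample workflows (not taken from any repository in this issue).
SAMPLES = {
    "ci.yml": "on: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n",
    "release.yml": ("on: [workflow_dispatch]\npermissions:\n  contents: read\njobs:\n  publish:\n"
                    "    runs-on: ubuntu-latest\n    permissions:\n      contents: write\n"),
    "labeler.yml": "on: [pull_request]\npermissions: write-all\njobs:\n  label:\n    runs-on: ubuntu-latest\n",
}

# "key: value" lines only; list items ("- uses: ...") and comments do not match.
KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):\s*(.*?)\s*$")

def audit(text):
    """Return a list of findings for one workflow file (hypothetical helper)."""
    top = None    # top-level permissions value; "block" when it is a mapping
    jobs = {}     # job id -> job-level permissions value, or None if absent
    in_jobs, job_indent, child_indent, job = False, None, None, None
    for raw in text.splitlines():
        m = KEY.match(raw.split(" #")[0])   # drop trailing comments
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:
            in_jobs = key == "jobs"
            if key == "permissions":
                top = value or "block"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent          # indentation of job ids
            if indent == job_indent:
                job, child_indent = key, None
                jobs[job] = None
            elif job is not None:
                if child_indent is None:
                    child_indent = indent    # indentation of a job's own keys
                if indent == child_indent and key == "permissions":
                    jobs[job] = value or "block"
    findings = []
    if top is None:
        findings.append("no top-level permissions")
        findings += [f"job '{j}' inherits the repository default"
                     for j, p in jobs.items() if p is None]
    if "write-all" in [top, *jobs.values()]:
        findings.append("write-all granted")
    return findings

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text) or "ok")
```

Jobs reported as inheriting the repository default are the ones most likely to fail on permissions once the read-only default is applied.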