Merge pull request #105 from marcransome/openssf-scorecard-remediations

Remediate OpenSSF Scorecard token-permissions
marcransome · Mar 10, 2024 · 49ef64a · 49ef64a
2 parents d96aa67 + dc69567
commit 49ef64a
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 3 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -9,13 +9,14 @@ on:
   schedule:
     - cron: '00 18 * * 1'
   workflow_dispatch:
+
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze
     runs-on: macos-latest
     permissions:
-      actions: read
-      contents: read
       security-events: write
     steps:
     - name: Checkout repository

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -3,6 +3,9 @@ on:
   pull_request:
     branches:
       - main
+
+permissions: read-all
+
 jobs:
   dependency-review:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml
@@ -12,6 +12,9 @@ on:
   schedule:
     - cron: '0 18 * * 1'
   workflow_dispatch:
+
+permissions: read-all
+
 jobs:
   markdown-links:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
@@ -6,7 +6,6 @@ on:
   push:
     branches: [ "main" ]
 
-# Declare default workflow permissions as read only
 permissions: read-all
 
 jobs:
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,7 +6,6 @@ on: @@
       push:
         branches: [ "main" ]
-    # Declare default workflow permissions as read only
     permissions: read-all
     jobs:
@@ Expand Down @@