-
Notifications
You must be signed in to change notification settings - Fork 118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(OSSF): update token permissions to improve ossf scorecard #763
base: main
Are you sure you want to change the base?
Conversation
✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.
|
@JamieSlome I am a citi Employee, I Sent an authorization request as a Corporate Contributor for EasyCLA. Can you please approve it? |
@laukik-target - great PR ❤️ Can you re-open using commits created with your Citi e-mail address? |
I guess, It is good to merge now. |
@JamieSlome Changes were done. Requesting for re-review & approval. |
@JamieSlome Can you please re-review and approve the PR |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #763 +/- ##
=======================================
Coverage 63.11% 63.11%
=======================================
Files 47 47
Lines 1681 1681
=======================================
Hits 1061 1061
Misses 620 620 ☔ View full report in Codecov by Sentry. |
@laukik-target - are we able to re-base all of your 10 commits to use your Citi e-mail address instead? All 10 commits should use your public Citi e-mail address instead of the current Gmail address 👍 Let me know if you need help on how to do this. |
3be9c3c
to
974459d
Compare
@JamieSlome I squashed my commit to single one for clear understanding. Please help |
@JamieSlome |
fix: update npm start script to run locally revert changes for npm start and remove packages write permission
@JamieSlome Can you please merge this PR |
Description:
This PR aims to improve the repository's security posture by adhering to the principle of least privilege and enhancing the OSSF Scorecard score. The following changes have been made to reduce excessive permissions in GitHub Actions workflows and ensure a more secure CI/CD pipeline.
A small fix related to bringing up the git proxy locally is also fixed.
Issue: Bump OSSF score above 9.0 ⬆️
Should improve this score:
Changes:
1. Updated token permissions: Scoped permissions at both the top-level and job level for workflows such as:
2. Enhanced security:
3. Improved OSSF Scorecard rating:
Benefits:
Checklist:
✅Updated workflows with restrictive token permissions.
✅Addressed OSSF Scorecard recommendations for token permissions.