-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Are read-all
permissions necessary?
#1461
Comments
It is likely a matter of convenience, with a dash of future proofing further updates. The answer is likely different for public vs. private repos as well, and it's something we haven't done a good job of documenting. GitHub has a handy auditing tool for determining least privilege for their REST API, but Scorecard uses the graphQL API which isn't supported by the monitor. At the very least, this past issue implies
But certain feature requests means new permissions may be used in the future, such as |
Thanks for the info. I'll see if the GUAC maintainers are interested in experimenting with me to see if we can identify a minimum level of permissions. If so, I'll contribute that knowledge upstream. |
It would be nice to either work with zizmor to tag this warning as inconsequential or fix this in the workflow. |
Strangely, I set the permissions to empty |
We've been running it on GUAC with a workflow-level |
I'm using zizmor to audit GUAC's GitHub workflows and the scorecard workflow reports excessive permissions:
I don't see anything in this action's docs that explain why
read-all
is necessary. Does the action require read access to all possible permissions or is that a convenience instead of enumerating the specific permissions required?If
read-all
is necessary, I'd be happy to submit a PR to add a mention in the docs.The text was updated successfully, but these errors were encountered: