Reduce scorecard workflow permissions scope #2326

Open: wants to merge 1 commit into main
Conversation

robert-cronin (Contributor)
Description of the PR

Fixes #2275

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO); they are generated using the -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If GraphQL schema is changed, GraphQL client updates/additions have been made
  • If OpenAPI spec is changed, make generate has been run
  • If ent schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged

robert-cronin (Contributor, Author)
I did try with the id-token: write permission set, but it seems that the Scorecard API has some checks to ensure the integrity of the data, including a default branch check:

https://github.com/robert-cronin/guac/actions/runs/12076752606/job/33678574053
https://github.com/ossf/scorecard-action?tab=readme-ov-file#workflow-restrictions
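For reference, the shape of a scorecard workflow whose write scopes are confined to the one job that needs them. This is an added example, not the diff in this PR and not GUAC's own workflow file; it follows the layout in the ossf/scorecard-action README linked above, and the action versions and cron schedule are placeholders.

```yaml
# Added example, not GUAC's workflow file. Layout follows the
# ossf/scorecard-action README; versions and schedule are placeholders.
name: Scorecard supply-chain security

on:
  branch_protection_rule:
  schedule:
    - cron: '20 7 * * 2'     # weekly; placeholder
  push:
    branches: [ "main" ]     # publishing is only accepted from the default branch

# Default for every job in this workflow: a read-only token.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # A job-level permissions block REPLACES the top-level one: any scope not
    # listed here becomes none, so list exactly what the steps below need.
    permissions:
      security-events: write   # github/codeql-action/upload-sarif
      id-token: write          # OIDC token, used only when publish_results: true
      # Public repositories can be cloned without a token. For a private
      # repository add the read scopes scorecard-action needs:
      # contents: read
      # actions: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # Set to false and drop id-token: write above if you only want the
          # SARIF in code scanning; the workflow restrictions (default branch
          # among them) are enforced when results are published.
          publish_results: true

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Two points worth checking when trimming these scopes: `id-token: write` is needed only for `publish_results: true`, and that publish path is what brings in the workflow restrictions, including the default-branch check mentioned above, so a run from a PR branch in a fork will be rejected regardless of the permissions granted. In production, pin the `uses:` references to commit SHAs rather than the tags used here.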

Successfully merging this pull request may close these issues: zizmor audit for scorecard workflow