Unsure of solution for fixing "contents: write" security recommendation #1867
Is your feature request related to a problem? Please describe.
Hello! We are seeing the scorecard recommendation in the image under "Additional context". You can find the line we are getting the recommendation for here. The scorecard recommendation ID is TokenPermissionsID.

Describe the solution you'd like
The remediation for this scorecard recommendation currently tells us to set permissions to read-all, although we already have permissions set to read-all in this file. I believe we have implemented the solution that is being recommended, so it seems like the remediation might be misleading, unless I'm mistaken. Is there an additional change that should be made in this configuration?

Additional context

Comments

I believe this is because What is the recommended best practice in this case? find a more limited permission?

do you need these permissions to write to the GitHub pages using peaceiris/actions-gh-pages? Which API is it using? I think it may be worth asking GitHub for a more granular permission for this, because pushing docs is less scary than pushing to source code. Well, docs can trick users into running arbitrary commands... but it's not very stealthy if this is the public doc. In this case you probably have no way around it and I would dismiss the alert. What we could do is tweak the messaging and say "if you need to write to GH pages, you can dismiss the alert"...? /cc @olivekl any thoughts to make the messaging more general without encouraging users to dismiss all alerts?

To answer your first question: yes,
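The thread above turns on one point: the workflow already declares `permissions: read-all` at the top level, but the job that publishes docs with peaceiris/actions-gh-pages still needs `contents: write` to push to the Pages branch. The workflow file from the issue is only linked, not quoted, so the following is an added example (not the reporter's file and not code from the Scorecard project) showing the least-privilege layout that keeps the write grant confined to the one job that pushes. The build command, artifact names and `publish_dir` path are assumptions chosen for illustration.

```yaml
# Added example, not the workflow from this issue. Assumed: the site is built
# into ./docs/_build/html and published with peaceiris/actions-gh-pages.
name: docs

on:
  push:
    branches: [main]

# Workflow-level default: every job runs read-only unless it opts in below.
# This is the line the Scorecard remediation text is talking about.
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits read-all: building docs needs no write access at all.
    steps:
      - uses: actions/checkout@v4
      - run: make -C docs html   # assumed build command
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: docs/_build/html

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # The only job that pushes to the Pages branch, so the only place
    # contents: write is granted. A job-level permissions block sets every
    # scope it does not list to none, so this job gets nothing else.
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: site
      - uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./site
```

With this split, a compromised build step (a malicious dependency, a tampered action) holds a read-only token; only the deploy job's token can push, and only to repository contents. If Scorecard still reports the job-level `contents: write`, that is the situation the maintainer's comment above describes as having no way around and dismissable, and the finding can be reviewed on that basis rather than by widening permissions elsewhere.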