🐛 Forgive job-level permissions #3162

Merged
merged 12 commits into from
Jul 14, 2023
5 changes: 5 additions & 0 deletions docs/checks.md
Expand Up @@ -630,6 +630,11 @@ One point is reduced from the score if all jobs have their permissions defined b
This configuration is secure, but there is a chance that when a new job is added to the workflow, its job permissions could be
left undefined because of human error.

Though a project's score won't be penalized, the check's details will include
warnings for all run-level permissions. This compromise makes it clear the
maintainer has done what's possible to use those permissions safety, but allows
users to identify that the permissions are used.

The check cannot detect if the "read-only" GitHub permission setting is
enabled, as there is no API available.
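
Review bot: typo in the third added line, "use those permissions safety" should read "use those permissions safely". The same paragraph also says "run-level permissions", a term the surrounding context does not use (the context lines talk about job permissions, and the PR title says job-level); suggest "job-level permissions" so a reader can tie the warning back to the part of the workflow that triggers it.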

5 changes: 5 additions & 0 deletions docs/checks/internal/checks.yaml
Expand Up @@ -670,6 +670,11 @@ checks:
This configuration is secure, but there is a chance that when a new job is added to the workflow, its job permissions could be
left undefined because of human error.

Though a project's score won't be penalized, the check's details will include
warnings for all run-level permissions. This compromise makes it clear the
maintainer has done what's possible to use those permissions safety, but allows
users to identify that the permissions are used.

The check cannot detect if the "read-only" GitHub permission setting is
enabled, as there is no API available.
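
Review bot: the added paragraph opens with "Though a project's score won't be penalized" but never says which permissions are being forgiven, and it directly follows text describing a one-point reduction, so the two read as contradictory. Suggest naming the case explicitly, for example which job-level permissions now produce a warning instead of a deduction. This hunk carries the same wording as the docs/checks.md hunk, including "safety" for "safely", so any wording fix has to land in both files.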
