3da3d82320
Summary: This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows. GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows - https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ - https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token - The Open Source Security Foundation (OpenSSF) [Scorecards](https://github.com/ossf/scorecard) treats not setting token permissions as a high-risk issue This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security. Signed-off-by: Varun Sharma <varunsh@stepsecurity.io> ## Changelog [General] [Security] - Add GitHub token permissions for workflows <!-- Help reviewers and the release process by writing your own changelog entry. For an example, see: https://github.com/facebook/react-native/wiki/Changelog --> Pull Request resolved: https://github.com/facebook/react-native/pull/34122 Test Plan: N/A Reviewed By: cipolleschi Differential Revision: D37597988 Pulled By: cortinico fbshipit-source-id: 2f45914e2202a7b5bf7fa60b019dd12cdcf31952 |
||
|---|---|---|
| .. | ||
| ISSUE_TEMPLATE | ||
| workflows | ||
| CODEOWNERS | ||
| ISSUE_TEMPLATE.md | ||
| PULL_REQUEST_TEMPLATE.md | ||
| SUPPORT.md | ||
| respond-to-issue-based-on-label.yml | ||