Use read-only permissions in the continuous_integration.yml workflow #1579

@pnacht

Description

Almost all of keras-io's workflows run with safe permissions. However, continuous_integration.yml is currently running with the default write-all token.

This issue can be solved in two ways:

  • add top-level read-only permissions to the workflow; and/or
  • set the default token permissions to read-only in the repo settings.

I'll be sending a PR along with this issue that sets the top-level permissions. If you instead (or also) wish to modify the default token permissions:

  1. Open the repo settings
  2. Go to Actions > General
  3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

This setting can also be set at the org level to protect all of keras-team's repositories. However, this may break workflows in other repos that are currently implicitly relying on the write-all token.

Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.

I'm also working on some of the other keras-team repos to fix similar issues there (keras-team/keras-core#882, keras-team/keras-cv#2075, keras-team/keras-tuner#930, with more to come!).
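As an added illustration (not keras-io's actual continuous_integration.yml, and not the PR mentioned above), the workflow below shows what the first fix from the issue looks like in practice: a top-level `permissions` block that scopes the `GITHUB_TOKEN` down to `contents: read`, plus a per-job override for the rare job that needs a specific write scope. The job contents (the Python setup, the test command, the hypothetical `label-pr` job) are assumptions chosen only to make the file complete; only the `permissions` handling is the point.

```yaml
# Added example, not keras-io's own workflow file. Job bodies are hypothetical.
name: Continuous Integration

on:
  push:
    branches: [master]
  pull_request:

# Top-level default for every job in this workflow. With no `permissions`
# block at all, a repository whose "Workflow permissions" setting is still
# the legacy default hands each job a GITHUB_TOKEN that can write to
# contents, packages, issues, pull requests and more. A job that only
# checks out and tests code needs none of that, so grant read on the
# repository contents and nothing else.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # No job-level `permissions` here, so this job inherits `contents: read`.
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install -r requirements.txt   # hypothetical install step
      - run: pytest                            # hypothetical test step

  # Hypothetical job, included only to show the per-job override. A job
  # that genuinely needs a write scope names it explicitly; a job-level
  # `permissions` block replaces the top-level one entirely, so any read
  # scope the job still relies on (here `contents`) must be restated.
  label-pr:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "a labeling step would go here"
```

Two details worth knowing when applying this pattern: `permissions: {}` at the top level removes every scope and is the right default for workflows whose jobs declare their own, and a job-level block does not merge with the top-level one, so forgetting to restate `contents: read` in a job that overrides permissions will make `actions/checkout` fail on a private repository. The repo-level setting described in the issue is the complementary control: it changes what an unscoped workflow gets by default, while the workflow-level block guarantees the minimal scopes regardless of how that setting is configured.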
