docs: add security recommendations for SHA pinning and permissions#172
Open
chad-loder wants to merge 1 commit intofreckle:mainfrom
Open
docs: add security recommendations for SHA pinning and permissions#172chad-loder wants to merge 1 commit intofreckle:mainfrom
chad-loder wants to merge 1 commit intofreckle:mainfrom
Conversation
z0isch
requested review from
a team and
joris974
and removed request for
a team and
z0isch
joris974
reviewed
Mar 20, 2025
| Restrict the workflow permissions to only what is needed: | ||
|
|
||
| ```yaml | ||
| permissions: |
Member
There was a problem hiding this comment.
Great call. Please feel free to include these permissions restrictions in the template in the Usage section of this README. Thank you
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds a new 'Security Recommendations' section to the README that covers two important security best practices: 1) SHA Pinning - Using full commit SHAs instead of version tags to protect against supply chain attacks; 2) Minimal Permissions - Restricting workflow permissions to only what's necessary.