Issue 126230
Summary [GitHub] Excessive top-level permissions in `libcxx-build-containers` workflow
Labels new issue
Assignees
Reporter AlexeySachkov
The workflow has a job-specific `packages: write` permission to be able to push container images to a registry:

https://github.com/llvm/llvm-project/blob/98e118ca435d280ff1c3540eb5e9b4140b44a1b4/.github/workflows/libcxx-build-containers.yml#L28-L33

However, for some reason it also has a top-level `packages: write` permission:

https://github.com/llvm/llvm-project/blob/98e118ca435d280ff1c3540eb5e9b4140b44a1b4/.github/workflows/libcxx-build-containers.yml#L10-L12

That violates the principle of least privilege and causes the corresponding OpenSSF score to go to zero: https://securityscorecards.dev/viewer/?uri=github.com/llvm/llvm-project

_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
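
The pattern the report describes can be checked mechanically. The following is an added example, not part of the original report or of the LLVM project's code: a simplified scanner run over a constructed workflow in which the same write scope is granted both workflow-wide and on the one job that needs it. The sample workflow, its job name, and the function name `write_scopes` are assumptions made for illustration.

```python
import re

# Constructed sample in the shape the report describes; the job name and steps
# are hypothetical, not the contents of libcxx-build-containers.yml.
SAMPLE_WORKFLOW = """\
on:
  push:
    branches: [main]
permissions:
  packages: write   # workflow-wide: inherited by jobs with no block of their own
jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      packages: write   # job-scoped: only this job's token can push images
    steps:
      - run: echo build
"""

LINE = re.compile(r"^(\s*)([\w-]+):\s*([^#]*?)\s*(#.*)?$")

def write_scopes(workflow_text):
    """Return (workflow_level, per_job) write grants.

    Simplified scan of block-style YAML with two-space indentation; a real
    audit should use a YAML parser.
    """
    top, jobs = [], {}
    section = job = perm_indent = None
    for raw in workflow_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:
            section, job, perm_indent = key, None, None
            if key == "permissions" and value == "write-all":
                top.append("write-all")
        elif section == "permissions" and value == "write":
            top.append(key)
        elif section == "jobs" and indent == 2:
            job, perm_indent = key, None
        elif section == "jobs" and indent == 4 and key == "permissions":
            perm_indent = indent
        elif perm_indent is not None and indent > perm_indent:
            if value == "write":
                jobs.setdefault(job, []).append(key)
        else:
            perm_indent = None
    return top, jobs
```

A non-empty first element of the result is the workflow-level write grant the report objects to; a scope that also appears under a job in the second element is already covered by that job's own block.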
