<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
<a href="https://github.com/llvm/llvm-project/issues/60750">60750</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Feat: Add Top Level Token Permissions to GitHub Workflows
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          joycebrum
      </td>
    </tr>
</table>

<pre>
    ### Description

Hi, I work on behalf of Google and the OpenSSF to help open source projects improve their supply chain security.

Looking into some potential security improvements the [Scorecard tool](https://github.com/ossf/scorecard) suggests, I saw that the top-level permissions are not set on the project's GitHub Actions workflows, so all write permissions are given ([Token-Permissions check explanation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions)).

There are some risks involved in having overly permissive workflows, such as:

- `statuses` - May allow an attacker to change the result of pre-submit checks and get a PR merged.
- `checks` - May allow an attacker to remove pre-submit checks and introduce a bug.
- `security-events` - May allow an attacker to read vulnerability reports before a patch is available. Should only be granted to recognized actions for uploading SARIF results.
- `deployments` - May allow an attacker to charge the repo owner by triggering VM runs, and there is a tiny chance that an attacker can trigger a remote service with code they own if the server accepts code/location variables unsanitized.
- `contents` - Allows an attacker to commit unreviewed code. Should only be granted to recognized packaging actions or commands.
- `packages` - Allows an attacker to publish packages. Should only be granted to recognized packaging actions or commands.
- `actions` - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.


If it is ok for you, let me know and I'll suggest a PR with the top-level permissions set and all run-level permissions configured as needed.

### Additional Content
[About Permissions on GHA](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions)
`Use credentials that are minimally scoped` at [GitHub Security Guides](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets)
[GitHub Security Guides - Restricting Permissions for Tokens](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#restricting-permissions-for-tokens)

</pre>
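<p>The following workflow is an added illustration of the change the issue proposes; it is not code from the LLVM project or from the issue author, and the workflow name, job names, build script and action versions are assumed for the example. It sets a read-only <code>GITHUB_TOKEN</code> at the top level and then re-grants a single write scope to the one job that needs it.</p>

```yaml
# Added example: a workflow with explicit token permissions.
# Names, the ./build.sh script and the action versions are illustrative.
name: ci

on: [pull_request]

# Top-level permissions apply to every job that does not declare its own.
# Without this key the token's scopes fall back to the repository's Actions
# settings, which the issue reports as write on every scope for this project.
# `permissions: {}` would instead grant nothing at all.
permissions:
  contents: read

jobs:
  build:
    # Inherits `contents: read` from the top level: enough to check out
    # the source, but unable to push, publish packages or alter statuses.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: ./build.sh

  codeql:
    runs-on: ubuntu-latest
    # A job-level block replaces the top-level one for this job only; every
    # scope not listed here becomes `none`, so `contents: read` is restated.
    # `security-events: write` is the scope a SARIF upload needs and is
    # granted only to this recognized code-scanning action.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: cpp
      - uses: github/codeql-action/analyze@v2
```

<p>Two practical checks: the Scorecard CLI will report the result of this change with <code>scorecard --repo=github.com/llvm/llvm-project --checks=Token-Permissions</code>, and a job that starts failing with a 403 after the change is the signal that it needs its own job-level <code>permissions</code> block rather than a widening of the top-level one.</p>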