<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href="https://github.com/llvm/llvm-project/issues/126230">126230</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[GitHub] Excessive top-level permissions in `libcxx-build-containers` workflow
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
AlexeySachkov
</td>
</tr>
</table>
<pre>
The workflow has job-specific `packages: write` permissions to be able to push container images to a registry:
https://github.com/llvm/llvm-project/blob/98e118ca435d280ff1c3540eb5e9b4140b44a1b4/.github/workflows/libcxx-build-containers.yml#L28-L33
However, for some reason it also has top-level `packages: write` permissions:
https://github.com/llvm/llvm-project/blob/98e118ca435d280ff1c3540eb5e9b4140b44a1b4/.github/workflows/libcxx-build-containers.yml#L10-L12
That violates the principle of least privilege and causes the corresponding OpenSSF score to go to zero: https://securityscorecards.dev/viewer/?uri=github.com/llvm/llvm-project
</pre>
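<p>As an added illustration (not code from the issue and not the llvm-project workflow), the script below scans a GitHub Actions workflow for write scopes in the top-level <code>permissions:</code> block, which is the pattern the report describes. Top-level permissions are inherited by every job that does not declare its own, so a write scope there is in effect for jobs that never need it. The two workflow texts are constructed to show the weak shape beside the hardened one, where the top level is reduced to <code>contents: read</code> and <code>packages: write</code> stays only on the job that pushes images. The line-based scan is deliberately minimal and assumes the common indentation layout; it is not a full YAML parser.</p>

```python
"""Flag write scopes in a workflow's top-level `permissions:` block.

Added example. WEAK and HARDENED are constructed workflow texts that mirror
the pattern in the report; they are not the real libcxx-build-containers.yml.
"""
import re

# Matches `  scope: read|write|none` lines inside a permissions mapping.
PERM_LINE = re.compile(r"^\s*([A-Za-z-]+):\s*(read|write|none)\s*$")

WEAK = """\
name: Build containers (constructed example)
on:
  push:
    branches: [main]

permissions:
  packages: write

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
      - uses: actions/checkout@v4
"""

HARDENED = """\
name: Build containers (constructed example)
on:
  push:
    branches: [main]

# Default for every job: only what is needed to read the repository.
permissions:
  contents: read

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _read_perms(lines, i):
    """Parse the permissions entry starting at lines[i]; return (dict, next index).

    Handles the mapping form and the scalar forms write-all / read-all / {}.
    """
    base = _indent(lines[i])
    scalar = lines[i].strip()[len("permissions:"):].strip()
    if scalar:
        if scalar == "write-all":
            return {"*": "write"}, i + 1
        if scalar == "read-all":
            return {"*": "read"}, i + 1
        return {}, i + 1  # `{}` or another empty form
    perms = {}
    i += 1
    while i < len(lines):
        line = lines[i]
        if line.strip() and _indent(line) <= base:
            break  # dedent ends the mapping
        m = PERM_LINE.match(line)
        if m:
            perms[m.group(1)] = m.group(2)
        i += 1
    return perms, i


def permission_blocks(text):
    """Return (top_level_perms or None, {job_name: job_perms})."""
    lines = text.splitlines()
    top, jobs = None, {}
    in_jobs, job = False, None
    i = 0
    while i < len(lines):
        line = lines[i]
        stripped = line.strip()
        indent = _indent(line)
        if not stripped or stripped.startswith("#"):
            i += 1
            continue
        if indent == 0:
            in_jobs, job = stripped == "jobs:", None
            if stripped.startswith("permissions:"):
                top, i = _read_perms(lines, i)
                continue
        elif in_jobs and indent == 2 and stripped.endswith(":"):
            job = stripped[:-1]
            jobs[job] = {}
        elif job and indent == 4 and stripped.startswith("permissions:"):
            jobs[job], i = _read_perms(lines, i)
            continue
        i += 1
    return top, jobs


def top_level_writes(text):
    """Scopes granted `write` to every job by the top-level block."""
    top, _ = permission_blocks(text)
    return sorted(k for k, v in (top or {}).items() if v == "write")


def job_writes(text):
    """Per-job write scopes, for comparison with the top-level grant."""
    _, jobs = permission_blocks(text)
    return {j: sorted(k for k, v in p.items() if v == "write") for j, p in jobs.items()}


if __name__ == "__main__":
    for name, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "top-level writes:", top_level_writes(wf), "jobs:", job_writes(wf))
```

<p>Running it reports <code>['packages']</code> at top level for the weak workflow and nothing for the hardened one, while both keep <code>packages: write</code> on the build-and-push job; a non-empty top-level list is the condition the OpenSSF Token-Permissions check penalises.</p>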