[llvm] [Workflows] Improve GitHub Actions Security hardening (PR #117787)
Aiden Grossman via llvm-commits
llvm-commits at lists.llvm.org
Thu Nov 28 12:36:45 PST 2024
https://github.com/boomanaiden154 commented:
Attaching `persist-credentials` to the vast majority of jobs probably does nothing to tangibly improve security as we typically limit `GITHUB_TOKEN` to the `contents: read` permission, which means it shouldn't have access to anything that isn't publicly accessible. Blanket adding it might not be the worst idea, but should be done in a separate patch. I don't think we have any actions running on PRs that have more than read permissions where we use the workflow definition from the PR.
Is this static analyzer widely used anywhere? It doesn't seem to be wildly popular at the moment, and so far it seems to have generated more noise than anything else.
https://github.com/llvm/llvm-project/pull/117787
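As an added illustration of the point made in the comment above (this is example configuration, not part of the PR or the LLVM workflows; the workflow, job and script names are assumed), the value of `persist-credentials: false` depends on what the job-level `permissions` block grants to `GITHUB_TOKEN`:

```yaml
# Example workflow (constructed for illustration, not from the PR).
# The job-level `permissions` block is what bounds GITHUB_TOKEN.
name: pr-checks          # hypothetical workflow name
on:
  pull_request:

jobs:
  # Case 1: read-only token. A token that actions/checkout leaves in
  # .git/config can only read a repository that is already public, so
  # `persist-credentials: false` is a defensive default with little
  # tangible benefit here.
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: ./scripts/lint.sh          # hypothetical script

  # Case 2: write-capable token. This is where the hardening matters:
  # a persisted token would let any later step, or anything it runs,
  # act on the repository with that write permission.
  label:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false    # keep the token out of the checkout
      - run: ./scripts/apply-labels.sh  # hypothetical script
```

A quick check when reviewing such workflows is to read each job's `permissions` block first and only then ask whether a persisted checkout token adds risk in that job.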
More information about the llvm-commits
mailing list