diogoteles08 opened a new issue, #25641:
URL: https://github.com/apache/beam/issues/25641

   ### What needs to happen?
   
   Hi!
   
   I'd like to suggest the addition of top-level minimal permissions on your 
workflows, as it would harden your security against supply-chain attacks.
   
   I see that some of your workflows have well-defined job-level permissions 
(e.g. 
[assign_milestone.yml](https://github.com/apache/beam/blob/master/.github/workflows/assign_milestone.yml)),
 but others don't have them explicitly defined (e.g. some jobs on 
[build_wheels.yml](https://github.com/apache/beam/blob/master/.github/workflows/build_wheels.yml)),
 and the job's privileges would be determined by GitHub's defaults. If you set 
top-level minimal permissions on a workflow, they would be inherited by all 
jobs with unspecified permissions on that workflow, including newly created 
jobs.
   
   Setting minimum permissions for workflows is recommended by [GitHub 
itself](https://docs.github.com/en/actions/security-guides/automatic-token-authentication)
 and also by other security tools, such as 
[Scorecards](https://github.com/ossf/scorecard) and 
[StepSecurity](https://github.com/step-security). I'd be happy to raise a PR 
with the changes if you agree.
   
   #### Context
   I'm Diogo and I work on Google's Open Source Security 
Team ([GOSST](https://github.com/diogoteles08#about-gosst-ghost)), suggesting and 
implementing security changes on critical open source projects.
   
   ### Issue Priority
   
   Priority: 3 (nice-to-have improvement)
   
   ### Issue Components
   
   - [ ] Component: Python SDK
   - [ ] Component: Java SDK
   - [ ] Component: Go SDK
   - [ ] Component: Typescript SDK
   - [ ] Component: IO connector
   - [ ] Component: Beam examples
   - [ ] Component: Beam playground
   - [ ] Component: Beam katas
   - [ ] Component: Website
   - [ ] Component: Spark Runner
   - [ ] Component: Flink Runner
   - [ ] Component: Samza Runner
   - [ ] Component: Twister2 Runner
   - [ ] Component: Hazelcast Jet Runner
   - [ ] Component: Google Cloud Dataflow Runner


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
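The change the issue proposes, as an added illustration that is not a workflow from apache/beam nor code from the issue author: a hypothetical workflow (`example.yml`, the `build` and `comment` jobs and their steps are invented for this example) with a top-level read-only `permissions` block that every job inherits, plus one job that explicitly elevates the scopes it needs. The `GITHUB_TOKEN` scope names (`contents`, `pull-requests`) are GitHub's own.

```yaml
# example.yml (hypothetical; not from apache/beam)
name: example

on:
  pull_request:
  push:
    branches: [master]

# Workflow-level default for GITHUB_TOKEN. Every job without its own
# `permissions:` block inherits this, including jobs added later.
# Without this key, such jobs fall back to the repository/organization
# default, which may still be the permissive read-write legacy setting.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No `permissions:` here, so the token is `contents: read` only:
    # a compromised dependency or action in this job cannot push,
    # create releases, or comment using GITHUB_TOKEN.
    steps:
      - uses: actions/checkout@v3
      - run: ./gradlew build

  comment:
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one rather than
    # merging with it, and any scope not listed becomes `none`, so list
    # every scope this job needs.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr comment "$PR" --body "Build finished"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```

To confirm what a job actually received, open its "Set up job" log and check the `GITHUB_TOKEN Permissions` section; `permissions: {}` at the top level is the strictest starting point (all scopes `none`), while `permissions: read-all` grants read on every scope.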