Scorecard repo fails at Token-Permissions with score 0

[laurentsimon]

We need to fix this. A cursory read of our workflows:

• Codeql -> contents:read, statuses: writeand possibly security-events: write
• Goreleaser -> contents:read
• Integration -> contents:read, pull-requests:write for this.
• Main -> contents:read, status:write for license part.
• Ok-to-test -> ?
• Stale -> contents:read and issues:write and pull-requests:write
• Verify -> contents:read and statuses:write

We can define permission: to set all permissions to none at the start of the workflows, and then set what we want in each runs. It's fine to set contents:read at the start of workflows, if this helps.

See https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ for more info

[laurentsimon]

@naveensrinivasan , can you handle it?

[laurentsimon]

As we fix this, let's keep a record to explain the permissions we need. Everyone struggles with GitHub permissions AFAIK

[naveensrinivasan]

I will take this.

[naveensrinivasan]

As we fix this, let's keep a record to explain the permissions we need. Everyone struggles with GitHub permissions AFAIK

It would be great to have a tool that will produce the actual permissions needed for these actions.

[azeemshaikh38]

Can we close this issue now? @laurentsimon @naveensrinivasan

[laurentsimon]

yes. Scorecard still gives a score of 0 but it's a bug. Will create an issue for tracking #1400