python-tuf/.github
Jussi Kukkonen f005825955 workflows: Stop pinning actions that are not security relevant
These workflows have no real security relevance (runtime build or test)
in the sense that a compromise in the dependencies could compromise
python-tuf security:
* scorecards
* dependency-review
* codeql-analysis

Stop pinning the actions used in them (except the common actions that
are used everywhere like actions/checkout: use the same version of
those everywhere). The benefit here is fewer Dependabot PRs: If we had
done this from the start we'd have skipped ~70 PRs by now.

The interesting permissions used in these workflows are
 * security-events: write
   This can add things onto the "Security" tab in GitHub
 * id-token: write
   This allows OIDC authentication, but only as this specific workflow

These permissions look completely acceptable to me.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-10-02 13:34:24 +03:00
workflows workflows: Stop pinning actions that are not security relevant 2023-10-02 13:34:24 +03:00
dependabot.yml Have dependabot also monitor actions 2021-09-08 10:56:16 +01:00
ISSUE_TEMPLATE.md Add issue and pull request templates 2017-09-28 17:01:56 -04:00
PULL_REQUEST_TEMPLATE.md Fix automatic issue closing 2020-10-07 13:11:12 +03:00