I work on software supply chain security and have been hardening GitHub Actions workflows across OSS projects. Each of these workflows runs without a top-level block, so its inherits the repository (or org) default, which is frequently read/write for all scopes. This PR sets at the workflow level for , which is all these jobs need (checkout plus the build/test steps). Scoping the token to read-only shrinks what a compromised step or dependency can do, a concern made concrete by the March 2025 compromise (CVE-2025-30066), where a leaked write-scoped was the blast radius. No job behavior changes; the steps already only read the repository.
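As an added example (not code from this PR or the vite-benchmark repository), the check below scans a workflow file for the missing top-level permissions block the PR describes, using two constructed workflows: one that inherits the repository default and one scoped to read-only; it also reports any explicit write scopes, so it can be run over a tree of `.github/workflows/*.yml` files during the same hardening pass.

```python
"""Audit a GitHub Actions workflow for a top-level `permissions` block.
Added example; line-based scan, so it needs no YAML library."""
import re

# Constructed sample, "before": no top-level permissions block, so the
# token inherits the repository default (possibly read/write).
BEFORE = """\
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
# Constructed sample, "after": token scoped to read-only at workflow level.
AFTER = """\
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
TOP_LEVEL = re.compile(r"^permissions:\s*(.*)$")  # key must sit at column 0
SCOPE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*$")


def audit_workflow(text: str) -> dict:
    """Report whether permissions are declared and which scopes are write."""
    lines = text.splitlines()
    declared, write_scopes = False, []
    for i, line in enumerate(lines):
        m = TOP_LEVEL.match(line)
        if not m:
            continue
        declared = True
        if m.group(1).strip() == "write-all":  # shorthand for every scope
            write_scopes.append("write-all")
            break
        for nxt in lines[i + 1:]:  # indented scope entries under the key
            if not nxt.startswith((" ", "\t")):
                break  # back at column 0: the block has ended
            s = SCOPE.match(nxt)
            if s and s.group(2) == "write":
                write_scopes.append(s.group(1))
        break
    return {"declared": declared, "write_scopes": write_scopes}
```

A workflow that reports `declared: False` is the case this PR fixes; a non-empty `write_scopes` list is worth a second look to confirm each write scope is actually needed by a job.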
Repository: vitejs/vite-benchmark. Description: Benchmark tool for vitejs/vite Stars: 78, Forks: 8. Primary language: JavaScript. Languages: JavaScript (93.8%), TypeScript (5.6%), CSS (0.4%), HTML (0.2%). License: MIT. Open PRs: 2, open issues: 1. Last activity: 3y ago. Community health: 75%. Top contributors: fi3ework, bluwy, antfu, renovate[bot].