joycebrum opened a new issue, #1289: URL: https://github.com/apache/logging-log4j2/issues/1289
**Warning!** It is highly recommended to discuss feature requests in [the mailing lists](https://logging.apache.org/log4j/2.x/support.html) first.

I'm talking on behalf of Google and the OpenSSF. There is a known issue with GitHub workflows: write permission is granted to all workflows unless defined otherwise. Thus, it is a recommendation from both the [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and [GitHub](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) to always use credentials that are minimally scoped.

I've seen that almost all of the logging-log4j2 workflows already have their permissions minimally scoped, except for codeql, which, although it has the permissions set at the job level, has no top-level permission defined. Just to guarantee that no job eventually added to the workflow will have undesirable write permissions, I'll send a suggestion setting the top-level permission as none.

Feel free to reach out to me in case of any doubts or concerns.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
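To illustrate the shape of the change being proposed, here is an added example workflow that is not the project's actual codeql workflow and not part of the issue above. It shows the pattern the issue describes: an empty top-level `permissions:` block so that `GITHUB_TOKEN` starts with no scopes, with the CodeQL job granting itself only what it needs at the job level. The action versions, job names and trigger branches are assumptions for illustration.

```yaml
# Added example (not the project's actual workflow). Action versions, job
# names and branches are assumptions for illustration.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Top-level default: an empty block gives GITHUB_TOKEN no scopes at all.
# Any job that does not declare its own `permissions:` inherits this empty
# set instead of the repository-wide default, which may be read-write.
permissions: {}

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Job-level grant: only what CodeQL needs. `security-events: write` is
    # required to upload the SARIF results; the rest stays read-only.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: java
      - uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@v2

  # Hypothetical job added later without its own `permissions:` block.
  # With the top-level default above it gets no token scopes, so the
  # omission fails safe rather than silently inheriting write access.
  some-future-job:
    runs-on: ubuntu-latest
    steps:
      - run: echo "runs with no GITHUB_TOKEN permissions"
```

The issue's phrase "top level permission as none" corresponds to `permissions: {}` in workflow YAML; the literal value `none` is accepted per scope (for example `contents: none`) rather than for the whole block. Without the top-level line, a job that omits `permissions:` falls back to the repository's default token permissions, which is exactly the case the Scorecard Token-Permissions check flags.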
