This repository was archived by the owner on May 2, 2024. It is now read-only.

ci: Add GitHub token permissions for workflows #14240

Closed
wants to merge 1 commit into from

Conversation

varunsh-coder

This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.

GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

Signed-off-by: Varun Sharma [email protected]


@Bo98
Member

Bo98 commented Jul 4, 2022

Change in general looks good (you can probably get away with metadata-only in some cases but there's nothing exactly secret about contents in a public repo anyway).

Can you please however submit the PR to https://github.com/Homebrew/homebrew-cask instead? It will auto-sync here when merged.
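The shape of the change the PR describes, as an added example rather than the PR's own diff (the workflow, job and step names, the test script and the label are assumptions): a top-level `permissions:` block that drops every GITHUB_TOKEN scope, with each job granting back only what it needs. The `{}` form is the metadata-only setting Bo98 mentions above.

```yaml
# Added example, not the PR's diff or the project's workflow. The
# workflow, job and step names below are invented for illustration.
name: example-ci

on:
  pull_request:

# Before (weak): with no top-level `permissions:` key, every job
# inherits the repository's default GITHUB_TOKEN scopes. On a
# repository whose default is the permissive preset, that is the same
# as writing:
#
#   permissions: write-all
#
# After (hardened): grant nothing at the top level and scope each job
# to what it actually uses. `{}` is the "metadata-only" setting:
# metadata: read is always granted and cannot be removed.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    # Checking out a public repository only needs read access to
    # contents; a plain test run needs no other API scope.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
      - run: ./run-tests.sh   # placeholder for the project's test step

  label:
    runs-on: ubuntu-latest
    # A job that writes back to the pull request gets the write scope
    # at the job level only, so the token handed to the `test` job
    # above cannot modify the PR even if a step there misbehaves.
    permissions:
      pull-requests: write
    steps:
      - run: gh pr edit "$PR" --add-label needs-review
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```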

@varunsh-coder
Author

> Change in general looks good (you can probably get away with metadata-only in some cases but there's nothing exactly secret about contents in a public repo anyway).
>
> Can you please however submit the PR to https://github.com/Homebrew/homebrew-cask instead? It will auto-sync here when merged.

ok, I will submit the PR to https://github.com/Homebrew/homebrew-cask

@carlocab
Member

carlocab commented Jul 4, 2022

> ok, I will submit the PR to https://github.com/Homebrew/homebrew-cask

Thanks! Btw, your list of 100 critical projects should probably be referencing homebrew-cask and not homebrew-cask-versions (this repo).

@varunsh-coder
Author

Created PR at Homebrew/homebrew-cask#127104

@varunsh-coder
Author

> ok, I will submit the PR to https://github.com/Homebrew/homebrew-cask
>
> Thanks! Btw, your list of 100 critical projects should probably be referencing homebrew-cask and not homebrew-cask-versions (this repo).

I can pass on the message to the OSSF Securing Critical Projects working group. I took the spreadsheet of top critical projects from there. https://github.com/ossf/wg-securing-critical-projects

How should I explain it to them? Is homebrew-cask-versions updated automatically based on changes to homebrew-cask?

@carlocab
Member

carlocab commented Jul 4, 2022

> I can pass on the message to the OSSF Securing Critical Projects working group. I took the spreadsheet of top critical projects from there. https://github.com/ossf/wg-securing-critical-projects
>
> How should I explain it to them? Is homebrew-cask-versions updated automatically based on changes to homebrew-cask?

I think that is a mistake. homebrew-cask seems to be included based on the criticality score computed from here. If you look at the OSSF list of projects with high criticality scores, you'll see that they correctly reference homebrew-cask and not homebrew-cask-versions.

Also, if you compute the current criticality scores, homebrew-cask has a much higher score than homebrew-cask-versions. This makes sense, since -versions is essentially just a derivative of the main repository.

@Bo98
Member

Bo98 commented Jul 4, 2022

> Is homebrew-cask-versions updated automatically based on changes to homebrew-cask?

No. Only CI, documentation, issue templates etc.

@Bo98 Bo98 closed this Jul 4, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 4, 2022
4 participants