Severity: Warning
Files: publish.yml, test.yml, build.yml, dotnet-reflection.yml, winget.yml
Description:
These workflows have no permissions: key, meaning they inherit the repository's default GITHUB_TOKEN permissions (typically read/write on contents). Per SLSA/OSSF best practice, all workflows should declare minimal permissions and elevate only where needed.
Suggested fix:
Add permissions: contents: read at the workflow level and grant additional scopes per-job only where required (e.g., contents: write for push-back jobs).
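As an added illustration (not taken from the repository's own workflow files; the workflow name, trigger, job names and build commands are assumptions), the first document below shows the weak state the finding describes and the second shows the suggested fix applied:

```yaml
# BEFORE (assumed layout): no permissions key, so every job receives the
# repository's default GITHUB_TOKEN permissions, which are often read/write.
name: publish
on:
  push:
    tags: ['v*']
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: dotnet build -c Release

---
# AFTER: least privilege. The workflow-level block applies to every job that
# does not override it and limits the token to read-only repository contents.
# Once any scope is listed, every scope not listed is set to none.
name: publish
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits contents: read from the workflow level; needs nothing more.
    steps:
      - uses: actions/checkout@v4
      - run: dotnet build -c Release
  push-back:
    needs: build
    runs-on: ubuntu-latest
    # Only this job elevates. A job-level permissions block replaces the
    # workflow-level one entirely, so list every scope this job needs here.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          echo "${GITHUB_REF_NAME}" > VERSION   # assumed push-back change
          git add VERSION
          git commit -m "chore: record published version"
          git push
```

A quick audit is to grep each workflow under .github/workflows for a top-level `permissions:` key and treat any file without one as inheriting the repository default.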