Set up permissions to build.yml

[joycebrum]

I'd like to suggest definition of minimal permissions for build.yml cause it will increase pacparser supply chain security.

This is considered a security concern because Github grants write-all permission to all workflows, which allows an attacker to exploit this permissions in case of a compromised workflow. Thus, it is both a recommendation from the OpenSSF Scorecard and the Github itself to always use credentials that are minimally scoped.

This means setting the top level permission as contents: read (usually enough to most actions) or even read-all, and grant any write permission at the job level

Let me know if you are interested in this change and I'll submit the PR as soon as possible.

Context: I'm Joyce, working on behalf of Google and the OpenSSF to increase supply chain security in many open source projects.

[manugarg]

Thanks for filing this, @joycebrum!

This makes sense. In pacparser's case it's probably pretty straight-forward. We can just give only read only permissions to the Github actions in settings (I just did that). Is that sufficient? If not, please feel free to send a PR.

PS. By the way, do you work with Andrew Pollock at all. IIRC, he was working on something similar now at Google.

[joycebrum]

It is good to do it but it always a good practice to set the permissions on the workflow, always to be transparent to anyone looking at the repo which permissions this workflow have.

I'll submit a PR but it will be just an extra, your setting change already made the workflow secure.

[joycebrum]

Ah I forgot to answer about Andrew Pollock, he is in my team (GOSST - Google Open Source Security Team) and we interact with each other from time to time (discussing some security practices and the real security reasons), but we are not in constant contact though. 😄