OpenSSF scorecard "Token-permissions" score zero

Hello there :wave:,

Today in the Node.js security meeting we discussed that the undici project score had dropped due to a change in the workflows. This seems to be related to the following [commit](https://github.com/nodejs/undici/commit/3be7ec9bcc4679a827199a2aea3f0f1bfbdaf325).

![image](https://github.com/nodejs/undici/assets/4438263/ec1d6e60-4240-44f9-bfc2-8bd993b10aad)

[Full report here](https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/nodejs/undici/compare/dae31826560112ccf1244172e398fc7d2fce075d/7485cd9b4cf9a86cb76b1597df527eba15755bfc)

1. [nightly.yml](https://github.com/nodejs/undici/blob/main/.github/workflows/nightly.yml) and [test.yml](https://github.com/nodejs/undici/blob/main/.github/workflows/test.yml) seems to lack global permissions

```yml
permissions:
  contents: read
```

2. In **nodejs.yml** we have warnings to reviews the following permission.

https://github.com/nodejs/undici/blob/d3d24e2722046733f4f78a273423f10d0107e74f/.github/workflows/nodejs.yml#L102-L105

[Github Action Merge Dependabot](https://github.com/fastify/github-action-merge-dependabot?tab=readme-ov-file#usage) require `pull-requests` and `contents` (not sure if `actions` is required). These warnings are **perhaps to be ignored**.

@nodejs/security-wg


	permissions:
	contents: write
	pull-requests: write
	actions: write

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

OpenSSF scorecard "Token-permissions" score zero #3012

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

OpenSSF scorecard "Token-permissions" score zero #3012

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions