improve OpenSSF scorecard: tighten token permissions and add build provenance

Move write permissions from workflow top-level to job-level in cflite_batch, cflite_pr, and release-docker workflows. Add sigstore build provenance attestation to the release workflow via actions/attest-build-provenance. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-26 19:34:51 -07:00 · 2026-03-26 19:34:51 -07:00 · 3e0569d741
commit 3e0569d741
parent bfcec88482
4 changed files with 14 additions and 3 deletions
--- a/.github/workflows/cflite_batch.yml
+++ b/.github/workflows/cflite_batch.yml
@ -5,11 +5,12 @@ on:

 permissions:
  contents: read
-  security-events: write

 jobs:
  BatchFuzzing:
    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/cflite_pr.yml
+++ b/.github/workflows/cflite_pr.yml
@ -7,11 +7,12 @@ on:

 permissions:
  contents: read
-  security-events: write

 jobs:
  PR:
    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
      cancel-in-progress: true
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@ -20,12 +20,14 @@ on:
 ###############################################################################
 permissions:
  contents: read       # needed for checkout + GH API
-  packages: write      # push to ghcr.io

 ###############################################################################
 jobs:
  build-and-push:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write    # push to ghcr.io

    steps:
    # -----------------------------------------------------------------------
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -354,6 +354,8 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: write
+      id-token: write
+      attestations: write
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - name: Determine tag
@ -398,3 +400,8 @@ jobs:
          allowUpdates: true
          generateReleaseNotes: false
          artifacts: target/release/**
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: 'target/release/*'