Suggested GITHUB_TOKEN permissions in docs not sufficent to run on (at least) private repo's

[mhuijgen]

It seems that the default permissions given as example in the docs or on the default template when you add the action to your repo are not sufficient on at least private repo's. I have not tested it on a public one.

It seems the default read-only permissions on workflow level has no influence anymore if job specific permissions are set.
I had to add the following to allow the action to run at all without erroring out:

      # To allow GraphQL ListCommits to work
      issues: read
      pull-requests: read

Without these extra permissions it fails very fast with the following error:

Error: RunScorecard: internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
2023/08/17 09:37:40 error during command execution: RunScorecard: internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: Resource not accessible by integration

Also I noticed that without the permission

      # To detect SAST tools
      checks: read

The rule with ruleid SASTID is not working, it auto closes this security issue if I remove this permission.

Full workflow that works for us using the default GITHUB_TOKEN (no checks on branch protection or webhooks since that would require a PAT).

# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Scorecard supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '40 13 * * 1'
  push:
    branches: [ "develop" ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      contents: read
      actions: read
      # To allow GraphQL ListCommits to work
      issues: read
      pull-requests: read
      # To detect SAST tools
      checks: read

    steps:
      - name: "Checkout code"
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

          # Public repositories:
          #   - Publish results to OpenSSF REST API for easy access by consumers
          #   - Allows the repository to include the Scorecard badge.
          #   - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
          publish_results: false

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
        with:
          sarif_file: results.sarif

[mariusfilipowski]

This permission example helped me lot to configure Scorecard in our GHES instance with a private repo. Should be definitely part of the documentation!!!

[faximan]

If someone is using a PAT and is getting the corresponding with the default config on a private repo:

Error: RunScorecard: internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: Resource not accessible by personal access token

I had to grant the following extra permissions to my fine grained PAT:

• Contents: Read-only
• Issues: Read-only
• Pull Requests: Read-only

All three seem to be necessary.