I'm suggesting this change in the CIFuzz example workflow to indicate
the minimal permission needed for the workflow to run and also to follow
the OpenSSF Scorecard Token Permission Check recommendations.
I've tested with
https://github.com/joycebrum/sigstore/actions/runs/4918728701 and the
action ran with success with no permission granted.
the actions/upload-artifact skipped does not need permission to upload
artifacts as can be seen at
https://github.com/joycebrum/sigstore/actions/runs/4928734763
---------
Signed-off-by: Joyce <joycebrum@google.com>
Signed-off-by: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>
Co-authored-by: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>
jonathanmetzman