Asks for updates to this package's repository security.

[amaranthjinn]

Hi, our project utilizes a lot of dash plotly packages (really appreciate all your work!), and would like to leverage dash-ag-grid for some new functionalities under design/development.
However, we are concerned about the security setup of this repository, and the risk of future bad changes making into the package.
We used the tool https://github.com/ossf/scorecard to help us assess the repository security.
Some of the major concerning areas are:

1. branch protection - the 'main' branch is not under any branch protection rule that governs write access and how changes make into releases. The recommendation is https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.
2. token permission -
   Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:13
   Warn: no topLevel permission defined: .github/workflows/python-test.yml:1
   Warn: no topLevel permission defined: .github/workflows/release.yml:1
   Which can be easily mitigated, see https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions.

Can you let me know if those security configurations can be updated soon? As it is, we would like to use the dash-ag-grid but cannot due to the security concerns (given the rise of software pipeline attacks).

[gvwilson]

Thanks for your comment - I've added it to the pile to discuss once we get the Plotly 3.0 release out the door (which should be in the next couple of weeks).

[amaranthjinn]

Thank you! Looking forward to the good news, keep me updated :)

[amaranthjinn]

Hi, is there some update for this repo security request? We have some project decision pending, would really love to be able to move forward with this security concern resolved. Thank you!

[t1nfoil]

set up branch protection rule for main, requiring PR + approval/review

[gvwilson]

@amaranthjinn please check that we've protected the master branch as you want and that the changes in #344 will satisfy your requirements - thank you.

[amaranthjinn]

The score has improved to 6.6 from 5.1. For break-down:

• branch protection is at 5/10
  Warn: codeowners review is required - but no codeowners file found in repo Warn: 'last push approval' is disable on branch 'main' Warn: no status checks found to merge onto branch 'main'.

• signed release is 0/10

• token permission 9/10
  Warn: jobLevel 'contents' tokens with excessive permission set to 'write': permissions .github/workflows/build.yml:17
  Warn: no topLevel permission defined: .github/workflows/build.yml:1 Warn: no topLevel permission defined: .github/workflows/publish-to-pypi.yml:1

• dependency update tool is 0/10

Can we make improvement on some of the above areas so the overall score can be above 7.5?