Potential fix for code scanning alert no. 7: Workflow does not contain permissions#31
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Codecov Report

✅ All modified and coverable lines are covered by tests.

Coverage Diff:

| | main | #31 | +/- |
|---|---|---|---|
| Coverage | 84.94% | 84.94% | |
| Files | 27 | 27 | |
| Lines | 1647 | 1647 | |
| Hits | 1399 | 1399 | |
| Misses | 170 | 170 | |
| Partials | 78 | 78 | |
Pull request overview
Adds explicit GitHub Actions permissions to address a code scanning alert by enforcing least-privilege GITHUB_TOKEN access across CI workflows.
Changes:
- Add workflow-level `permissions: contents: read` to the main build workflow.
- Add workflow-level `permissions: contents: read` to the Codecov workflow.
- Add job-level `permissions: contents: read` to the `check` job in the preview workflow.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/build.yml | Sets workflow-level contents: read permissions for CI build/test jobs. |
| .github/workflows/codecov.yml | Sets workflow-level contents: read permissions for coverage workflow. |
| .github/workflows/preview.yml | Restricts check job token permissions to contents: read (preview job already overrides to write). |
```yaml
jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
```
In this workflow, permissions are being set at the job level for `check`, but other workflows in this PR set a workflow-level `permissions:` block. To keep least-privilege defaults explicit and avoid duplicating per-job settings, consider moving `permissions: contents: read` to the workflow top level (after `on:`) and letting `preview` override to `contents: write` as it already does.
Suggested change (the job-level block is replaced by a workflow-level one):

Before:

```yaml
jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
```

After:

```yaml
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
```
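Review bot: the `After` block above changes the default for every job in the file, not just `check`, because a workflow-level `permissions:` block that names only `contents: read` sets every other token scope to `none` for jobs that do not declare their own block. The `preview` job is said to override to `contents: write`; since a job-level `permissions:` block replaces the workflow-level one rather than merging with it, check that that override lists every scope `preview` actually uses before merging the suggestion.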
Potential fix for https://github.com/8bitAlex/raid/security/code-scanning/7

Add an explicit workflow-level `permissions` block in `.github/workflows/build.yml` so all jobs inherit least-privilege token access. Best fix here: insert at the top level (after the `on:` block, before `jobs:`) the minimal required scope:

```yaml
permissions:
  contents: read
```

This preserves existing functionality (`actions/checkout`, reading repo content, running build/tests) while preventing accidental broad token access now or in future default changes.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
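As an added example, not code from this pull request, the raid project or Copilot Autofix, the following script performs the check behind the alert discussed above: for each job in a workflow file it reports whether the job's `GITHUB_TOKEN` scopes come from a job-level `permissions:` block, from a workflow-level one, or from the repository default (the case the alert flags). The two workflow texts are constructed samples, not the repository's real `build.yml` or `preview.yml`; the scanner is a small indentation-based reader of the usual workflow layout (top-level keys at column 0, jobs at two spaces, job keys at four) so it runs without PyYAML, and it is not a general YAML parser.

```python
"""Least-privilege check for GitHub Actions workflow files (added example).

Reports, per job, where the job's GITHUB_TOKEN permissions come from:
  "job"      - the job declares its own `permissions:` block
  "workflow" - the job inherits the workflow-level `permissions:` block
  None       - neither exists; the job runs with the repository default
               token scopes, which is what the code-scanning alert flags.
"""
import re
from typing import Dict, List, Optional

# Matches "<indent><key>:<rest>"; list items ("- uses: ...") do not match
# because the key must start right after the indentation.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$")

# Constructed sample: no permissions block anywhere, so the `test` job
# inherits the repository default token scopes.
WEAK_WORKFLOW = """\
name: build
on:
  push:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go test ./...
"""

# Constructed sample: the shape the review suggests, a workflow-level
# read-only default with one job explicitly escalating to contents: write.
FIXED_WORKFLOW = """\
name: preview
on:
  pull_request:
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  preview:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
"""


def audit_permissions(text: str) -> Dict[str, Optional[str]]:
    """Map each job name to "job", "workflow" or None (see module docstring)."""
    workflow_level = False
    in_jobs = False
    current_job: Optional[str] = None
    jobs: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue  # step list items and scalar continuation lines
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            # A new top-level key: remember whether we are inside `jobs:`
            # and whether a workflow-level `permissions:` key exists
            # (either as a mapping or as a scalar such as `read-all`).
            in_jobs = key == "jobs"
            current_job = None
            if key == "permissions":
                workflow_level = True
        elif in_jobs and indent == 2:
            current_job = key
            jobs[key] = None
        elif in_jobs and indent == 4 and current_job and key == "permissions":
            jobs[current_job] = "job"
    if workflow_level:
        for job, source in jobs.items():
            if source is None:
                jobs[job] = "workflow"
    return jobs


def unscoped_jobs(text: str) -> List[str]:
    """Jobs that would run with the default GITHUB_TOKEN permissions."""
    return sorted(j for j, src in audit_permissions(text).items() if src is None)


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(label, audit_permissions(wf), "unscoped:", unscoped_jobs(wf))
```

Running the script on the two samples reports `test` as unscoped in the weak workflow and nothing in the fixed one, where `check` inherits the workflow-level block and `preview` carries its own. Pointing `audit_permissions` at a real file is a matter of reading `.github/workflows/*.yml` into `text`.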