Merged
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
@@ -22,4 +22,4 @@

jobs:
lint:
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@b912c36872c2ee7c67d5a8a8478382301e9e3060
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@d1e85a08791c06db486a7943658d5090c27339db
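Review bot: the bump is pinned by full commit SHA, which is the right way to reference a third-party reusable workflow, but the `uses:` line carries no comment saying which tag or release of 8hobbies/workflows `d1e85a08791c06db486a7943658d5090c27339db` corresponds to, so a reviewer cannot tell from the diff whether this is a patch bump or a major one; a trailing `# <release tag>` comment (placeholder) on the line would fix that. Separately, the caller still declares no `permissions:` block, so the GITHUB_TOKEN forwarded to npm-lint.yml inherits whatever the repository default is; the CodeQL finding below is about exactly this.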

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 2 months ago

In general, this problem is fixed by explicitly adding a permissions block either at the root of the workflow (applies to all jobs without their own permissions) or at the specific job level, and setting the least privileges needed. For a lint workflow that only needs to read source code and dependencies, contents: read (and optionally other read-only scopes like packages: read if required) is typically sufficient.

The minimal, least-privilege change here is to add a top-level permissions: block below the on: section in .github/workflows/lint.yml. This will apply to the lint job (which uses a reusable workflow) unless that reusable workflow further restricts permissions. No existing functionality in this file changes, because the job definition (uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@...) remains untouched; we only constrain the GITHUB_TOKEN. Concretely, update .github/workflows/lint.yml by inserting:

permissions:
  contents: read

at the root level, aligned with name, on, and jobs. No imports, methods, or additional definitions are required beyond that YAML addition.

Suggested changeset 1
.github/workflows/lint.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -20,6 +20,9 @@
   pull_request:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@d1e85a08791c06db486a7943658d5090c27339db
EOF
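Review bot: a root-level `permissions: contents: read` is the right shape for a single-job caller, but one caveat before applying it: the permissions a caller grants are a ceiling for the called reusable workflow, which can only use scopes equal to or lower than what it receives. If the pinned npm-lint.yml needs anything beyond `contents: read` (writing check annotations to a pull request, for instance), the job will fail with a permissions error after this change rather than silently running with more. Check that file's own `permissions:` before merging the autofix. Also note the context line carries the post-bump SHA, so the patch applies cleanly only on top of this commit.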
Copilot is powered by AI and may make mistakes. Always verify output.
2 changes: 1 addition & 1 deletion .github/workflows/pages.yml
@@ -25,4 +25,4 @@ jobs:
permissions:
pages: write
id-token: write
uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@b912c36872c2ee7c67d5a8a8478382301e9e3060
uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@d1e85a08791c06db486a7943658d5090c27339db
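Review bot: this is the one workflow in the set with an explicit job-level `permissions:` block (`pages: write`, `id-token: write`), which is why no CodeQL finding is attached to it; as with the other `uses:` bumps in this change, a comment naming the release the new SHA corresponds to would help future review. One check worth making: a job-level block sets every scope it does not list to none, so `contents` is none for this job, and the pinned npm-doc-pages.yml must not depend on receiving `contents: read` from the caller.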
2 changes: 1 addition & 1 deletion .github/workflows/publish-dry-run.yml
@@ -22,4 +22,4 @@

jobs:
run:
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@b912c36872c2ee7c67d5a8a8478382301e9e3060
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@d1e85a08791c06db486a7943658d5090c27339db

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 2 months ago

In general, to fix this class of issue you add a permissions key either at the top level of the workflow (to apply to all jobs) or inside a specific job (to apply only to that job). The values under permissions should be the minimum scopes required, typically starting with contents: read and adding any necessary write scopes only if the workflow actually needs them.

For this specific workflow, we should add a top-level permissions block so that it applies to the single run job that calls the reusable workflow. Because we don’t see any other requirements in this file, and we must avoid assuming extra behavior, we will set the minimal commonly safe baseline: contents: read. This matches GitHub’s recommended starting point for most workflows and strictly limits GITHUB_TOKEN compared to a potential default of full read-write. Concretely, in .github/workflows/publish-dry-run.yml we’ll insert:

permissions:
  contents: read

between the name: block and the on: block (lines 15–17). No imports or additional methods are needed; this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/publish-dry-run.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-dry-run.yml b/.github/workflows/publish-dry-run.yml
--- a/.github/workflows/publish-dry-run.yml
+++ b/.github/workflows/publish-dry-run.yml
@@ -14,6 +14,9 @@
 
 name: Publish Dry Run
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["master"]
EOF
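Review bot: this autofix inserts the `permissions:` block between `name:` and `on:`, while the equivalent autofixes for lint.yml and runtime.yml place it after `on:`; both are valid YAML and both behave the same, but settle on one placement across the repository so a missing block stands out at a glance in future reviews. The same ceiling caveat applies here as to every caller: the pinned npm-publish-dry-run.yml can use at most the scopes this block grants.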
2 changes: 1 addition & 1 deletion .github/workflows/publish.yml
@@ -19,6 +19,6 @@
tags: ["v*"]
jobs:
build:
uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@b912c36872c2ee7c67d5a8a8478382301e9e3060
uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@d1e85a08791c06db486a7943658d5090c27339db
secrets:
npm-auth-token: ${{ secrets.NPM_TOKEN }}
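Review bot: this is the job that forwards `secrets.NPM_TOKEN` to the reusable workflow, so the pin matters most in this file: a full SHA cannot change underneath you, but it only protects the publish token if the commit at `d1e85a08791c06db486a7943658d5090c27339db` was actually reviewed when it was pinned. Verify the SHA against the intended 8hobbies/workflows release before merging. No Copilot autofix was generated for this file, so the `permissions:` block the CodeQL finding asks for needs a manual edit; `contents: read` at the root is the same starting point as for the other files, subject to whatever the pinned npm-publish.yml itself requires.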

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
2 changes: 1 addition & 1 deletion .github/workflows/runtime.yml
@@ -22,4 +22,4 @@

jobs:
test:
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@b912c36872c2ee7c67d5a8a8478382301e9e3060
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@d1e85a08791c06db486a7943658d5090c27339db

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 2 months ago

In general, the fix is to explicitly declare permissions for the GITHUB_TOKEN either at the root of the workflow (applying to all jobs) or within the specific job. This avoids inheriting broad default permissions from the repository or organization and documents the minimal access needed. For a workflow whose only job delegates to a reusable workflow, a safe starting point is permissions: contents: read, which matches GitHub’s recommended minimal default for read-only access.

For this file, the most targeted fix without changing functionality is to add a permissions block at the workflow root, just below the on: block and above jobs:. Since we cannot see any operations here that require write access (the actual logic lives in the referenced reusable workflow), the least-privilege reasonable default is:

permissions:
  contents: read

This ensures the top-level workflow’s GITHUB_TOKEN has only read access to repository contents, while still allowing the workflow to run and call the reusable workflow. If the reusable workflow itself needs additional scopes, it can define them internally; setting minimal permissions here does not prevent that, as reusable workflows can request additional permissions they require.

Concretely:

  • Edit .github/workflows/runtime.yml.
  • Insert a permissions: mapping between the on: block (lines 17–21) and the jobs: block (line 23).
  • No imports or other definitions are needed; this is purely a YAML configuration change in the workflow file.
Suggested changeset 1
.github/workflows/runtime.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/runtime.yml b/.github/workflows/runtime.yml
--- a/.github/workflows/runtime.yml
+++ b/.github/workflows/runtime.yml
@@ -20,6 +20,9 @@
   pull_request:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@d1e85a08791c06db486a7943658d5090c27339db
EOF
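Review bot: the patch itself is fine, but the explanation above it states that a reusable workflow can request additional permissions it requires, and that is not how reusable workflows behave. The caller's `permissions:` is an upper bound; the called workflow can only reduce the scopes it receives, never add to them. So this block is safe only if npm-runtime.yml needs no more than `contents: read`, which is worth confirming in the pinned file before applying.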
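The three Copilot comments on lint.yml, publish-dry-run.yml and runtime.yml all describe the same fix: a `permissions:` block at the workflow root or on every job. The script below is an added example, not code from this PR or from 8hobbies/workflows, that audits a `.github/workflows/` directory for files that would trip the CodeQL finding, so the check can be run locally before CodeQL does. It assumes the conventional two-space indentation (root keys at column 0, job ids at two spaces, job-level keys at four); the sample workflows written by `make_sample_workflows` are constructed for the demo, modelled on the shapes visible in this diff, and the all-zero SHA in them is a placeholder, not a real commit.

```shell
#!/bin/sh
# Added example, not code from this PR or from 8hobbies/workflows: audit a
# .github/workflows directory for files that would trip CodeQL's
# "Workflow does not contain permissions" finding. A file passes when it
# has a root-level `permissions:` block or when every job declares its own.
# Assumption: conventional two-space indentation (root keys at column 0,
# job ids at two spaces, job-level keys at four).

check_workflow_permissions() {
  # returns 0 if "$1" constrains GITHUB_TOKEN, 1 if it leaves the default
  awk '
    /^permissions:/               { top = 1 }
    /^jobs:/                      { injobs = 1; next }
    injobs && /^[^ #]/            { injobs = 0 }   # next root key ends jobs
    injobs && /^  [^ #][^:]*:/    { jobs++ }       # a job id
    injobs && /^    permissions:/ { jobperms++ }   # job-level block
    END {
      if (top || (jobs > 0 && jobperms == jobs)) exit 0
      exit 1
    }
  ' "$1"
}

audit_workflows() {
  # prints one line per offending file; returns 1 if any was found
  rc=0
  for f in "$1"/*.yml "$1"/*.yaml; do
    [ -f "$f" ] || continue
    if ! check_workflow_permissions "$f"; then
      printf 'missing permissions: %s\n' "$f"
      rc=1
    fi
  done
  return "$rc"
}

make_sample_workflows() {
  # Constructed samples shaped like the workflows in this diff; the SHA is
  # a placeholder, not a real 8hobbies/workflows commit.
  sha=0000000000000000000000000000000000000000
  # unconstrained caller, as lint.yml is before the autofix
  cat > "$1/lint.yml" <<EOF
name: Lint
on:
  pull_request:
    branches: ["master"]

jobs:
  lint:
    uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@$sha
EOF
  # job-level block, as pages.yml already has
  cat > "$1/pages.yml" <<EOF
name: Pages
on:
  push:
    branches: ["master"]

jobs:
  build:
    permissions:
      pages: write
      id-token: write
    uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@$sha
EOF
  # root-level block, as runtime.yml looks after the autofix
  cat > "$1/runtime.yml" <<EOF
name: Runtime
on:
  push:

permissions:
  contents: read

jobs:
  test:
    uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@$sha
EOF
  # two jobs, only one constrained: still flagged
  cat > "$1/mixed.yml" <<EOF
name: Mixed
on:
  push:

jobs:
  build:
    permissions:
      contents: read
    uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@$sha
  release:
    uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@$sha
EOF
}

demo() {
  dir=$(mktemp -d)
  make_sample_workflows "$dir"
  audit_workflows "$dir" || true
  rm -rf "$dir"
}

demo
```

Run it as `sh audit.sh` for the built-in demo, or source it and call `audit_workflows .github/workflows` in a checkout; a non-zero exit from `audit_workflows` is the signal to wire into a pre-commit hook. The job-counting rule is what makes the pages.yml case pass and the two-job mixed case fail, matching what CodeQL reports for each.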