Commit 6944797
Potential fix for code scanning alert no. 79: Workflow does not contain permissions (#2846)
Potential fix for
[https://github.com/MarkusNeusinger/pyplots/security/code-scanning/79](https://github.com/MarkusNeusinger/pyplots/security/code-scanning/79)
To fix the problem, explicitly restrict the GITHUB_TOKEN permissions for
the `preview` job (and optionally at the workflow root, but the reported
issue is on this job). Since `preview` just reads workflow outputs and
prints them, it only needs read access to repository contents, and in
many cases can even work with `permissions: {}`; however, using
`contents: read` is a clear, minimal, and conventional choice.
Concretely, in `.github/workflows/bulk-generate.yml`, within the
`preview` job definition starting at line 107 (`preview:`), add a
`permissions:` block directly under the existing `needs`/`runs-on`
lines, e.g.:
```yaml
preview:
needs: build-matrix
runs-on: ubuntu-latest
permissions:
contents: read
```
No additional imports, steps, or other definitions are needed; this
change merely constrains the default permissions for that job without
altering its behavior.
_Suggested fixes powered by Copilot Autofix. Review carefully before
merging._
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>1 parent 30c409f commit 6944797
1 file changed
Lines changed: 2 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
107 | 107 | | |
108 | 108 | | |
109 | 109 | | |
| 110 | + | |
| 111 | + | |
110 | 112 | | |
111 | 113 | | |
112 | 114 | | |
| |||
0 commit comments