Skip to content

Commit 6944797

Browse files
Potential fix for code scanning alert no. 79: Workflow does not contain permissions (#2846)
Potential fix for [https://github.com/MarkusNeusinger/pyplots/security/code-scanning/79](https://github.com/MarkusNeusinger/pyplots/security/code-scanning/79) To fix the problem, explicitly restrict the GITHUB_TOKEN permissions for the `preview` job (and optionally at the workflow root, but the reported issue is on this job). Since `preview` just reads workflow outputs and prints them, it only needs read access to repository contents, and in many cases can even work with `permissions: {}`; however, using `contents: read` is a clear, minimal, and conventional choice. Concretely, in `.github/workflows/bulk-generate.yml`, within the `preview` job definition starting at line 107 (`preview:`), add a `permissions:` block directly under the existing `needs`/`runs-on` lines, e.g.: ```yaml preview: needs: build-matrix runs-on: ubuntu-latest permissions: contents: read ``` No additional imports, steps, or other definitions are needed; this change merely constrains the default permissions for that job without altering its behavior. _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent 30c409f commit 6944797

1 file changed

Lines changed: 2 additions & 0 deletions

File tree

.github/workflows/bulk-generate.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -107,6 +107,8 @@ jobs:
107107
preview:
108108
needs: build-matrix
109109
runs-on: ubuntu-latest
110+
permissions:
111+
contents: read
110112

111113
steps:
112114
- name: Preview generation plan

0 commit comments

Comments
 (0)