Commit 82127f8
Potential fix for code scanning alert no. 78: Workflow does not contain permissions (#2851)
Potential fix for
[https://github.com/MarkusNeusinger/pyplots/security/code-scanning/78](https://github.com/MarkusNeusinger/pyplots/security/code-scanning/78)
To fix the problem, explicitly define minimal `GITHUB_TOKEN` permissions
for the `build-matrix` job (or at the workflow root). Since this job
only needs to read repository contents (for `actions/checkout` and shell
commands), `contents: read` is sufficient.
The best targeted fix without changing functionality is to add a
`permissions` block under the `build-matrix` job (around line 44),
mirroring the approach used for `preview` and `summary`. We will not
alter any existing steps or logic, only constrain the token.
Concretely:
- In `.github/workflows/bulk-generate.yml`, under `jobs: build-matrix:`
(after `runs-on: ubuntu-latest`), add:
```yaml
permissions:
contents: read
```
- No new imports, secrets, or steps are required; all existing actions
will continue to work with read-only contents access.
_Suggested fixes powered by Copilot Autofix. Review carefully before
merging._
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>1 parent ce3f0d4 commit 82127f8
1 file changed
Lines changed: 2 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
42 | 42 | | |
43 | 43 | | |
44 | 44 | | |
| 45 | + | |
| 46 | + | |
45 | 47 | | |
46 | 48 | | |
47 | 49 | | |
| |||
0 commit comments