Skip to content

Commit 82127f8

Browse files
Potential fix for code scanning alert no. 78: Workflow does not contain permissions (#2851)
Potential fix for [https://github.com/MarkusNeusinger/pyplots/security/code-scanning/78](https://github.com/MarkusNeusinger/pyplots/security/code-scanning/78) To fix the problem, explicitly define minimal `GITHUB_TOKEN` permissions for the `build-matrix` job (or at the workflow root). Since this job only needs to read repository contents (for `actions/checkout` and shell commands), `contents: read` is sufficient. The best targeted fix without changing functionality is to add a `permissions` block under the `build-matrix` job (around line 44), mirroring the approach used for `preview` and `summary`. We will not alter any existing steps or logic, only constrain the token. Concretely: - In `.github/workflows/bulk-generate.yml`, under `jobs: build-matrix:` (after `runs-on: ubuntu-latest`), add: ```yaml permissions: contents: read ``` - No new imports, secrets, or steps are required; all existing actions will continue to work with read-only contents access. _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent ce3f0d4 commit 82127f8

1 file changed

Lines changed: 2 additions & 0 deletions

File tree

.github/workflows/bulk-generate.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,8 @@ jobs:
4242
# ============================================================================
4343
build-matrix:
4444
runs-on: ubuntu-latest
45+
permissions:
46+
contents: read
4547
outputs:
4648
matrix: ${{ steps.build.outputs.matrix }}
4749
count: ${{ steps.build.outputs.count }}

0 commit comments

Comments
 (0)