Excerpt from `.github/workflows/maven.yml` (the `build` job, as it stood before the change):

```yaml
    name: Build FormKiQ API JWT
    runs-on: ubuntu-latest
    strategy:
      matrix:
        java: [ 17, 21 ]
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: ${{ matrix.java }}
          distribution: 'temurin'
          cache: maven
      - name: Build with Maven
        run: mvn -B package --no-transfer-progress --file pom.xml
```
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix
AI 6 months ago
In general, the fix is to explicitly set permissions for the GITHUB_TOKEN either at the workflow root (applies to all jobs) or under the specific job. For this workflow, the job only checks out code and runs Maven, so it only needs read access to repository contents. We can therefore set contents: read as the least-privilege configuration.
The single best fix with no functional change is to add a permissions block at the workflow root (between on: and jobs:) that restricts the token to read-only contents. This ensures all current and future jobs in this workflow inherit safe defaults unless they override them. Concretely, in .github/workflows/maven.yml, after the on: block (lines 8–12) and before jobs: (line 14), insert:
```yaml
permissions:
  contents: read
```

No imports or extra definitions are required; this is pure GitHub Actions YAML configuration.
| @@ -11,6 +11,9 @@ | ||
| pull_request: | ||
| branches: [ main, master ] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build FormKiQ API JWT |
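Review bot: the root-level `permissions:` with `contents: read` is the right scope for this file, since the only step that uses the `GITHUB_TOKEN` is `actions/checkout@v4`, and Maven's build and the `cache: maven` option need nothing beyond repository read access. One thing worth making explicit in the PR: a root-level block is now the ceiling for every job in `maven.yml`, so a job added later that needs to publish packages, push tags or create releases must declare its own job-level `permissions:` rather than inheriting the repository default. A one-line YAML comment above the block saying so would save the next contributor a confusing permission failure.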
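As an added example, not part of this PR or of the Copilot suggestion, the following stdlib-only Python checker reproduces the gist of the CodeQL rule shown above: it reports every job that would run with the repository's default `GITHUB_TOKEN` permissions because neither the workflow root nor the job itself declares a `permissions:` block. The function name `jobs_missing_permissions` is mine, and the workflow texts are constructed inline from the `build` job excerpt on this page (the `deploy` job in the last sample is invented for the multi-job case). It assumes space-indented, block-style YAML, which is what hand-written workflow files look like, so a line-based scan is enough and no YAML library is needed.

```python
import re

# A mapping key at the start of a line, capturing its indentation and name.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _significant(lines):
    # Drop blank lines and full-line comments; they carry no structure.
    for ln in lines:
        if ln.strip() and not ln.lstrip().startswith("#"):
            yield ln.rstrip("\n")


def jobs_missing_permissions(workflow_text: str) -> list:
    """Return the ids of jobs that have no effective `permissions:` block.

    A root-level `permissions:` covers every job, so the result is empty in that
    case. Otherwise each job under `jobs:` must carry its own block.
    Assumption (hypothetical checker, not CodeQL's implementation): the file is
    space-indented, block-style YAML.
    """
    lines = list(_significant(workflow_text.splitlines()))

    # Collect top-level keys (indent 0) and where they start.
    top_keys = {}
    for i, ln in enumerate(lines):
        m = KEY_RE.match(ln)
        if m and m.group(1) == "":
            top_keys[m.group(2)] = i

    if "permissions" in top_keys or "jobs" not in top_keys:
        return []  # root block present (all jobs inherit) or nothing to check

    jobs_at = top_keys["jobs"]
    end = min((i for i in top_keys.values() if i > jobs_at), default=len(lines))
    block = lines[jobs_at + 1:end]
    if not block:
        return []

    job_indent = min(_indent(ln) for ln in block)
    missing, current, current_has, child_indent = [], None, False, None
    for ln in block:
        ind = _indent(ln)
        m = KEY_RE.match(ln)
        if m and ind == job_indent:            # start of a new job
            if current is not None and not current_has:
                missing.append(current)
            current, current_has, child_indent = m.group(2), False, None
            continue
        if current is None:
            continue
        if child_indent is None:               # first line inside the job fixes its child indent
            child_indent = ind
        if m and ind == child_indent and m.group(2) == "permissions":
            current_has = True
    if current is not None and not current_has:
        missing.append(current)
    return missing


# Constructed sample: the build job from this page, without any permissions block.
BEFORE = """\
on:
  push:
    branches: [ main, master ]
  pull_request:
    branches: [ main, master ]
jobs:
  build:
    name: Build FormKiQ API JWT
    runs-on: ubuntu-latest
    strategy:
      matrix:
        java: [ 17, 21 ]
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: ${{ matrix.java }}
          distribution: 'temurin'
          cache: maven
      - name: Build with Maven
        run: mvn -B package --no-transfer-progress --file pom.xml
"""

# The autofix from this page: a read-only root block between `on:` and `jobs:`.
AFTER_ROOT = BEFORE.replace("jobs:\n", "permissions:\n  contents: read\n\njobs:\n")

# Alternative: the same restriction declared on the job itself.
AFTER_JOB = BEFORE.replace("  build:\n", "  build:\n    permissions:\n      contents: read\n")

# Constructed multi-job case: `build` is scoped, the invented `deploy` job is not.
MIXED = AFTER_JOB + "  deploy:\n    runs-on: ubuntu-latest\n    needs: build\n    steps:\n      - run: echo deploy\n"

if __name__ == "__main__":
    for label, text in [("before", BEFORE), ("root", AFTER_ROOT), ("job", AFTER_JOB), ("mixed", MIXED)]:
        print(f"{label}: jobs without a permissions block -> {jobs_missing_permissions(text)}")
```

Running it shows the unpatched workflow flagging `build`, both fixed variants passing, and the mixed file flagging only `deploy`, which is exactly the situation the root-level block in this PR is meant to prevent for jobs added later.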