Commit 672f6dd
authored
fix(security): restrict GITHUB_TOKEN to contents:read on heartbeat workflow (#30)
The heartbeat-real-stack workflow lacked an explicit permissions block,
which meant GITHUB_TOKEN inherited the repository default (often
read/write across multiple scopes). Adding a top-level permissions
block scopes the token to the minimum required (contents:read) for
checkout, addressing CWE-275 (Permission Issues).
Closes code-scanning alert: actions/missing-workflow-permissions on
.github/workflows/heartbeat-real-stack.yml:29.1 parent 97fcafc commit 672f6dd
1 file changed
Lines changed: 3 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
24 | 24 | | |
25 | 25 | | |
26 | 26 | | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
27 | 30 | | |
28 | 31 | | |
29 | 32 | | |
| |||
0 commit comments