Skip to content

Commit 672f6dd

Browse files
fix(security): restrict GITHUB_TOKEN to contents:read on heartbeat workflow (#30)
The heartbeat-real-stack workflow lacked an explicit permissions block, which meant GITHUB_TOKEN inherited the repository default (often read/write across multiple scopes). Adding a top-level permissions block scopes the token to the minimum required (contents:read) for checkout, addressing CWE-275 (Permission Issues). Closes code-scanning alert: actions/missing-workflow-permissions on .github/workflows/heartbeat-real-stack.yml:29.
1 parent 97fcafc commit 672f6dd

1 file changed

Lines changed: 3 additions & 0 deletions

File tree

.github/workflows/heartbeat-real-stack.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,9 @@ on:
2424
- "tests/heartbeat-real-stack/**"
2525
- ".github/workflows/heartbeat-real-stack.yml"
2626

27+
permissions:
28+
contents: read
29+
2730
jobs:
2831
real-stack:
2932
name: Real-stack E2E (${{ matrix.os }})

0 commit comments

Comments
 (0)