Skip to content

Potential fix for code scanning alert no. 7: Workflow does not contain permissions#27

Merged
locus313 merged 2 commits into
mainfrom
alert-autofix-7
Jun 14, 2026
Merged

Potential fix for code scanning alert no. 7: Workflow does not contain permissions#27
locus313 merged 2 commits into
mainfrom
alert-autofix-7

Conversation

@locus313

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/locus313/ssh-key-sync/security/code-scanning/7

Add a root-level permissions block in .github/workflows/ci.yml so all jobs in this workflow (including ci-success and reusable-workflow calls that don’t override permissions) inherit restricted token scopes by default.

Best fix here without changing functionality:

  • Insert permissions: near the top level (after triggers and before jobs:).
  • Set minimal read-only permissions:
    • contents: read
    • packages: read
      This documents intent and prevents accidental broad token rights if repository defaults are permissive or change later.

No imports, methods, or extra definitions are needed (YAML workflow-only change).

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

locus313 and others added 2 commits June 13, 2026 19:13
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@locus313 locus313 marked this pull request as ready for review June 14, 2026 02:20
@locus313 locus313 merged commit 438b9b7 into main Jun 14, 2026
7 checks passed
@locus313 locus313 deleted the alert-autofix-7 branch June 14, 2026 02:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant