Commit 64480dd

Potential fix for code scanning alert no. 3: Workflow does not contain permissions (#214)
Potential fix for [https://github.com/microsoft/azure-devops-mcp/security/code-scanning/3](https://github.com/microsoft/azure-devops-mcp/security/code-scanning/3)

To fix the issue, add a `permissions` block to the workflow to explicitly define the minimum required permissions for each job. Since the jobs in this workflow only need to read repository contents and do not perform write operations, the `contents: read` permission is sufficient. This change ensures that the `GITHUB_TOKEN` has limited access, reducing the risk of unintended repository modifications.

The `permissions` block can be added at the root level of the workflow to apply to all jobs or within each job to define permissions specific to that job. In this case, adding it at the root level is more concise and effective.

---

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent be50805 commit 64480dd

1 file changed

Lines changed: 3 additions & 0 deletions

.github/workflows/build.yml

@@ -8,6 +8,9 @@ on:
88
branches:
99
- "main"
1010

11+
permissions:
12+
contents: read
13+
1114
jobs:
1215
build:
1316
name: Build the project
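Review bot: With the root-level `permissions:` block placed between `on:` and `jobs:`, every job in this workflow gets only `contents: read`, and every scope not listed drops to `none`, so please confirm that no job or step below the visible start of `build` needs more than that. The hunk shows only the first lines of the `build` job; if anything further down in `.github/workflows/build.yml` comments on pull requests, publishes packages, uploads code scanning results or requests an OIDC token, it will start failing and should get its own job-level `permissions:` override rather than a wider root block. A short comment above the block stating that the workflow is read-only by design would also help whoever adds the next job.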
