Potential fix for code scanning alert no. 8: Workflow does not contain permissions #271
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Pull request overview
Updates the Windows GitHub Actions workflow to explicitly set minimal GITHUB_TOKEN permissions in response to code scanning alert #8 (“Workflow does not contain permissions”).
Changes:
- Add a job-level `permissions` block to the `windows-build` job.
- Set `contents: read` for the `windows-build` job token scope.
| jobs: | ||
| windows-build: | ||
| permissions: | ||
| contents: read |
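Review bot: the block is job-level only, so it protects `windows-build` and nothing else; any job added to this workflow later will silently fall back to whatever the repository's default `GITHUB_TOKEN` permissions are, which is exactly the condition the alert flags. Consider also adding a workflow-level `permissions: contents: read` (or `permissions: {}`) above `jobs:` as the floor for every job, and keep a job-level block only on jobs that need an extra scope.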
The new job-level permissions restrict GITHUB_TOKEN to contents: read only, but this workflow uses dorny/test-reporter@v2, which creates/updates GitHub Check Runs for the test report. With checks permission omitted, this step is likely to fail with a 403 when trying to publish results. Consider adding the minimal additional scopes needed (typically checks: write and, for PR annotations, pull-requests: read) alongside contents: read.
| contents: read | |
| contents: read | |
| checks: write | |
| pull-requests: read |
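Review bot: `checks: write` in this suggestion only takes effect when the token is allowed to write at all; on `pull_request` runs triggered from a forked repository the `GITHUB_TOKEN` is read-only regardless of the `permissions` block, so the reporter step would still get a 403 there. If this workflow runs on fork PRs, guard the reporter step (for example with `if:` on the head repository) or move reporting to a `workflow_run` job, and confirm against the action's documentation that `pull-requests: read` is actually required before granting it; a job-level block replaces the workflow-level one entirely, so every scope listed here is the complete set for the job.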
Potential fix for https://github.com/majorsilence/Reporting/security/code-scanning/8
In general, the fix is to explicitly define a `permissions:` block that grants the minimal required `GITHUB_TOKEN` scopes. This can be done at the top level of the workflow (applies to all jobs) or per job. Since we only see one job (`windows-build`), adding a job-level `permissions:` block is sufficient and minimally invasive.

The safest minimal permission for this workflow, based on the steps shown, is `contents: read`, which allows the actions to read repository content but not write to it. None of the steps shown require write access to repository contents, issues, or pull requests. Therefore, update `.github/workflows/windows.yml` by inserting a `permissions:` section under the `windows-build` job (same indentation level as `runs-on`). No imports, methods, or additional definitions are needed; the change is purely in the YAML configuration.

Concretely:

In `.github/workflows/windows.yml`, under `jobs:` / `windows-build:`, between the job name and `runs-on: windows-latest`, add:

This constrains `GITHUB_TOKEN` for this job to read-only repository contents, satisfying CodeQL and least-privilege guidance without altering the existing build/test behavior.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
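The following is an added example, not the project's `windows.yml` and not code from Copilot Autofix; the workflow name, the second job, the `dotnet` commands, the results path and the test-reporter inputs are assumptions used for illustration. It puts together the two points raised on this PR: the alert (no `permissions` block at all) and the review comment that the test reporter needs more than `contents: read`. The pattern is a workflow-level read-only floor plus a job-level override that adds only what the reporting job needs.

```yaml
# Added example, not the majorsilence/Reporting workflow. The workflow name,
# job names, commands, paths and action inputs below are assumptions.
name: windows

on:
  push:
  pull_request:

# Workflow-level floor. Every job gets a read-only token unless it declares
# its own block. Leaving this key out (and having no job-level block) means
# each job inherits the repository's default GITHUB_TOKEN permissions, which
# is what the "Workflow does not contain permissions" alert reports.
permissions:
  contents: read

jobs:
  windows-build:
    runs-on: windows-latest
    # A job-level block REPLACES the workflow-level one rather than merging
    # with it: any scope not listed here becomes none, so contents: read must
    # be repeated. checks: write lets the reporter create a check run;
    # pull-requests: read is the scope the review comment suggested for PR
    # runs. Verify the exact set against the action's own documentation.
    permissions:
      contents: read
      checks: write
      pull-requests: read
    steps:
      - uses: actions/checkout@v4
      - name: Build and test (assumed commands)
        run: dotnet test --logger "trx;LogFileName=results.trx"
      - name: Publish test report
        # Still publish when tests fail; that is when the report matters.
        if: success() || failure()
        uses: dorny/test-reporter@v2
        with:
          name: windows tests
          path: '**/results.trx'   # assumed results location
          reporter: dotnet-trx

  package:
    runs-on: windows-latest
    needs: windows-build
    # No permissions block here: this job gets the workflow-level
    # contents: read floor, not the repository default. Adding a job later
    # without a block no longer reintroduces the alert.
    steps:
      - uses: actions/checkout@v4
      - name: Pack (assumed command)
        run: dotnet pack
```

Two things to check before copying this shape: the job-level block must list every scope the job uses, because it does not inherit from the workflow level; and on `pull_request` runs coming from a fork the token is read-only regardless of what is declared here, so `checks: write` will not help the reporter step in that case.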