
Potential fix for code scanning alert no. 7: Workflow does not contain permissions #273

Merged
majorsilence merged 1 commit into master from alert-autofix-7
Mar 19, 2026

Conversation

@majorsilence
Owner

Potential fix for https://github.com/majorsilence/Reporting/security/code-scanning/7

In general, the fix is to add an explicit permissions: block to the workflow (either at the top level or within the linux-build job) that grants only the minimal access the job needs. For a simple build-and-test workflow that only checks out code and runs local tooling, contents: read is typically sufficient.

The best, least intrusive fix here is to add a workflow-level permissions: block right after the name: declaration, setting contents: read. This will apply to all jobs (currently just linux-build) and avoids changing any job logic or behavior. No additional imports or methods are needed, since this is a YAML configuration change only.

Concretely, in .github/workflows/linux.yml, insert:

permissions:
  contents: read

after line 1 (name: linux) and before the on: block. This documents and enforces that the GITHUB_TOKEN has read-only access to repository contents for this workflow.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@majorsilence majorsilence marked this pull request as ready for review March 19, 2026 23:14
Copilot AI review requested due to automatic review settings March 19, 2026 23:14
@majorsilence majorsilence merged commit a45b25f into master Mar 19, 2026
9 checks passed
@majorsilence majorsilence deleted the alert-autofix-7 branch March 19, 2026 23:15

Copilot AI left a comment


Pull request overview

Updates the Linux GitHub Actions workflow to address a code scanning alert by explicitly restricting GITHUB_TOKEN permissions to least-privilege.

Changes:

  • Add a workflow-level permissions block.
  • Set contents: read for the workflow token.


name: linux

permissions:
contents: read
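Review bot: if `checks: write` is added for the dorny/test-reporter@v2 step raised in the review comment, scope it at the job level (a `permissions:` block under `linux-build`) rather than widening this workflow-level block, and note that a job-level block replaces the workflow-level one entirely, so `contents: read` has to be restated alongside `checks: write` there.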

Copilot AI Mar 19, 2026


Setting workflow-level permissions to only contents: read is likely too restrictive for the existing dorny/test-reporter@v2 step, which typically needs the Checks API to create/update a check run. With the current permissions block, that step may fail when trying to publish the test report. Consider adding the minimal additional permissions required (commonly checks: write, and possibly pull-requests: write if it posts PR comments), or moving a broader permissions block to only the job(s) that need it.

Suggested change
contents: read
contents: read
checks: write

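Putting the PR description's workflow-level `contents: read` block together with the review comment's point about dorny/test-reporter@v2 needing the Checks API, the workflow below is an added illustration, not the repository's actual .github/workflows/linux.yml (which this page does not show in full). The trigger, runner, build and test commands, results path and reporter inputs are assumptions for the example; only the workflow name, the permissions keys and the dorny/test-reporter@v2 step come from the page.

```yaml
# Added example, not the repository's own linux.yml. Everything below the
# permissions blocks (triggers, runner, build/test steps, paths) is assumed.
name: linux

# Workflow-level default for GITHUB_TOKEN: read-only access to repository
# contents. Any scope not listed here is set to "none" for every job that
# does not declare its own permissions block.
permissions:
  contents: read

on:
  push:
    branches: [ master ]      # assumed trigger
  pull_request:
    branches: [ master ]      # assumed trigger

jobs:
  linux-build:
    runs-on: ubuntu-latest     # assumed runner
    # Job-level block: this job publishes a check run through
    # dorny/test-reporter, which needs checks: write. A job-level block
    # REPLACES the workflow-level one for this job, so contents: read must
    # be restated here or actions/checkout loses read access.
    permissions:
      contents: read
      checks: write
    steps:
      - uses: actions/checkout@v4

      - name: Build and test
        # Assumed build command and result location for the example.
        run: dotnet test --logger "trx;LogFileName=results.trx" --results-directory TestResults

      - name: Publish test results
        uses: dorny/test-reporter@v2
        # Publish the report even when the test step fails, so the failure
        # is visible as a check run rather than only in the job log.
        if: always()
        with:
          name: Unit tests                 # assumed check-run name
          path: TestResults/*.trx          # assumed results path
          reporter: dotnet-trx             # assumed report format
```

Two things to keep in mind when applying this. Declaring any `permissions:` block, at either level, zeroes every scope it does not mention, which is why the job-level block above repeats `contents: read` instead of relying on the workflow-level default. And on `pull_request` runs triggered from a fork, GitHub hands the job a read-only GITHUB_TOKEN no matter what the block says, so the check-run publish in this layout only works for pushes and same-repository pull requests; for fork PRs the action's documented approach is a separate `workflow_run` workflow that runs with the base repository's token.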