Potential fix for code scanning alert no. 7: Workflow does not contain permissions#122

Merged
secwexen merged 1 commit into main from alert-autofix-7 on May 15, 2026
Conversation

@secwexen
Owner

Potential fix for https://github.com/secwexen/aapp-mart/security/code-scanning/7

In general, the fix is to explicitly declare a permissions block in the workflow (or at the job level) that grants only the minimal scopes needed. For a typical CI build that only checks out code and runs make/tests without interacting with GitHub APIs in a write-capable way, contents: read is sufficient and matches the minimal recommendation from CodeQL.

The best targeted fix here is to add a workflow-level permissions block near the top of .github/workflows/makefile.yml, just after the name line and before the on: trigger. This will apply to all jobs in the workflow (currently only build) and avoids needing to repeat configuration. The block should set contents: read, which is adequate for actions/checkout@v4 and typical build steps. No other functionality in the provided snippet depends on broader or write permissions, so this change should not alter behavior while resolving the CodeQL finding.

Concretely: in .github/workflows/makefile.yml, insert:

permissions:
  contents: read

after line 1 (name: Makefile CI). No additional imports, methods, or other definitions are required because this is purely a YAML configuration change within the GitHub Actions workflow file.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
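As an added check that is not part of this PR or of the Copilot Autofix output, the script below reproduces the alert's condition on a constructed copy of the workflow before and after the fix: it reports every job that has neither a workflow-level nor a job-level permissions block and would therefore run with the repository's default GITHUB_TOKEN scopes. The workflow text, the function name and the 2-space indentation assumption are all constructed for this example.

```python
import re

# Constructed sample: a Makefile CI workflow in the state the alert flags (no
# permissions block anywhere), and the same file with the fix from the PR.
WORKFLOW_BEFORE = """name: Makefile CI

on:
  push:
    branches: [ "main" ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - run: make
"""
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "name: Makefile CI\n", "name: Makefile CI\n\npermissions:\n  contents: read\n", 1)


def jobs_missing_permissions(workflow_text: str) -> list[str]:
    """Return ids of jobs that would run with the default GITHUB_TOKEN scopes."""
    # Indentation scanner instead of a YAML library, so it runs without extra
    # dependencies; assumes the 2-space layout of GitHub's starter workflows.
    lines = workflow_text.splitlines()
    if any(re.match(r"^permissions\s*:", ln) for ln in lines):
        return []  # a workflow-level block covers every job
    missing, in_jobs, job_indent, current, covered = [], False, None, None, False
    for raw in lines:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key = raw.strip().split(":", 1)[0]
        if indent == 0:  # new top-level key: close out any open job
            if current is not None and not covered:
                missing.append(current)
            current, in_jobs = None, key == "jobs"
        elif in_jobs:
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent and raw.rstrip().endswith(":"):
                if current is not None and not covered:
                    missing.append(current)
                current, covered = key, False
            elif current is not None and indent > job_indent and key == "permissions":
                covered = True
    if current is not None and not covered:
        missing.append(current)
    return missing
```

Running it over the "before" text names the build job; over the "after" text, or over a copy where the block sits under the job instead of at workflow level, it returns nothing.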

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: The Secwexen <129677392+secwexen@users.noreply.github.com>
@secwexen secwexen self-assigned this May 15, 2026
@secwexen secwexen moved this from Todo to In Progress in AAPP‑MART May 15, 2026
@secwexen secwexen marked this pull request as ready for review May 15, 2026 16:10
@secwexen secwexen merged commit e0ad872 into main May 15, 2026
7 of 8 checks passed
@secwexen secwexen deleted the alert-autofix-7 branch May 15, 2026 16:11
@github-project-automation github-project-automation Bot moved this from In Progress to Done in AAPP‑MART May 15, 2026
@secwexen secwexen moved this from Done to Merged / Released in AAPP‑MART May 15, 2026
@secwexen secwexen assigned secwexen and unassigned secwexen May 21, 2026