Skip to content

Potential fix for code scanning alert no. 7: Workflow does not contain permissions#72

Merged
genedna merged 1 commit into
mainfrom
alert-autofix-7
Jan 6, 2026
Merged

Potential fix for code scanning alert no. 7: Workflow does not contain permissions#72
genedna merged 1 commit into
mainfrom
alert-autofix-7

Conversation

@genedna

@genedna genedna commented Jan 6, 2026

Copy link
Copy Markdown
Contributor

Potential fix for https://github.com/web3infra-foundation/git-internal/security/code-scanning/7

In general, this problem is fixed by explicitly specifying a minimal permissions block for the workflow or for each job, instead of relying on GitHub’s default GITHUB_TOKEN permissions. For jobs that only need to read the repository (checkout, build, test), contents: read is typically sufficient. Jobs that must write to pull requests or other resources can request more specific write permissions.

The best fix here, without changing existing functionality, is to add a root-level permissions block that applies to all jobs, setting contents: read as the default. The clippy job already has a more permissive permissions block (contents: read, pull-requests: write), which will continue to override the root default for that job. This change ensures that the format, redundancy, build, and test jobs all operate with minimal read-only repo access for the GITHUB_TOKEN. Concretely, in .github/workflows/base.yml, insert:

permissions:
  contents: read

between the name: Check, Build and Test line and the concurrency: block. No imports or other definitions are required since this is a YAML configuration-only change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Quanyi Ma <eli@patch.sh>
Copilot AI review requested due to automatic review settings January 6, 2026 13:21

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a GitHub security code scanning alert by adding explicit minimal permissions to the workflow. The change adds a root-level permissions: contents: read block to .github/workflows/base.yml, ensuring all jobs operate with least-privilege access by default while allowing the clippy job to retain its existing write permissions for pull request comments.

  • Adds explicit minimal permissions (contents: read) at the workflow level
  • Follows security best practices by restricting the default GITHUB_TOKEN scope
  • Maintains existing functionality with job-level permission overrides where needed

@genedna
genedna marked this pull request as ready for review January 6, 2026 13:22
@genedna genedna self-assigned this Jan 6, 2026
@genedna
genedna merged commit 9944119 into main Jan 6, 2026
14 checks passed
@genedna
genedna deleted the alert-autofix-7 branch January 6, 2026 13:33
@github-actions github-actions Bot mentioned this pull request Feb 12, 2026
genedna added a commit to genedna/git-internal that referenced this pull request Mar 15, 2026
…n permissions (libra-tools#72)

Signed-off-by: Quanyi Ma <eli@patch.sh>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants