Potential fix for code scanning alert no. 7: Workflow does not contain permissions#72
Merged
Conversation
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Quanyi Ma <eli@patch.sh>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses a GitHub security code scanning alert by adding explicit minimal permissions to the workflow. The change adds a root-level permissions: contents: read block to .github/workflows/base.yml, ensuring all jobs operate with least-privilege access by default while allowing the clippy job to retain its existing write permissions for pull request comments.
- Adds explicit minimal permissions (
contents: read) at the workflow level - Follows security best practices by restricting the default
GITHUB_TOKENscope - Maintains existing functionality with job-level permission overrides where needed
genedna
marked this pull request as ready for review
January 6, 2026 13:22
Merged
genedna
added a commit
to genedna/git-internal
that referenced
this pull request
Mar 15, 2026
…n permissions (libra-tools#72) Signed-off-by: Quanyi Ma <eli@patch.sh> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/web3infra-foundation/git-internal/security/code-scanning/7
In general, this problem is fixed by explicitly specifying a minimal
permissionsblock for the workflow or for each job, instead of relying on GitHub’s defaultGITHUB_TOKENpermissions. For jobs that only need to read the repository (checkout, build, test),contents: readis typically sufficient. Jobs that must write to pull requests or other resources can request more specific write permissions.The best fix here, without changing existing functionality, is to add a root-level
permissionsblock that applies to all jobs, settingcontents: readas the default. Theclippyjob already has a more permissivepermissionsblock (contents: read,pull-requests: write), which will continue to override the root default for that job. This change ensures that theformat,redundancy,build, andtestjobs all operate with minimal read-only repo access for theGITHUB_TOKEN. Concretely, in.github/workflows/base.yml, insert:between the
name: Check, Build and Testline and theconcurrency:block. No imports or other definitions are required since this is a YAML configuration-only change.Suggested fixes powered by Copilot Autofix. Review carefully before merging.