chore: align GitHub standards and repo metadata #1
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Check docs for local workstation paths | ||
| run: | | ||
| set -euo pipefail | ||
| disallowed='(/Users/|C:\\Users\\|/home/[^/]+/)' | ||
| if rg -n "$disallowed" -g '*.md' .; then | ||
| echo 'Found local workstation path references in docs.' >&2 | ||
| exit 1 | ||
| fi |
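Review bot: the closing `if rg -n "$disallowed" -g '*.md' .; then` only separates "matched" (exit 0) from everything else, so rg's own error exit (2, e.g. for an unreadable file or a pattern it rejects) or a missing `rg` binary (127) passes the check as if the docs were clean, and `set -e` never fires inside an `if` condition. Capture the status and fail on anything but 1 (no match): `rg -n "$disallowed" -g '*.md' . && st=0 || st=$?`, then `[[ $st -eq 1 ]] || exit 1`, printing the "Found local workstation path references" message when `st` is 0. Also worth a comment in the step: `/home/[^/]+/` matches intentionally generic examples such as /home/runner/ in docs that describe CI, so either allowlist those or state the exception.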
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 2 months ago
In general, the fix is to explicitly add a permissions block that grants only the minimal required scopes for the GITHUB_TOKEN. For this workflow, the job just checks out the repository and runs a local search; it does not need to write anything back to GitHub or access issues, PRs, or other resources. The minimal practical permission is contents: read, which allows actions/checkout to function while keeping the token read‑only.
The best fix without changing existing functionality is to add a permissions block at the workflow root (top level, alongside name, on, and jobs) so it applies to all jobs in this workflow. Insert it between the on: block and jobs: block in .github/workflows/docs-hygiene.yml, with contents: read. No other permissions are needed, and no changes to steps are required. No imports or additional methods are involved because this is a YAML configuration file.
| @@ -5,6 +5,9 @@ | ||
| push: | ||
| branches: [main, master] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| docs-hygiene: | ||
| runs-on: ubuntu-latest |
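Review bot: right scope and placement: with the block at the top level every job in docs-hygiene.yml inherits `contents: read`, and the only token consumer in this file is `actions/checkout@v4`, which needs nothing more. One caveat for whoever extends the file: a job that later declares its own `permissions:` replaces the workflow-level set for that job instead of merging with it, so it must restate `contents: read` next to whatever scope it adds. In the same spirit, `actions/checkout@v4` is a mutable tag; pinning it to a full commit SHA is the usual companion to a read-only token.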
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Print manifest and test inventory | ||
| run: | | ||
| set -euo pipefail | ||
| echo 'Go modules:' | ||
| find . -name go.mod -not -path '*/vendor/*' | sort || true | ||
| echo 'Cargo manifests:' | ||
| find . -name Cargo.toml -not -path '*/target/*' | sort || true | ||
| echo 'Node package manifests:' | ||
| find . -name package.json -not -path '*/node_modules/*' | sort || true | ||
| echo 'Python project manifests:' | ||
| find . \( -name pyproject.toml -o -name requirements.txt \) | sort || true | ||
| echo 'Test files (sample):' | ||
| find . \( -name '*_test.go' -o -name '*.test.ts' -o -name '*.spec.ts' -o -name 'test_*.py' \) | head -200 || true | ||
|
|
||
| sbom: |
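Review bot: every command in this step ends in `|| true`, so despite `set -euo pipefail` the step is informational and cannot fail the job; that is fine for an inventory, but say so in a comment, because the `|| true` after `find ... | head -200` is also load-bearing (under `pipefail`, `find` exits 141 via SIGPIPE once `head` closes the pipe) and a later cleanup could strip it. The Python manifest search is also the only one with no path exclusion, so vendored `requirements.txt` files under `node_modules/` or `vendor/` are listed as project manifests; give it the same `-not -path` filters the Go, Cargo and Node searches use.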
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 2 months ago
In general, fix this by adding an explicit permissions block to the workflow (either at the top level or for each job) that grants only the scopes actually required. For read‑only workflows that just check out code and run analyses/tests, permissions: contents: read at the workflow level is a good minimal baseline; additional scopes can be added only if strictly needed.
For this specific file, the simplest and most accurate fix is to define a workflow‑level permissions block just under the name: and before on:. None of the jobs in this workflow pushes commits, creates releases, or modifies issues/PRs, and actions/upload-artifact does not use GITHUB_TOKEN for repo writes, so contents: read is sufficient. This will apply to all jobs (repo-inventory, sbom, quick-tests) without altering their behavior, and will satisfy CodeQL’s requirement that the GITHUB_TOKEN permissions be explicitly restricted.
Concretely: in .github/workflows/repo-security-baseline.yml, insert
permissions:
  contents: read
between line 1 (name: Repo Security Baseline) and line 3 (on:). No imports or other definitions are needed.
| @@ -1,5 +1,8 @@ | ||
| name: Repo Security Baseline | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| push: |
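Review bot: one workflow-level block is the right fix for this file and it clears all three CodeQL annotations at once, since repo-inventory, sbom and quick-tests all inherit it. Placement is a style point only: this hunk puts the block between `name:` and `on:`, while the suggestion for docs-hygiene.yml puts it between `on:` and `jobs:`; GitHub does not care about key order, but readers comparing the two files will, so pick one position for the standards bundle and use it in both.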
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Generate SBOM (CycloneDX JSON) | ||
| uses: anchore/sbom-action@v0 | ||
| with: | ||
| path: . | ||
| format: cyclonedx-json | ||
| output-file: sbom.cdx.json | ||
| - name: Upload SBOM artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: sbom-${{ github.event.repository.name }} | ||
| path: sbom.cdx.json | ||
|
|
||
| quick-tests: |
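Review bot: `anchore/sbom-action@v0` floats across every 0.x release of the very action that produces this repository's supply-chain inventory; pin it (and `actions/upload-artifact@v4`) to a full commit SHA and let dependency updates move the pin. The SBOM is only kept as a workflow artifact here, which expires under the repository's artifact retention setting; if it is meant as evidence for a release, attach it to the release or publish an attestation for it, otherwise the baseline produces nothing durable. The artifact name `sbom-${{ github.event.repository.name }}` is fine where it is, since a `with:` input is not interpolated into a shell.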
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 2 months ago
To fix the problem, explicitly restrict the GITHUB_TOKEN permissions to the minimum required by these jobs. All three jobs only need to read the repository contents and upload an artifact; they do not push commits, create releases, modify issues, or change workflow files. The minimal reasonable scope is contents: read at the workflow level, which applies to all jobs. No job requires elevated or write permissions.
The best fix is to add a permissions block at the root level of .github/workflows/repo-security-baseline.yml, alongside name and on, so it applies to all jobs that don’t override it. Add:
permissions:
  contents: read
This should be placed after the name: line (or before on:), keeping indentation consistent with other top-level keys. No imports or additional methods are needed because this is purely a YAML configuration change. No further functionality changes are required.
| @@ -1,5 +1,8 @@ | ||
| name: Repo Security Baseline | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| push: |
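Review bot: this hunk is byte-for-byte the one already suggested for the repo-inventory annotation on the same file; accepting both would insert two top-level `permissions:` keys, which is invalid YAML (duplicate mapping key) and breaks the workflow rather than tightening it, so commit the block once and let that single change resolve every annotation on this file.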
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: '1.24.6' | ||
| - uses: dtolnay/rust-toolchain@stable | ||
| with: | ||
| toolchain: '1.75.0' | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| - uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.11' | ||
| - name: Run opportunistic test smoke checks | ||
| shell: bash | ||
| run: | | ||
| set -euo pipefail | ||
| # Go (root module only) | ||
| if [[ -f go.mod ]]; then | ||
| go test ./... || true | ||
| fi | ||
| # Rust (root crate only) | ||
| if [[ -f Cargo.toml ]]; then | ||
| cargo test --lib || true | ||
| fi | ||
| # Node (root package only) | ||
| if [[ -f package.json ]]; then | ||
| npm install --no-fund --no-audit || true | ||
| npm test --if-present || true | ||
| fi | ||
| # Python (root project only) | ||
| if [[ -f pyproject.toml ]]; then | ||
| python -m pip install --upgrade pip || true | ||
| python -m pip install pytest || true | ||
| pytest -q || true | ||
| fi |
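Review bot: each test invocation ends in `|| true`, so a failing `go test`, `cargo test`, `npm test` or `pytest` still leaves the job green; if the step is meant to be advisory, say so in its name, otherwise keep `|| true` only on the install commands (`npm install`, `pip install`) and let the test commands fail the job. On `pull_request` runs, `npm install --no-fund --no-audit` executes the install scripts of whatever dependency tree the PR's `package.json` names, and `python -m pip install pytest` pulls an unpinned package; `npm ci --ignore-scripts` where a lockfile exists, and a pinned pytest version, narrow both. The pinning policy is also inconsistent: `go-version: '1.24.6'` and `toolchain: '1.75.0'` are exact, while `node-version: '20'` and `python-version: '3.11'` float within a release line.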
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 2 months ago
In general, the fix is to declare an explicit permissions block limiting the GITHUB_TOKEN to the minimal scopes needed. For this workflow, all jobs only need to read repository contents and upload artifacts; no job modifies repository state or interacts with issues/PRs.
The single best fix is to add a root-level permissions block near the top of .github/workflows/repo-security-baseline.yml (e.g., after name: and before on:) with contents: read. This will apply to all jobs (repo-inventory, sbom, and quick-tests) since none define their own permissions. No additional scopes (like pull-requests: write or contents: write) are required because the steps only check out code, run tools, and upload artifacts, all of which work with contents: read. No imports or other definitions are needed because this is a YAML configuration change only.
| @@ -1,5 +1,8 @@ | ||
| name: Repo Security Baseline | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| push: |
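Review bot: the `on:` context in this hunk shows both `pull_request:` and `push:` triggers, which is why the explicit block matters: on a `pull_request` from a fork the GITHUB_TOKEN is already read-only, but on `push` to the repository's own branches it carries whatever the repository or organization default is, which may still be read/write on most scopes. With `contents: read` declared, both trigger paths get the same token, and any job that later needs more (for example, to upload a release asset) has to ask for it explicitly in its own `permissions:` block.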
This rollout aligns the repository with the Foundation GitHub standards bundle, repo-role metadata, and current public source-of-truth model.
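Stand-alone checker for the condition these CodeQL annotations report, added here as an illustrative example that is not part of this PR, its workflows, or CodeQL itself. It scans block-style workflow YAML by indentation (an assumption of the example; no YAML library is used), reports jobs that have no `permissions:` block of their own and nothing to inherit from the workflow level, flags `write-all` and individual `write` scopes, and catches a duplicated top-level key such as the one that results from committing the same suggested hunk more than once. The embedded workflows are constructed samples shaped like the files under review, not copies of them, and the script name in the usage note is hypothetical.

```python
"""Report GitHub Actions workflows that leave GITHUB_TOKEN at the repository default (the
condition CodeQL flags as "Workflow does not contain permissions") and over-broad grants.
Assumption of this example: block-style YAML, top-level keys at column 0, scanned by indent."""
import re
import sys
from pathlib import Path

# A block-style mapping key at some indent, with an optional inline scalar value.
KEY_RE = re.compile(r"^(?P<indent> *)(?P<key>[A-Za-z0-9_.-]+):(?:[ \t]+(?P<value>\S.*?))?[ \t]*$")


def _entries(text):
    """Flatten a workflow into (indent, key, value) tuples; comments and '- item' lines are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            out.append((len(m.group("indent")), m.group("key"), m.group("value")))
    return out


def _block(entries, i):
    """Entries nested under entries[i]: everything that follows at a deeper indent."""
    parent, j = entries[i][0], i + 1
    while j < len(entries) and entries[j][0] > parent:
        j += 1
    return entries[i + 1:j]


def _grants(value, scopes):
    """Warnings for an explicit permissions block: write-all, or any scope set to write."""
    if value == "write-all":
        return ["permissions: write-all grants every scope"]
    return [f"grants {k}: {v}" for k, v in scopes if v == "write"]


def lint_workflow(text):
    """Findings for one workflow; empty means every job has an explicit, non-write-all
    permissions block, either its own or inherited from the workflow level."""
    entries = _entries(text)
    top_keys = [k for ind, k, _ in entries if ind == 0]
    # A duplicated top-level key is invalid YAML (e.g. the same autofix hunk committed twice).
    findings = [f"duplicate top-level key {k!r} (invalid YAML)"
                for k in sorted(set(top_keys)) if top_keys.count(k) > 1]
    top = {k: i for i, (ind, k, _) in enumerate(entries) if ind == 0}
    wf_perm = "permissions" in top
    if wf_perm:
        i = top["permissions"]
        findings += [f"workflow-level {w}" for w in
                     _grants(entries[i][2], [(k, v) for _, k, v in _block(entries, i)])]
    jobs = _block(entries, top["jobs"]) if "jobs" in top else []
    job_indent = jobs[0][0] if jobs else 0
    for j, (ind, name, _) in enumerate(jobs):
        if ind != job_indent:
            continue  # a nested key of the previous job, not a job name
        body = _block(jobs, j)
        child = min((b[0] for b in body), default=None)
        perm = next((n for n, b in enumerate(body) if b[0] == child and b[1] == "permissions"), None)
        if perm is None:
            if not wf_perm:  # no job-level block and nothing to inherit: CodeQL's finding
                findings.append(f"job {name}: no permissions block at job or workflow level")
            continue
        scopes = [(k, v) for _, k, v in _block(body, perm)]
        findings += [f"job {name}: {w}" for w in _grants(body[perm][2], scopes)]
    return findings


# Constructed sample: the shape of repo-security-baseline.yml as annotated above (no permissions).
SAMPLE_UNSCOPED = """\
name: Repo Security Baseline
on:
  push:
    branches: [main, master]
jobs:
  repo-inventory:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: anchore/sbom-action@v0
"""
# Constructed sample: the suggested workflow-level block, plus a job that overrides it and
# therefore must restate contents: read next to the scope it adds (job-level replaces, not merges).
SAMPLE_SCOPED = SAMPLE_UNSCOPED.replace("on:\n", "permissions:\n  contents: read\non:\n", 1) + """\
  comment:
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
"""
SAMPLE_WRITE_ALL = SAMPLE_SCOPED.replace("permissions:\n  contents: read\non:", "permissions: write-all\non:", 1)
SAMPLE_DOUBLED = SAMPLE_SCOPED.replace("on:\n", "permissions:\n  contents: read\non:\n", 1)

if __name__ == "__main__":  # usage: python lint_permissions.py .github/workflows/*.yml
    found = [(p, f) for p in sys.argv[1:] for f in lint_workflow(Path(p).read_text())]
    print("\n".join(f"{p}: {f}" for p, f in found))
    sys.exit(1 if found else 0)
```

Run it over the workflow directory (`python lint_permissions.py .github/workflows/*.yml`, file name hypothetical); it exits 1 when anything is reported, so it can sit in a pre-commit hook or in the docs-hygiene job itself. The `comment` job in the scoped sample is the case worth remembering: GitHub applies a job's `permissions:` in place of the workflow-level set, not on top of it, so the override has to carry `contents: read` along with `pull-requests: write` or `actions/checkout` stops working in that job.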