Skip to content

feat: add publish workflow based on the fixed fork#252

Merged
AtzeDeVries merged 1 commit intomainfrom
add-secondary-workflow
Feb 25, 2026
Merged

feat: add publish workflow based on the fixed fork#252
AtzeDeVries merged 1 commit intomainfrom
add-secondary-workflow

Conversation

@AtzeDeVries
Copy link
Copy Markdown
Collaborator

@AtzeDeVries AtzeDeVries commented Feb 25, 2026

Signed-off-by: Atze de Vries atze.wiebe.de.vries@coop.no

@AtzeDeVries
feat: add publish workflow based on the fixed fork
45ae16a 
Signed-off-by: Atze de Vries <atze.wiebe.de.vries@coop.no>
@AtzeDeVries AtzeDeVries enabled auto-merge (squash) February 25, 2026 15:17
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 25, 2026
View reviewed changes
.github/workflows/publish-provider-package-alt.yml
Comment on lines +17 to +26
uses: hmlkao/provider-workflows/.github/workflows/publish-provider.yml@/upgrade-build-module
with:
repository: provider-upjet-github
version: ${{ github.event.inputs.version }}
go-version: ${{ github.event.inputs.go-version }}
cleanup-disk: true
secrets:
GHCR_PAT: ${{ secrets.GITHUB_TOKEN }}
XPKG_MIRROR_TOKEN: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }}
XPKG_MIRROR_ACCESS_ID: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 1 month ago

In general, the fix is to add an explicit permissions: block that grants only the minimum scopes required to run the workflow. Since this job only calls a reusable workflow and passes secrets, the least-privilege starting point is usually contents: read. If the reusable workflow needs to push commits, create releases, or modify other resources, it should request those explicitly in its own file; the caller should not over‑grant by default.

The single best change here, without altering existing functionality, is to add a root‑level permissions: block just under the name: (or under on:), applying to all jobs in this workflow. As we don’t see any direct write operations in this snippet, we will set contents: read, which is safe and aligns with the recommended minimal starting point. If later turns out that the called workflow needs additional token scopes, they should be added explicitly there, not here.

Concretely, edit .github/workflows/publish-provider-package-alt.yml and insert:

permissions:
  contents: read

between the name: and the on: block (or equivalently between on: and jobs:), ensuring indentation is correct for a root‑level key.

Suggested changeset 1
.github/workflows/publish-provider-package-alt.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-provider-package-alt.yml b/.github/workflows/publish-provider-package-alt.yml
--- a/.github/workflows/publish-provider-package-alt.yml
+++ b/.github/workflows/publish-provider-package-alt.yml
@@ -1,5 +1,8 @@
 name: Publish Provider Package Alt
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
EOF
@@ -1,5 +1,8 @@
name: Publish Provider Package Alt

permissions:
contents: read

on:
workflow_dispatch:
inputs:
Copilot is powered by AI and may make mistakes. Always verify output.
@AtzeDeVries AtzeDeVries merged commit 18a62b2 into main Feb 25, 2026
11 checks passed
@AtzeDeVries AtzeDeVries deleted the add-secondary-workflow branch February 25, 2026 15:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pravindahal pravindahal pravindahal approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AtzeDeVries @pravindahal @github-advanced-security