fix(validate.yml): add explicit permissions (closes CodeQL #9 #12) #35

Merged: jfreed-dev merged 1 commit into main from fix/9-12-validate-permissions on May 18, 2026

@jfreed-dev

Closes the two open CodeQL actions/missing-workflow-permissions alerts on .github/workflows/validate.yml. Adds permissions: contents: read at workflow scope — the workflow only does fmt/validate/tflint/trivy, no writes.

Closes CodeQL alerts #9 and #12 (actions/missing-workflow-permissions).

The validate workflow only checks out the repo and runs
terraform fmt/validate + tflint + trivy. No commits, no PR comments,
no deploys. Read-only on contents is sufficient.

Other workflows already had explicit permissions blocks:
- dependabot-auto-merge: contents:write, pull-requests:write
- docs: contents:write (for auto-commit of generated READMEs)
- security: contents:read, security-events:write

jfreed-dev merged commit 316246f into main on May 18, 2026 (18 checks passed)
jfreed-dev deleted the fix/9-12-validate-permissions branch on May 18, 2026 14:28
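
An added example, not code from this pull request or repository: a small dependency-free check in the spirit of the actions/missing-workflow-permissions alert, reporting jobs that have no `permissions` key while the workflow has none either. The function name, the indentation-based scan (a heuristic, not a YAML parser) and the sample workflow are assumptions made for illustration.

```python
import re

# Matches a mapping key such as "jobs:" or "    permissions:" (not "- run:").
KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):")

def jobs_missing_permissions(workflow_text):
    """Return ids of jobs with no `permissions` key of their own while the
    workflow has none either, so GITHUB_TOKEN falls back to repo defaults."""
    workflow_level = in_jobs = False
    job_indent = key_indent = current = None
    has_block = {}  # job id -> job declares its own permissions
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue  # blank lines, comments, list items, script bodies
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            in_jobs = key == "jobs"
            workflow_level = workflow_level or key == "permissions"
        elif in_jobs:
            job_indent = job_indent or indent  # first key under jobs: is a job id
            if indent == job_indent:
                current, key_indent = key, None
                has_block[current] = False
            elif current is not None:
                key_indent = key_indent or indent  # indent of the job's own keys
                if indent == key_indent and key == "permissions":
                    has_block[current] = True
    return [] if workflow_level else [j for j, ok in has_block.items() if not ok]

# Constructed sample workflow (not the repository's actual validate.yml).
BEFORE = """\
name: validate
on: [pull_request]
jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - run: terraform fmt -check -recursive
  scan:
    runs-on: ubuntu-latest
    steps:
      - run: trivy config .
"""
# The shape of the fix described above: one read-only block at workflow scope.
AFTER = BEFORE.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)

if __name__ == "__main__":
    print(jobs_missing_permissions(BEFORE), jobs_missing_permissions(AFTER))
```

A workflow-scope block covers every job, which is why a single addition can clear one alert per job.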