Conversation

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.

Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.
📝 Please follow instructions in the contributing guide to update your commits with the DCO. Full details of the Developer Certificate of Origin can be found at developercertificate.org.
The list of commits missing DCO signoff:

Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
| uses: kubestellar/infra/.github/workflows/reusable-scorecard.yml@main | ||
| secrets: inherit |
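Review bot: `secrets: inherit` forwards every secret available to this caller workflow to `reusable-scorecard.yml@main`, and `@main` is a mutable ref, so whatever lands on the default branch of kubestellar/infra runs here with those secrets on the next scheduled run. Pass only the secrets the reusable workflow declares under `workflow_call.secrets`, and pin the reference to a tag or commit SHA unless the two repositories are maintained under the same review bar.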
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)

Copilot Autofix
AI, 3 months ago
To fix the problem, explicitly declare permissions so that the GITHUB_TOKEN granted to this workflow/job is minimized instead of inheriting potentially read-write defaults. For a read-only analysis workflow that invokes a scorecard check, the usual baseline is contents: read at the workflow root, which applies to all jobs unless overridden.
The best fix without changing existing functionality is to add a permissions block at the top level of .github/workflows/scorecard.yml, immediately after the name: line (or anywhere at the root level, before jobs:). This will ensure the analysis job runs with read-only access to repository contents, which is sufficient for security/scorecard analysis and avoids unnecessary write privileges. No imports or additional methods are required, since this is just a YAML configuration change.
Concretely:
- Edit .github/workflows/scorecard.yml.
- Insert:
  permissions:
    contents: read
- Place it between line 1 (name: OpenSSF Scorecard) and the on: block at line 3 (or equivalently between the blank line following the name and on:), keeping indentation consistent.
| @@ -1,5 +1,8 @@ | ||
| name: OpenSSF Scorecard | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| branch_protection_rule: | ||
| schedule: |
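Review bot: the root-level `permissions: contents: read` added after `name: OpenSSF Scorecard` also caps the reusable scorecard workflow this file calls, because a called workflow can only downgrade, never elevate, the token permissions it receives from the caller. Before merging, check what `reusable-scorecard.yml` itself needs; if it uploads SARIF or publishes results it will need `security-events: write` and `id-token: write`, and those must then be declared on the calling job (a job-level `permissions:` block replaces the root one rather than merging with it, so repeat `contents: read` there). Otherwise the scheduled run will fail on permissions instead of running with less privilege.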
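The token-permission model the autofix relies on, shown as a complete caller workflow. This is an added example, not the PR's scorecard.yml or any KubeStellar file: the cron expression is constructed, and the two elevated scopes on the job (security-events: write, id-token: write) are an assumption about what a Scorecard reusable workflow typically needs to upload SARIF and publish results, not something this PR states. Check the called workflow's own permissions block before copying them.

```yaml
# Added example (hypothetical caller workflow, not the PR's scorecard.yml).
name: OpenSSF Scorecard

on:
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'   # constructed value; weekly run

# Without this block every job would receive the repository's default
# GITHUB_TOKEN permissions, which on older repositories may be read-write.
# With it, every job is read-only unless the job overrides it below.
permissions:
  contents: read

jobs:
  analysis:
    # A job-level permissions block REPLACES the root block rather than
    # merging with it, so contents: read has to be repeated here.
    # A called reusable workflow can only lower, never raise, what the
    # caller grants, so anything it needs beyond contents: read must be
    # declared on this job. The two write scopes are an ASSUMPTION about
    # a typical Scorecard workflow (SARIF upload, OIDC-signed publishing);
    # verify them against reusable-scorecard.yml before use.
    permissions:
      contents: read
      security-events: write
      id-token: write
    # Mutable ref; a tag or commit SHA pins what actually runs here.
    uses: kubestellar/infra/.github/workflows/reusable-scorecard.yml@main
    # Forwards every secret the caller has. Naming only the secrets the
    # reusable workflow declares under workflow_call.secrets is tighter.
    secrets: inherit
```

The practical check after applying a root-level block like the autofix's is to run the workflow once and confirm the called job did not lose a scope it needs: a missing scope shows up as an API permission error in the job log, not as a quieter run.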
🎉 Thank you for your contribution! Your PR has been successfully merged.

🌟 Help KubeStellar Grow - We Need Adopters!
Our roadmap is driven entirely by adopter feedback - nothing else. Whether you're using KubeStellar yourself or know organizations that could benefit from multi-cluster Kubernetes, we need your help:
📋 Take our Multi-Cluster Survey - Share your use cases and help shape our direction!
🗣️ Spread the word - Tell colleagues, write blog posts, present at meetups
💬 Share feedback on Slack #kubestellar-dev
Every adopter story helps us prioritize what matters most. Thank you for being part of the KubeStellar community!
This PR syncs the caller workflows from kubestellar/.github. These workflows call reusable workflows from kubestellar/infra:
- add-help-wanted.yml
- assignment-helper.yml
- feedback.yml
- greetings.yml
- label-helper.yml
- pr-verifier.yml
- pr-verify-title.yml
- scorecard.yml

🤖 Auto-generated by workflow sync