Skip to content

Potential fix for code scanning alert no. 2: Workflow does not contain permissions#7

Merged
randallmorse merged 1 commit into
mainfrom
alert-autofix-2
Sep 30, 2025
Merged

Potential fix for code scanning alert no. 2: Workflow does not contain permissions#7
randallmorse merged 1 commit into
mainfrom
alert-autofix-2

Conversation

@randallmorse

Copy link
Copy Markdown
Contributor

Potential fix for https://github.com/lets-qa/test-runner/security/code-scanning/2

The best way to fix the problem is to explicitly specify the least permissions required for the job by adding a permissions block to the workflow. Since the job only checks out code and builds a Docker image (no steps that interact with PRs, issues, or write to the repository), the minimal permission needed is contents: read. This should be set either at the workflow root (to apply to all jobs unless overridden) or to each job that doesn't already specify permissions.

The required edit is to add the following at the root level, underneath the name: and before the on: block in .github/workflows/arm64-docker-image.yml:

permissions:
  contents: read

This requires no additional imports, definitions, or further changes.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@randallmorse randallmorse marked this pull request as ready for review September 30, 2025 23:25

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds explicit permissions to the GitHub Actions workflow to address a code scanning security alert. The change implements the principle of least privilege by specifying minimal required permissions for the workflow.

  • Adds permissions block with contents: read to the ARM64 Docker image workflow
  • Addresses security alert by explicitly limiting workflow permissions to only what's needed

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@randallmorse randallmorse merged commit cb36622 into main Sep 30, 2025
4 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants