feat: add agent metadata action - step 2 #3450
.github/workflows/release.yml (code scanning alert: Dismissed)

    needs: [release]
    uses: ./.github/workflows/AgentMetadata.yml
    with:
      version: ${{ github.event.release.tag_name }}
    secrets:
      FC_SYS_ID_CLIENT_ID: ${{ secrets.FC_SYS_ID_CLIENT_ID }}
      FC_SYS_ID_PR_KEY: ${{ secrets.FC_SYS_ID_PR_KEY }}
      APM_CONTROL_NR_LICENSE_KEY_STAGING: ${{ secrets.APM_CONTROL_NR_LICENSE_KEY_STAGING }}

Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Copilot Autofix (AI, 9 days ago)
In general, the problem is fixed by explicitly adding a permissions: block to the job (or at the workflow root) so that the GITHUB_TOKEN has only the minimal privileges required. Each job that lacks permissions: should be given explicit, least‑privilege settings instead of relying on repository defaults.
For this specific case, we should add a permissions: block under the update-agent-metadata job. Since this job only invokes a reusable workflow and we have no evidence it needs write access in this file, we can safely set the token to read‑only at the job level. A minimal, generic read‑only configuration often used is contents: read. If the reusable workflow actually requires additional write scopes, they should be added there; but we cannot see that file, so we keep changes here minimal and non‑breaking by granting only read access from this workflow. Concretely, in .github/workflows/release.yml, under the update-agent-metadata: job definition (currently starting at line 64), insert:
    permissions:
      contents: read

using the correct indentation (aligned with needs: and uses:). No imports or additional methods are needed; this is purely a YAML configuration change.
| @@ -63,6 +63,8 @@ | ||
|
|
||
| update-agent-metadata: | ||
| needs: [release] | ||
| permissions: | ||
| contents: read | ||
| uses: ./.github/workflows/AgentMetadata.yml | ||
| with: | ||
| version: ${{ github.event.release.tag_name }} |
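Review bot: The `permissions: contents: read` block added to `update-agent-metadata` has to be reconciled with AgentMetadata.yml rather than treated as cosmetic: for a job that calls a reusable workflow with `uses:`, the caller job's `permissions` are the ceiling for the called workflow, which can keep or narrow those scopes but cannot raise them, so any write scope the called workflow declares (for example `contents: write`) would no longer be granted and the run would fail at validation. If the called workflow only needs read access, this hunk is safe and closes the CodeQL finding; if it needs more, widen this block to exactly those scopes instead of dismissing the alert.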
The permissions are in the AgentMetadata.yml file.
SimpleCov Report
Overview
This PR completes the ability for the NR agent team to send agent metadata to New Relic for use in fleets and other features. This will be triggered normally during a release, but if it fails, it will not fail the release. It can also be run on-demand for backfilling older agent versions, to make corrections, or to re-run the job after a failure.
GH action info: https://github.com/newrelic/agent-metadata-action/blob/main/README.md
Submitter Checklist
Testing
This work has been tested manually in: #3448
Reviewer Checklist
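The constructed pair of workflows below is an added example, not the project's own release.yml or AgentMetadata.yml. It shows the least-privilege shape the CodeQL finding and the reply about AgentMetadata.yml are about (caller job permissions bound what the called workflow receives), and the on-demand trigger the overview describes for backfills and re-runs. The job names, workflow path and secret names are taken from the snippet on this page; the `release` job body, the `workflow_dispatch` input and the echo steps are placeholders.

```yaml
# --- .github/workflows/release.yml (caller; constructed example) ---
name: release
on:
  release:
    types: [published]

# Workflow-level default: grant nothing; each job opts in to what it needs.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write          # only the job that publishes assets gets write
    steps:
      - run: echo "build and publish (placeholder)"

  update-agent-metadata:
    needs: [release]           # runs only after the release job succeeded
    permissions:
      contents: read           # ceiling for the called workflow's token
    uses: ./.github/workflows/AgentMetadata.yml
    with:
      version: ${{ github.event.release.tag_name }}
    secrets:
      FC_SYS_ID_CLIENT_ID: ${{ secrets.FC_SYS_ID_CLIENT_ID }}
      FC_SYS_ID_PR_KEY: ${{ secrets.FC_SYS_ID_PR_KEY }}
      APM_CONTROL_NR_LICENSE_KEY_STAGING: ${{ secrets.APM_CONTROL_NR_LICENSE_KEY_STAGING }}

# --- .github/workflows/AgentMetadata.yml (called; constructed example) ---
name: agent-metadata
on:
  workflow_call:               # invoked from release.yml
    inputs:
      version:
        required: true
        type: string
    secrets:
      FC_SYS_ID_CLIENT_ID:
        required: true
      FC_SYS_ID_PR_KEY:
        required: true
      APM_CONTROL_NR_LICENSE_KEY_STAGING:
        required: true
  workflow_dispatch:           # on-demand backfill / correction / re-run
    inputs:
      version:
        description: "Agent version to report (placeholder input)"
        required: true
        type: string

# May equal or narrow the caller's grant, never exceed it; a write scope
# here would make the reusable-workflow call fail at validation.
permissions:
  contents: read

jobs:
  send-metadata:
    runs-on: ubuntu-latest
    steps:
      - name: Send metadata (placeholder step)
        env:
          CLIENT_ID: ${{ secrets.FC_SYS_ID_CLIENT_ID }}
        run: echo "reporting agent version ${{ inputs.version }}"
```

The caller's job-level `permissions` is what actually bounds the `GITHUB_TOKEN` the called workflow runs with, so declaring scopes only in AgentMetadata.yml does not remove the need for the block in release.yml. `inputs.version` resolves for both triggers, so the same job serves the release path and a manual backfill; on a `workflow_dispatch` run the secrets come straight from the repository rather than from the `secrets:` mapping in the caller.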