Skip to content

Potential fix for code scanning alert no. 5: Workflow does not contain permissions #874

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
lenucksi wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Potential fix for code scanning alert no. 5: Workflow does not contain permissions #874

lenucksi wants to merge 1 commit into from

Conversation

@lenucksi
Copy link
Member

@lenucksi lenucksi commented Nov 25, 2025

Potential fix for https://github.com/InnerSourceCommons/InnerSourcePatterns/security/code-scanning/5

To fix the problem, we should add a permissions block to the workflow file .github/workflows/book.yml. The block should be added at the workflow root (top-level, after name: and before jobs:), so the permissions apply to all jobs in the workflow. The least privilege required is contents: write so the job can push changes to the repo (required by the auto-commit step). Other permissions (such as pull-requests: write) are not required for this workflow, as it does not modify pull requests or other resources. The block should be added after the workflow name: and before the jobs: key (best practice is before any uses of the jobs).

No imports or additional methods/definitions are needed; it's a change to the workflow configuration only.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@lenucksi @github-advanced-security
Potential fix for code scanning alert no. 5: Workflow does not contai…
77bb5df 
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions github-actions bot mentioned this pull request Dec 1, 2025
Open
@spier
Copy link
Member

spier commented Dec 16, 2025

hi @lenucksi. As this was suggested by Copilot, how would you go about testing if this works?

We could merge to main, and then check if (a) the workflow still runs, and (b) the code scanning alert goes away?
And if something breaks, we roll back?

I don't know of other ways to test github actions locally.

@spier spier added the Type - Maintenance / Cleanup Maintaining / cleaning the repo is the main focus of this issue / PR label Dec 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NewMexicoKid NewMexicoKid Awaiting requested review from NewMexicoKid NewMexicoKid will be requested when the pull request is marked ready for review NewMexicoKid is a code owner

@cewilliams cewilliams Awaiting requested review from cewilliams cewilliams will be requested when the pull request is marked ready for review cewilliams is a code owner

@spier spier Awaiting requested review from spier spier will be requested when the pull request is marked ready for review spier is a code owner

@robtuley robtuley Awaiting requested review from robtuley robtuley will be requested when the pull request is marked ready for review robtuley is a code owner

@yuhattor yuhattor Awaiting requested review from yuhattor yuhattor will be requested when the pull request is marked ready for review yuhattor is a code owner

Assignees

No one assigned

Labels

Type - Maintenance / Cleanup Maintaining / cleaning the repo is the main focus of this issue / PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lenucksi @spier