1f70d97 to 8e4eebc
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
|
|
||
| - name: List template images | ||
| run: npx tsx build/list-template-images.ts | ||
|
|
||
| - uses: actions/checkout@v5 | ||
| with: | ||
| repository: devcontainers/images | ||
| fetch-depth: 0 | ||
| path: images | ||
|
|
||
| - name: Check out last release tag | ||
| run: | | ||
| cd images | ||
| tag=$(git describe --tags --abbrev=0) | ||
| echo "Checking out tag: $tag" | ||
| git checkout "$tag" | ||
|
|
||
| - name: Check image tags (last release) | ||
| run: npx tsx build/check-image-tags.ts images | ||
|
|
||
| check-image-tags-latest: |
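Review bot: Both `- uses: actions/checkout@v5` steps in this region (the repo checkout and the `devcontainers/images` checkout) pin the action to a mutable major-version tag rather than a full commit SHA; pinning by SHA with the version in a trailing comment keeps a retagged action from changing what this workflow runs. In "Check out last release tag", `tag=$(git describe --tags --abbrev=0)` returns the tag nearest to the checked-out HEAD (the default branch), which is only the last release if release tags always sit on that branch; note that `fetch-depth: 0` on the preceding checkout is what makes tags visible at all, so that `with:` entry must stay.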
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium, test)
Copilot Autofix (AI), 3 days ago
To fix the problem, explicitly declare restricted GITHUB_TOKEN permissions in the workflow. The least-invasive and clearest approach is to add a permissions: block at the top (root) of the workflow so that all jobs inherit minimal permissions, unless overridden. Since all shown jobs only check out code and run local tools/scripts, contents: read is a suitable minimal starting point.
Concretely, edit .github/workflows/test-pr.yaml near the top: after the name: and on: block, add a root-level permissions: section with contents: read. This will apply to detect-changes, test, check-image-tags, and check-image-tags-latest without altering any other behavior. No additional imports, tools, or code changes are needed because permissions is native GitHub Actions syntax.
| @@ -2,6 +2,9 @@ | ||
| on: | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| detect-changes: | ||
| runs-on: ubuntu-latest |
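Review bot: Apply only one of the two autofix hunks: this one inserts `permissions:` after `on:`, the second inserts the same key after `name:`, and merging both leaves a duplicate top-level `permissions` key in test-pr.yaml. `contents: read` is sufficient for the jobs visible here, which only run `actions/checkout` (including the public `devcontainers/images` checkout) and local `npx tsx` scripts; if a job later needs to write (for example to comment on the PR), grant that scope on that job's own `permissions:` block rather than widening the root one.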
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
|
|
||
| - uses: actions/checkout@v5 | ||
| with: | ||
| repository: devcontainers/images | ||
| path: images | ||
|
|
||
| - name: Check image tags (latest) | ||
| run: npx tsx build/check-image-tags.ts images |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium, test)
Copilot Autofix (AI), 3 days ago
In general, the problem is fixed by explicitly declaring a permissions: block to restrict the GITHUB_TOKEN to the minimal required scopes. For workflows that only need to read repository contents, permissions: contents: read at the workflow root (or per job) is usually sufficient.
For this specific workflow in .github/workflows/test-pr.yaml, all shown jobs (detect-changes, test, check-image-tags, check-image-tags-latest) only check out code and run local commands/scripts. None of them push commits, create releases, or modify issues/PRs, so they only need read access to repository contents. The best minimal, non-breaking change is to add a single top-level permissions: block with contents: read so that all jobs inherit read-only access. This also directly addresses the CodeQL warning on the check-image-tags-latest job (line 177) because that job will now have an explicit limited token scope.
Concretely:
- Edit .github/workflows/test-pr.yaml.
- Insert a top-level permissions: section after the name: (before on:) or after on:; YAML only cares about correct indentation and structure.
- Set:
    permissions:
      contents: read
No additional imports, methods, or definitions are needed since this is only a workflow configuration change.
| @@ -1,4 +1,6 @@ | ||
| name: "PR - Test Updated Templates" | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
|
|
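Review bot: Placing `permissions:` between `name:` and `on:` is valid YAML and yields the same effective token scope as the first suggestion, so this hunk and the first are alternatives, not a pair; pick one, and if the order is open, placing the block after `on:` keeps the trigger next to the workflow name, which is the more common layout. The header `@@ -1,4 +1,6 @@` confirms the only change is the two added lines, so either hunk resolves the CodeQL warning without altering job behaviour.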
No description provided.