@rerpha (Collaborator) commented Jun 30, 2025

No description provided.

Comment on lines 5 to 8
if: github.ref_type == 'tag'
name: Run linter and tests
uses: ./.github/workflows/Lint-and-test.yml
build:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block to the lint-and-test job. Since this job does not appear to require write access, we will set the permissions to contents: read, which is the minimal required permission for most workflows. This change ensures that the job has only the access it needs, reducing the risk of misuse.


Suggested changeset 1
.github/workflows/python-publish.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -5,2 +5,4 @@
     if: github.ref_type == 'tag'
+    permissions:
+      contents: read
     name: Run linter and tests
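Review bot: a job-level `permissions:` block on `lint-and-test` alone leaves the `build` job and the publish jobs below on the default GITHUB_TOKEN, which is exactly what CodeQL flags again for lines +9 to +33; a workflow-level `permissions:` with `contents: read` would cover every job in one place, with only the publishing job widening it to what it needs. The block is still valid where it is: on a job that `uses:` a reusable workflow it caps the permissions the called workflow can receive.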
EOF
@rerpha rerpha committed this autofix suggestion 6 months ago.
Comment on lines +9 to +33
needs: lint-and-test
if: github.ref_type == 'tag'
name: build distribution
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- uses: actions/setup-python@v5
with:
python-version: "3.x"

- name: Build release distributions
run: |
# NOTE: put your own distribution build steps here.
python -m pip install build
python -m build
- name: Upload distributions
uses: actions/upload-artifact@v4
with:
name: release-dists
path: dist/

pypi-publish:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install pypa/build
run: >-
python3 -m
pip install
build
--user
- name: Build a binary wheel and a source tarball
run: python3 -m build
- name: Store the distribution packages
uses: actions/upload-artifact@v4
with:
name: python-package-distributions
path: dist/
publish-to-pypi:
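Review bot: the `pypi-publish:` block repeats the checkout, setup-python and `python3 -m build` steps of the `build` job above and uploads a second artifact (`python-package-distributions`) instead of consuming `release-dists`; a publish job should download the artifact that `build` produced so the files published are the ones that were built and tested, not a fresh rebuild. The template comment `# NOTE: put your own distribution build steps here.` in the build job should also be removed or acted on.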

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we need to add explicit permissions blocks to the lint-and-test and build jobs. These permissions should be scoped to the minimum required for the jobs to function correctly. Since these jobs do not appear to require write access, we can set contents: read as the minimal permission.

  • Add a permissions block to the lint-and-test job, specifying contents: read.
  • Add a permissions block to the build job, specifying contents: read.

Suggested changeset 1
.github/workflows/python-publish.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -6,2 +6,4 @@
     name: Run linter and tests
+    permissions:
+      contents: read
     uses: ./.github/workflows/Lint-and-test.yml
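Review bot: this hunk targets the same `lint-and-test` job that the first autofix, already committed above, gave a `permissions: contents: read` block (`@@ -6,2 +6,4 @@` sits on that job's `name:` and `uses:` lines), so applying it would leave a duplicate `permissions:` key in the job; drop this hunk and keep only the one for the `build` job.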
@@ -12,2 +14,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
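Review bot: `contents: read` is the right scope for `build`, which only checks out the repository and uploads an artifact, but the `+14` offset in `@@ -12,2 +14,4 @@` assumes the first hunk of this changeset was applied; since that hunk is outdated, apply this one on its own and confirm the resulting file has exactly one `permissions:` block per job.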
EOF
Unable to commit as this autofix suggestion is now outdated
rerpha and others added 2 commits June 30, 2025 11:53
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@rerpha rerpha marked this pull request as ready for review June 30, 2025 10:54
@rerpha rerpha merged commit c53fb93 into main Jun 30, 2025
7 checks passed
@rerpha rerpha deleted the workflows branch June 30, 2025 10:55