Potential fix for code scanning alert no. 1: Workflow does not contain permissions #18
albertomandlate merged 3 commits into main
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Pull request overview
This PR adjusts the CI workflow to mitigate the code scanning alert about the missing permissions block, applying the principle of least privilege to the GITHUB_TOKEN.
Changes:
- Adds `permissions` at the workflow root.
- Sets `contents: read` as the default permission for the jobs.
| permissions: | ||
| contents: read | ||
|
|
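Review bot: this root-level block declares only `contents: read`, and once a `permissions` block exists every scope it does not name is dropped to none for all jobs, including any job added later; if a job must write (the thread mentions artifact upload), the intended fix is a job-level `permissions` override, so add a one-line YAML comment above `permissions:` saying that jobs needing more must override at job level, which stops the next contributor from widening the root block instead.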
With permissions limited to just contents: read, the actions/upload-artifact@v4 step tends to fail for lack of permissions (it normally requires actions: write to create/upload artifacts). To keep least privilege without breaking CI, add actions: write (or set permissions on the build-and-test job only, to actions: write + contents: read).
@copilot apply changes based on the comments in this thread
Agent-Logs-Url: https://github.com/SimansoftMZ/BridgeBank/sessions/515b29be-e413-4608-953f-bb504600e0ac Co-authored-by: albertomandlate <14326204+albertomandlate@users.noreply.github.com>
I adjusted the workflow as discussed in the thread: I added
| permissions: | ||
| contents: read | ||
| actions: write |
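Review bot: `actions: write` placed at the workflow root is granted to every job in the file, not just the one that uploads artifacts, and contradicts the PR description's stated minimal setting of `contents: read`; keep the root at `contents: read`, put `actions: write` (together with `contents: read`, since a job-level block replaces the root block rather than merging with it) under `jobs.build-and-test.permissions`, and note in the description which step needs the write scope.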
The permissions block that was added does not match what was described in the PR ("minimal ... contents: read"): here it also grants actions: write. If actions: write is needed (e.g. for actions/upload-artifact), it would be worth justifying it / updating the description. Alternatively, to keep the principle of least privilege at the root, leave only contents: read at the root and move actions: write to jobs.build-and-test.permissions (only in the job that actually needs it).
@copilot apply changes based on the comments in this thread
Agent-Logs-Url: https://github.com/SimansoftMZ/BridgeBank/sessions/70e32fe2-f68c-46bc-9c6b-43dfd95c1d8d Co-authored-by: albertomandlate <14326204+albertomandlate@users.noreply.github.com>
Done. I kept
Potential fix for https://github.com/SimansoftMZ/BridgeBank/security/code-scanning/1
Add an explicit `permissions` block at the workflow root so all jobs inherit least-privilege token access unless overridden. For this workflow, the minimal and appropriate setting is `contents: read`. This supports `actions/checkout` and typical CI operations without granting unnecessary write scopes. No new imports, methods, or dependencies are needed (YAML workflow change only).

Edit `.github/workflows/ci.yml` by inserting the `permissions` section between the existing `concurrency` block and the `jobs` block (or anywhere at root level), preserving indentation and current behavior.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.