15 changes: 15 additions & 0 deletions .github/workflows/main.yml
@@ -0,0 +1,15 @@
name: .github/workflows/main.yml

on:
workflow_dispatch:
push:
branches: ["master"]

jobs:
verify-artifact:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Echo placeholder
run: echo "Placeholder TrustSignal verify artifact task"
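Review bot: The verify-artifact job declares no `permissions:` block, so the GITHUB_TOKEN it receives carries the repository's default scopes although the job only checks out the tree and runs an echo; add `permissions: contents: read` as a sibling of `runs-on` (or a workflow-level `permissions:` block above `jobs:`). On the same hunk, `uses: actions/checkout@v4` points at a mutable tag, so pin it to the full commit SHA with the tag kept in a trailing comment, and `name:` is set to the file path, which is what the Actions UI will display; a descriptive name such as the "Verify Artifact" integration referred to in the review below reads better. The only step is the placeholder echo, so the job passes without verifying anything, which the P1 comment below already covers.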
Comment on lines +10 to +15

Check warning: Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 days ago

In general, the fix is to add an explicit permissions block that grants only the minimum required scopes for GITHUB_TOKEN. For this workflow, the job only checks out the repository and runs a shell command; it does not need write access, so contents: read is sufficient.

The best fix without changing existing functionality is to add a permissions section scoped to the verify-artifact job. This keeps the change minimal and local. At .github/workflows/main.yml, under jobs: verify-artifact:, add:

permissions:
  contents: read

indented correctly so it is a sibling of runs-on. No imports or additional definitions are needed; this is standard GitHub Actions YAML.

Concretely:

  • Edit .github/workflows/main.yml.
  • Locate the verify-artifact job (lines 9–16).
  • Insert a permissions block between runs-on: ubuntu-latest and steps: (or equivalently just after runs-on), at two spaces of indentation under verify-artifact:.
Suggested changeset 1
.github/workflows/main.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -8,6 +8,8 @@
 jobs:
   verify-artifact:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
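Review bot: The job-level `permissions:` / `contents: read` inserted after `runs-on: ubuntu-latest` is correctly indented as a sibling of `runs-on` and is the right scope for a job that only checks out and runs a shell command. A workflow-level `permissions:` block would also cover any job added to this file later without each author having to remember the key; either placement works. Note that this patch only narrows the token scope and leaves the placeholder echo step untouched, so the P1 finding about the missing verification still stands.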
EOF
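A defender-side check for the condition CodeQL flags above, added here as an example and not part of this PR or of Copilot's output: it walks a workflow file and reports jobs with no permissions block (unless the workflow sets one at top level) plus action references not pinned to a full commit SHA. The sample workflow string is the one added in this PR, reconstructed inline; the function name audit_workflow and the output strings are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the workflow file added in this PR, reproduced as a string.
WORKFLOW_BEFORE = """\
name: .github/workflows/main.yml
on:
  workflow_dispatch:
  push:
    branches: ["master"]
jobs:
  verify-artifact:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Echo placeholder
        run: echo "Placeholder TrustSignal verify artifact task"
"""
# A pinned action reference ends in '@' plus a full 40-hex commit SHA.
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")

def audit_workflow(yaml_text: str) -> List[str]:
    """Report jobs with no permissions block (unless the workflow sets one at top
    level) and 'uses:' references not pinned to a commit SHA. Indentation walk over
    the YAML subset workflow files use; not a general YAML parser."""
    findings: List[str] = []
    workflow_perms, in_jobs, job_indent, current = False, False, None, None
    jobs: Dict[str, bool] = {}  # job id -> has its own permissions block
    for raw in yaml_text.splitlines():
        text = raw.split("#", 1)[0].rstrip()  # drop YAML comments
        if not text.strip():
            continue
        indent = len(text) - len(text.lstrip(" "))
        key, _, value = text.strip().partition(":")
        if indent == 0:  # top-level key: name, on, permissions, jobs, ...
            in_jobs, current = key == "jobs", None
            workflow_perms = workflow_perms or key == "permissions"
        elif in_jobs and (job_indent is None or indent == job_indent) and not key.startswith("-"):
            job_indent, current = indent, key  # a job id directly under jobs:
            jobs[current] = False
        elif current and key == "permissions":
            jobs[current] = True  # job-level block, e.g. 'contents: read' below it
        if key.lstrip("- ") == "uses" and not SHA_PIN.search(value.strip()):
            findings.append(f"step uses '{value.strip()}' is not pinned to a commit SHA")
    if not workflow_perms:
        findings += [f"job '{j}' has no permissions block" for j, ok in jobs.items() if not ok]
    return findings
```

Run against the PR's workflow it reports both the unpinned checkout action and the missing permissions block; with the autofix applied only the pin finding remains.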


P1: Replace placeholder step with real artifact verification

The verify-artifact job never performs any verification because its only task is echo "Placeholder TrustSignal verify artifact task", so this workflow will always pass even when the artifact is missing or invalid. In any push/manual run, this makes the new "Verify Artifact" integration non-functional and removes the intended CI/compliance signal.
