Potential fix for code scanning alert no. 79: Workflow does not contain permissions#149
Conversation
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit f4f1e32.
Commented lines in `.github/workflows/release.yml`:

```yaml
permissions:
  contents: write
  actions: write
```
Unnecessary actions: write permission violates least privilege
Low Severity
The actions: write permission is granted but not needed by any step in this workflow. Standard actions/cache@v4 save/restore operations use the ACTIONS_RUNTIME_TOKEN internally, not the GITHUB_TOKEN, so they don't require actions: write. That permission is only needed for cache deletion via gh cache delete or the REST API, which this workflow doesn't do. Since the PR's stated goal is to apply least-privilege permissions, granting actions: write unnecessarily widens the attack surface by allowing the token to cancel workflow runs, delete artifacts, and manage workflow dispatch events.


Potential fix for https://github.com/devld/go-drive/security/code-scanning/79

Add an explicit `permissions` block to the workflow (or this job) with the least privileges needed by the existing steps. Best single fix here: define workflow-level permissions right after `on:` (before `jobs:`) so all jobs inherit it consistently.

For this workflow: `contents: write` is needed for creating GitHub releases and uploading release assets. `actions/cache` may require `actions: write` for cache save/restore in many setups.

So update `.github/workflows/release.yml` by inserting: between the trigger section and `jobs:`.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
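The least-privilege layout the two reviews above are circling, written out as an added example rather than the go-drive project's own `release.yml`: a read-only workflow-level default, `contents: write` elevated only on the job that publishes the release, and no `actions: write` anywhere, because `actions/cache` authenticates with the runner's ACTIONS_RUNTIME_TOKEN rather than GITHUB_TOKEN. This goes one step past the PR's single workflow-level block by scoping permissions per job. The job names, the Go build steps, the cache path and the `softprops/action-gh-release` action are assumptions chosen for illustration, not taken from the repository.

```yaml
# Added example, not the go-drive repository's actual release.yml.
# Assumed structure: a build job that uses actions/cache, and a separate
# release job that uploads assets with softprops/action-gh-release (assumed).
name: release

on:
  push:
    tags: ["v*"]

# Workflow-level default: read-only. Every job inherits this unless it
# overrides it, so a job added later cannot silently obtain write access,
# and the CodeQL "Workflow does not contain permissions" alert is satisfied.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "1.22"        # assumed version
      # Cache save/restore talks to the cache service with
      # ACTIONS_RUNTIME_TOKEN, not GITHUB_TOKEN, so no `actions:` scope
      # is needed. `actions: write` would only add the ability to cancel
      # runs and delete artifacts/caches, which this workflow never does.
      - uses: actions/cache@v4
        with:
          path: ~/go/pkg/mod
          key: go-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
      - run: go build -o go-drive .
      - uses: actions/upload-artifact@v4
        with:
          name: go-drive
          path: go-drive

  release:
    needs: build
    runs-on: ubuntu-latest
    # Only this job gets write access, and only to `contents`, which is the
    # scope the Releases API needs to create a release and upload assets.
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: go-drive
      - uses: softprops/action-gh-release@v2   # assumed release action
        with:
          files: go-drive
```

To confirm what each job actually received, expand the "Set up job" step in the run log: it prints a "GITHUB_TOKEN Permissions" section listing every scope granted to that job. If the release step fails with a 403 from the Releases API, that list is the first thing to check before widening the block.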
Note

Low Risk

Low risk: only tightens/declares GitHub Actions token permissions for existing workflows, which may require minor adjustment if any step implicitly needed additional scopes.

Overview

Adds explicit workflow-level `permissions` blocks to address code-scanning guidance. `docker-image.yml` now declares `contents: read`, and `release.yml` declares `contents: write` plus `actions: write` so jobs run with explicitly scoped `GITHUB_TOKEN` access.