1.0.8.3 code #66
| description: 'The platforms for which the Docker image should be built. If not specified, defaults to linux/amd64.' | ||
| required: false | ||
| default: 'linux/amd64' | ||
| jobs: | ||
| build-push: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 2 months ago):
To resolve this issue, explicitly define the permissions: block at the root of the workflow in .github/workflows/manual-build.yml. This ensures that the minimal necessary privileges are granted by the GITHUB_TOKEN during workflow execution. As a starting point, if the workflow’s only requirement is to read from the repository or push to pull requests, set contents: read (and add others only if needed). Since the current workflow delegates to a reusable workflow, and there are no direct steps in this workflow file, contents: read is a safe minimal baseline unless you know more privileges are required.
Steps:
- At the top (after name: is standard), insert a permissions: block specifying minimally required permissions, for instance:
permissions:
  contents: read
- This change should be made in .github/workflows/manual-build.yml before the on: block for clarity and inheritance.
| @@ -1,5 +1,7 @@ | ||
| --- | ||
| name: Manual Build & Push | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
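Review bot: a root-level contents: read in this hunk also caps the reusable workflow that the build-push job delegates to, because a called workflow never receives more token scope than its caller's job grants. That is the right default, but this file is "Manual Build & Push": if the reusable build workflow pushes to GitHub Packages with the GITHUB_TOKEN, the build-push job needs its own job-level permissions block adding packages: write; if it pushes with registry credentials passed through secrets: inherit, no extra scope is needed. Check the called workflow before merging rather than discovering it from a failed push.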
| if: github.base_ref == 'develop' && github.event.pull_request.merged == false | ||
| uses: kbase/.github/.github/workflows/reusable_build.yml@main | ||
| with: | ||
| platforms: "linux/amd64" | ||
| secrets: inherit | ||
| build-develop-merge: |
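Review bot: uses: kbase/.github/.github/workflows/reusable_build.yml@main combined with secrets: inherit hands every repository secret to whatever the main branch of kbase/.github contains at run time, since @main is a mutable reference. Pin the reusable workflow to a release tag or a full commit SHA (the same applies to every other kbase/.github reference in this PR), and where the reusable workflow's interface allows it, pass only the secrets the build needs instead of inherit.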
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 2 months ago):
To remediate the problem, the workflow file .github/workflows/pr_build.yml should define a permissions block at either the global (workflow) scope or for each individual job. The least privilege setting, unless jobs require specific write access, is typically contents: read. Since this workflow appears to interact with PRs (labels such as "Tag", "Push", and the use of PR events), it is safest to grant contents: read globally. If specific jobs require write permissions for actions like tagging or merging, their associated jobs can be modified later, but the recommended minimum is:
permissions:
  contents: read
This should be added at the workflow root (just after the name: or on: key), so that all jobs default to these permissions unless specifically overridden. No changes to imports or other definitions are needed.
| @@ -1,5 +1,7 @@ | ||
| --- | ||
| name: Pull Request Build, Tag, & Push | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
| branches: |
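Review bot: this identical two-line insertion at the root of pr_build.yml is proposed once per job alert (the build-main-open, build-main-merge and trivy-scans alerts further down carry the same hunk); it only needs applying once, because a root-level permissions block is inherited by every job in the file and clears all of those alerts together. Any job that later needs more than contents: read gets a job-level permissions override, not a second root block.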
| if: github.base_ref == 'develop' && github.event.pull_request.merged == true | ||
| uses: kbase/.github/.github/workflows/reusable_build-push.yml@main | ||
| with: | ||
| name: '${{ github.event.repository.name }}-develop' | ||
| tags: pr-${{ github.event.number }},latest | ||
| platforms: "linux/amd64" | ||
| secrets: inherit | ||
| build-main-open: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 2 months ago):
To fix the problem, we must add a permissions block to the workflow so that the permissions granted to the GITHUB_TOKEN are restricted according to the principle of least privilege. Ideally, this should be added at the top/root of the workflow, just below the name or before on, so it applies to all jobs unless overridden by specific jobs.
For most build/test workflows that do not require write-level tokens, the minimal default is usually:
permissions:
  contents: read
If the workflow (or any called workflow) needs to create or comment on pull requests, pull-requests: write can also be allowed. But as a minimal fix per the prompt, we will set:
permissions:
  contents: read
This can later be adjusted as needed if more is required, but starting with a minimal read-only approach is best.
Summary of Change:
Edit .github/workflows/pr_build.yml and insert
permissions:
  contents: read
immediately after the name field (after line 2, before line 3 in the snippet).
| @@ -1,5 +1,7 @@ | ||
| --- | ||
| name: Pull Request Build, Tag, & Push | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
| branches: |
| if: (github.base_ref == 'main' || github.base_ref == 'master') && github.event.pull_request.merged == false | ||
| uses: kbase/.github/.github/workflows/reusable_build-push.yml@main | ||
| with: | ||
| name: '${{ github.event.repository.name }}' | ||
| tags: pr-${{ github.event.number }} | ||
| platforms: "linux/amd64" | ||
| secrets: inherit | ||
| build-main-merge: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 2 months ago):
To fix the problem, you should add a permissions block at the root level of the workflow. The minimal and recommended way is to set all permissions to read by default. This means adding the following at the top (after the name: declaration and before on:):
permissions:
  contents: read
If you later find that a particular job requires additional permissions (such as pull-requests: write), you can override it at the relevant job level. However, based on the provided code, there is no explicit sign that more than contents: read is required, so this is a safe least-privilege fix.
How to implement:
- Edit .github/workflows/pr_build.yml.
- Add the following block after the name: label and before the on: block.
- No other changes (such as job-level overrides or added imports) are required, since YAML workflows are declarative.
| @@ -1,5 +1,7 @@ | ||
| --- | ||
| name: Pull Request Build, Tag, & Push | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
| branches: |
| if: (github.base_ref == 'main' || github.base_ref == 'master') && github.event.pull_request.merged == true | ||
| uses: kbase/.github/.github/workflows/reusable_build-push.yml@main | ||
| with: | ||
| name: '${{ github.event.repository.name }}' | ||
| tags: pr-${{ github.event.number }},latest-rc | ||
| platforms: "linux/amd64" | ||
| secrets: inherit | ||
| trivy-scans: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 2 months ago):
To fix this issue, add a permissions block at the top of the workflow (global/root-level, immediately after the name: field and before the on: field). This will explicitly limit the permissions of the GITHUB_TOKEN for all jobs in the workflow, unless a job manually overrides them. The best practice is to grant only the minimal privileges required. For build/test-only workflows, contents: read is often sufficient. For push/tag/PR-related workflows, you may need write permissions on specific scopes, but if most jobs only need read-only access, start with contents: read as a baseline. Since the workflow does builds, pushes, and tags, you might need contents: write and possibly packages: write. However, for minimal starting point and best-practice alignment, start with contents: read, and escalate only when required.
Change to be made:
- Insert a block:
permissions:
  contents: read
(or extend with permissions actually needed such as packages: write, pull-requests: write, etc. if required by actual reusable workflow steps).
Make this change in .github/workflows/pr_build.yml, between name: and on:.
You do not need to modify any code outside this snippet.
| @@ -1,5 +1,7 @@ | ||
| --- | ||
| name: Pull Request Build, Tag, & Push | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
| branches: |
| if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master' ) && github.event.pull_request.merged == false | ||
| uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main | ||
| secrets: inherit |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
| uses: kbase/.github/.github/workflows/reusable_validate-branch.yml@main | ||
| with: | ||
| build_branch: '${{ github.event.release.target_commitish }}' | ||
| validate-release-tag: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 2 months ago):
To fix the problem, an explicit permissions block should be added to the workflow YAML file. The block can be added either at the top-level (to apply to all jobs) or on each job individually. The minimal recommended change is to add the block at the root of the workflow after the name: and before on:, configuring it with least privileges necessary for your workflow. Commonly, setting contents: read suffices for most release processes—if you need to write to pull requests, also add pull-requests: write. In this context, since all jobs use reusable workflows and appear to be only handling release, minimal permissions should suffice. Add the following block (adjust as needed):
permissions:
  contents: read
Insert this after the name: line (line 2) in .github/workflows/release-main.yml.
| @@ -1,5 +1,7 @@ | ||
| --- | ||
| name: Release - Build & Push Image | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| release: | ||
| branches: |
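Review bot: the trailing context lines of this hunk show branches: nested under release:, but the release event supports no branches filter (its only filter is types:), so that key either does nothing or is rejected when the file is parsed, and the branch restriction it was meant to express is not enforced. The check-source-branch job already validates github.event.release.target_commitish through reusable_validate-branch.yml, so the fix is to drop branches: here and restrict the trigger with types: [published] instead, which also stops a created, edited or deleted release event from re-running the build-push job that tags the image latest.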
| needs: check-source-branch | ||
| uses: kbase/.github/.github/workflows/reusable_validate-release-tag.yml@main | ||
| with: | ||
| release_tag: '${{ github.event.release.tag_name }}' | ||
| build-push: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 2 months ago):
To fix this issue, you should add a permissions key at the top level of the workflow YAML file (.github/workflows/release-main.yml). This key should specify the least-privileged set of permissions needed for the workflow. Unless you know of specific requirements, typically for release and build/push operations, "contents: read" is safe, but if any step needs to write to pull requests or issues, you should explicitly enable only those granular permissions. You can start with:
permissions:
  contents: read
If further permissions are needed for specific jobs, you can override them by adding a permissions block for those jobs. For this initial fix, add the above block at the top-level of the workflow immediately after the name: key (line 2).
| @@ -1,5 +1,7 @@ | ||
| --- | ||
| name: Release - Build & Push Image | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| release: | ||
| branches: |
| needs: validate-release-tag | ||
| uses: kbase/.github/.github/workflows/reusable_build-push.yml@main | ||
| with: | ||
| name: '${{ github.event.repository.name }}' | ||
| tags: '${{ github.event.release.tag_name }},latest' | ||
| platforms: "linux/amd64" | ||
| secrets: inherit |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 2 months ago):
The best way to fix this issue is to add an explicit permissions: block to the root of the workflow file, restricting permissions to the minimum necessary for the jobs to execute successfully. Since this workflow is triggered on release events and calls other reusable workflows that likely handle release, tag, and build actions, the most restrictive sensible minimal permissions set is likely contents: read (for reading repository contents and metadata) and possibly packages: write or pull-requests: write if publishing images or updating pull requests is required. If you're unsure, start with just contents: read and expand as jobs fail due to lack of permissions. The change should be made near the top of .github/workflows/release-main.yml, immediately following the name: field and before on:.
| @@ -1,5 +1,7 @@ | ||
| --- | ||
| name: Release - Build & Push Image | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| release: | ||
| branches: |
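The release workflow above, written out as an added example that is not the kbase project's own file, shows the shape the autofix comments keep describing and the one caveat they leave implicit: a root-level read-only default, with a job-level override only on the job whose reusable workflow has to push an image. Job names, inputs and the reusable-workflow paths are taken from the PR; the commit SHA placeholder, the types: [published] filter and the packages: write scope are assumptions.

```yaml
# Added example, not the kbase project's workflow. Root-level permissions
# are the ceiling for every job, and a called reusable workflow can never
# receive more than its calling job grants, so the override lives on the
# calling job. <commit-sha> is a placeholder for a pinned full SHA.
---
name: Release - Build & Push Image (example)

permissions:
  contents: read          # default for every job in this file

on:
  release:
    types: [published]    # the release event has no branches: filter

jobs:
  check-source-branch:
    uses: kbase/.github/.github/workflows/reusable_validate-branch.yml@<commit-sha>
    with:
      build_branch: '${{ github.event.release.target_commitish }}'

  validate-release-tag:
    needs: check-source-branch
    uses: kbase/.github/.github/workflows/reusable_validate-release-tag.yml@<commit-sha>
    with:
      release_tag: '${{ github.event.release.tag_name }}'

  build-push:
    needs: validate-release-tag
    # Job-level override: only this job's called workflow may publish a
    # package with the GITHUB_TOKEN; every other job keeps the read-only token.
    permissions:
      contents: read
      packages: write     # assumption: image is pushed to GitHub Packages
    uses: kbase/.github/.github/workflows/reusable_build-push.yml@<commit-sha>
    with:
      name: '${{ github.event.repository.name }}'
      tags: '${{ github.event.release.tag_name }},latest'
      platforms: "linux/amd64"
    secrets: inherit
```

If the reusable build-push workflow authenticates to the registry with credentials supplied through secrets rather than with the GITHUB_TOKEN, the packages: write line can be dropped and build-push simply inherits the root-level read-only token; the job-level block is the place to widen scope either way, never the root.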
No description provided.