
Potential fix for code scanning alert no. 504: Workflow does not contain permissions #62

Merged
mariofix merged 1 commit into main from alert-autofix-504
Mar 1, 2026

Conversation

@mariofix (Owner) commented Mar 1, 2026

Potential fix for https://github.com/mariofix/pyflowcl/security/code-scanning/504

In general, the fix is to explicitly restrict the GITHUB_TOKEN permissions in the workflow by adding a permissions: block, either at the root (applying to all jobs) or within the tests job. Since this workflow only checks out code, runs tests, uploads coverage to external services, and uploads an artifact, it only needs read access to repository contents. No steps require write access to issues, pull requests, or repository contents.

The best fix without changing functionality is to add a root-level permissions: block immediately after the name: line, setting contents: read. This will apply to all jobs (currently just tests) that do not override permissions and will satisfy CodeQL’s requirement for explicit, least-privilege configuration. No imports or additional methods are needed because this is a YAML configuration change only.

Concretely:

  • Edit .github/workflows/tests_coverage.yml.
  • After line 1 (name: Tests&Coverage), insert:

        permissions:
          contents: read

This keeps the workflow behavior identical while ensuring the GITHUB_TOKEN cannot write to repository contents by default.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Mario Hernandez <mariofix@proton.me>
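The check behind this alert and the fix the description proposes, as an added example that is not part of pyflowcl or of this PR: a small Python script that scans a GitHub Actions workflow for a missing permissions: block (at the root, or on each job that does not inherit one) and then applies the same change, inserting `permissions: contents: read` after the name: line. The workflow texts embedded below are constructed samples shaped like the workflow the description summarises, not the repository's tests_coverage.yml, and the parsing is a deliberate indentation-based heuristic rather than a full YAML parser (list items and the lines inside `run: |` scripts are skipped on purpose).

```python
"""Find GitHub Actions jobs that run with the default GITHUB_TOKEN grant.

Added example: an indentation-based heuristic (not a YAML parser) that reports
jobs with no `permissions:` key at the workflow root or on the job itself, and
applies the root-level `contents: read` fix described in the PR.
"""
import re
import sys
from typing import Dict, List, Tuple

# Matches a plain "key: value" mapping line. List items ("- uses: ...") and
# script lines inside "run: |" blocks do not match and are skipped on purpose.
_KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+)\s*:(.*)$")


def _keys(text: str) -> List[Tuple[int, str, str]]:
    """Return (indent, key, value) for each mapping line, ignoring blanks and comments."""
    found = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KEY_RE.match(line)
        if m:
            found.append((len(m.group(1)), m.group(2), m.group(3).strip()))
    return found


def _jobs_with_own_permissions(keys: List[Tuple[int, str, str]]) -> Dict[str, bool]:
    """Map each job id to whether that job declares its own permissions: key."""
    jobs: Dict[str, bool] = {}
    try:
        start = next(i for i, (ind, k, _) in enumerate(keys) if ind == 0 and k == "jobs")
    except StopIteration:
        return jobs                      # no jobs: mapping at all
    body = []
    for indent, key, value in keys[start + 1:]:
        if indent == 0:                  # the next root-level key ends the jobs: mapping
            break
        body.append((indent, key, value))
    if not body:
        return jobs
    job_indent = min(indent for indent, _, _ in body)
    current = None
    child_indent = None
    for indent, key, _ in body:
        if indent == job_indent:         # a new job id
            current, child_indent = key, None
            jobs[current] = False
        elif current is not None:
            if child_indent is None:     # first nested key fixes the direct-child depth
                child_indent = indent
            if indent == child_indent and key == "permissions":
                jobs[current] = True
    return jobs


def find_missing_permissions(text: str) -> List[str]:
    """Job ids that inherit the default token permissions.

    An empty result means the root declares permissions: (which covers every
    job that does not override it) or every job declares its own.
    """
    keys = _keys(text)
    if any(indent == 0 and key == "permissions" for indent, key, _ in keys):
        return []
    return [job for job, own in _jobs_with_own_permissions(keys).items() if not own]


def add_root_read_permissions(text: str) -> str:
    """Insert a root-level 'permissions: contents: read' after the name: line (else at the top)."""
    lines = text.splitlines()
    at = next((i + 1 for i, line in enumerate(lines) if re.match(r"^name\s*:", line)), 0)
    lines[at:at] = ["permissions:", "  contents: read"]
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


# Constructed sample shaped like the workflow the PR describes (not the real file).
WORKFLOW_BEFORE = """\
name: Tests&Coverage
on:
  push:
    branches: [main]
  pull_request:
jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: |
          pip install -e .[test]
          pytest --cov
      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: coverage.xml
"""

# Constructed sample: one job sets its own permissions, the other inherits the default.
WORKFLOW_MIXED = """\
name: Release
on:
  release:
    types: [published]
jobs:
  tests:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - run: pytest
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: echo "would publish here"
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else WORKFLOW_BEFORE
    missing = find_missing_permissions(src)
    print("jobs using default GITHUB_TOKEN permissions:", missing or "none")
```

Run it against a workflow path to list the jobs that would inherit the repository's default token grant; the root-level insertion mirrors the PR's change, while the per-job detection covers the case the description mentions where a job overrides the root block itself.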
@mariofix mariofix marked this pull request as ready for review March 1, 2026 06:16
@mariofix mariofix merged commit fb9c59a into main Mar 1, 2026
6 of 10 checks passed
@mariofix mariofix deleted the alert-autofix-504 branch March 1, 2026 06:16

codacy-production bot commented Mar 1, 2026

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation: +0.00% (target: -1.00%)

Coverage variation details

                                  Coverable lines  Covered lines  Coverage
Common ancestor commit (f7aeb52)  213              207            97.18%
Head commit (08281e6)             213 (+0)         207 (+0)       97.18% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

                      Coverable lines  Covered lines  Diff coverage
Pull request (#62)    0                0              ∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%


@coveralls commented

Coverage Status

coverage: 97.333%, remained the same when pulling 08281e6 on alert-autofix-504 into f7aeb52 on main.
