| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Install Power Platform Tools | ||
| uses: microsoft/powerplatform-actions/actions-install@v1 | ||
| with: | ||
| pac-version-override: 2.4.1 No newline at end of file |
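Review bot: The `uses: microsoft/powerplatform-actions/actions-install@v1` line pins the action to a mutable tag, so the code this job runs can change without any change to this file; pin it to a full commit SHA and keep the version in a trailing comment. The file also ends without a newline after `pac-version-override: 2.4.1`; add one.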
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 25 days ago
In general, the fix is to explicitly declare a permissions block for the workflow or the specific job so that GITHUB_TOKEN has only the minimal required scopes. For a simple job that just installs tooling and does not interact with repository contents, a fully read‑only or even permissions: {} configuration is usually sufficient. Since we cannot see any additional steps that might need write access, the safest non‑disruptive minimal starting point recommended by GitHub is permissions: contents: read.
The best way to fix this specific workflow without changing behavior is to add a top‑level permissions block (applies to all jobs) directly under the on: section. This avoids modifying the job structure and clearly documents the default permissions. We will add:
permissions:
  contents: read

between the on: block and the jobs: block in .github/workflows/fic-auth.yml. No imports or additional methods are needed, as this is pure YAML configuration for GitHub Actions.
| @@ -3,6 +3,9 @@ | ||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| who-am-i: | ||
|
|
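Review bot: `contents: read` at workflow level may still be broader than the `who-am-i` job needs; the only step shown installs the Power Platform tools and never checks out the repository, so `permissions: {}` would be tighter if the remaining steps do not read repository contents. Declaring this block also sets every unlisted scope to none, so if a later step in this job requests an OIDC token it will need `id-token: write` added alongside.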
No description provided.
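The condition behind this alert, as an added example that is not part of the PR or of CodeQL: a small Python check that reports jobs inheriting the default GITHUB_TOKEN scopes because neither the workflow nor the job declares `permissions`. The sample workflow is reconstructed from the fragments shown above, and the indentation-based parsing assumes block-style YAML.

```python
import re

# Constructed sample: the workflow fragments shown on this page, before the fix.
BEFORE = """\
on:
  workflow_dispatch:

jobs:
  who-am-i:
    runs-on: ubuntu-latest
    steps:
      - name: Install Power Platform Tools
        uses: microsoft/powerplatform-actions/actions-install@v1
"""
# The same workflow with the suggested top-level block applied.
AFTER = BEFORE.replace("jobs:", "permissions:\n  contents: read\n\njobs:", 1)

KEY = re.compile(r"([A-Za-z0-9_-]+)\s*:")  # a plain mapping key; list items do not match

def jobs_without_permissions(workflow_text):
    """Return ids of jobs covered by no workflow-level or job-level permissions key."""
    top_level = in_jobs = False
    job_indent = key_indent = current = None
    declared = {}  # job id -> job has its own permissions key
    for raw in workflow_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(stripped)
        m = KEY.match(stripped)
        if indent == 0:                          # top-level key of the workflow
            in_jobs = stripped.startswith("jobs:")
            top_level = top_level or stripped.startswith("permissions:")
            continue
        if not in_jobs or m is None:
            continue
        job_indent = job_indent or indent        # first key under jobs: is a job id
        if indent == job_indent:
            current, key_indent = m.group(1), None
            declared[current] = False
        elif current is not None:
            key_indent = key_indent or indent    # indent of the job's direct keys
            if indent == key_indent and m.group(1) == "permissions":
                declared[current] = True
    return [] if top_level else [job for job, ok in declared.items() if not ok]

if __name__ == "__main__":
    print("before:", jobs_without_permissions(BEFORE), "after:", jobs_without_permissions(AFTER))
```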