Conversation
srikanthlogic
commented
Feb 11, 2026
- Postman to Bruno
- Technical debt clearance
- MCP Server
- Agent Skills
```yaml
    runs-on: ubuntu-latest
    steps:
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 18

      - name: Check out repository code and Install
        uses: actions/checkout@v4
      - run: npm install
      - run: npm run generateoas
      - run: npm start & npx wait-on http://localhost:3000
      - run: npm test
```
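Review bot: the `npm start & npx wait-on http://localhost:3000` step has no timeout, so if the server never comes up the job hangs until the runner's job limit instead of failing fast; `wait-on` waits indefinitely unless `-t` is given, so consider `npx wait-on -t 60000 http://localhost:3000` (value is a suggestion) plus a job-level `timeout-minutes`. Two smaller points on the same region: `node-version: 18` is past its end of life (April 2025), and `npm install` can resolve differently from the lockfile across runs, so `npm ci` is the reproducible choice for CI. The job also has no `permissions:` block, which is the CodeQL finding below.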
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Copilot Autofix (AI) commented 23 days ago
In general, this issue is fixed by adding an explicit permissions block that scopes the GITHUB_TOKEN to the least privileges required. This can be done either at the workflow root (applies to all jobs) or within the specific job. Since this workflow has a single job and appears to only need read access to clone the repository, contents: read is sufficient as a minimal starting point.
The best fix without changing existing functionality is to add a permissions section at the workflow root, directly under the name: (or on:) key. This will apply to all jobs (currently only bruno) and ensure the GITHUB_TOKEN is restricted to repository contents read access, which is enough for actions/checkout and typical Node-based CI steps. No additional imports, methods, or definitions are required—this is purely a YAML configuration change in .github/workflows/bruno.yml, around lines 1–4, adding:
```yaml
permissions:
  contents: read
```

@@ -1,5 +1,8 @@

```yaml
name: Bruno Run

permissions:
  contents: read

on:
  workflow_dispatch:
  push:
```
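Review bot: declaring `permissions:` at the workflow root with only `contents: read` implicitly sets every other GITHUB_TOKEN scope (issues, pull-requests, packages, id-token, and so on) to none, so confirm no step in the `bruno` job needs more than a checkout before merging. For the steps shown (actions/checkout, npm install/test against a local server), read-only contents is sufficient and this is the correct least-privilege fix; placing the block between `name:` and `on:` is valid YAML for a workflow file.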