Update 8hobbies/workflows digest to abd9589 #209
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| jobs: | ||
| lint: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@00e84568aa8441faba7d53d88666b78e19c677d7 | ||
| uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@abd958951e5f7fe9cdc2b25bf6686a4ba5b5c47e |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 days ago
In general, to fix this issue you add an explicit permissions: block either at the workflow root (applies to all jobs) or under the specific job. For a lint job that just checks code, contents: read is typically sufficient, and you can tighten further if you know it needs even less. This ensures the GITHUB_TOKEN cannot be used to perform unintended write operations.
For this specific workflow in .github/workflows/lint.yml, the simplest and least disruptive fix is to add a minimal permissions: block at the top workflow level, just below name: Lint (before on:). That will apply to the lint job since it has no overriding permissions. We will set permissions: contents: read, which is a safe default for read‑only operations like linting. No imports or additional methods are needed because this is a YAML configuration change only.
| @@ -17,6 +17,9 @@ | ||
|
|
||
| name: Lint | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: ["master"] |
This PR contains the following updates:
00e8456->abd9589Configuration
📅 Schedule: Branch creation - "on Sunday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.