-
Notifications
You must be signed in to change notification settings - Fork 0
Update 8hobbies/workflows digest to 00e8456 #285
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,6 +19,6 @@ | |
| tags: ["v*"] | ||
| jobs: | ||
| build: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@7a5030fa297abb7a4eac4a015cc0186fd4809ba7 | ||
| uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@00e84568aa8441faba7d53d88666b78e19c677d7 | ||
| secrets: | ||
| npm-auth-token: ${{ secrets.NPM_TOKEN }} | ||
Check warningCode scanning / CodeQL Workflow does not contain permissions Medium
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
|
||
| Original file line number | Diff line number | Diff line change | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -22,4 +22,4 @@ | ||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||
| jobs: | |||||||||||||||||||||||||||||
| test: | |||||||||||||||||||||||||||||
| uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@7a5030fa297abb7a4eac4a015cc0186fd4809ba7 | |||||||||||||||||||||||||||||
| uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@00e84568aa8441faba7d53d88666b78e19c677d7 | |||||||||||||||||||||||||||||
Check warningCode scanning / CodeQL Workflow does not contain permissions Medium
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
Copilot AutofixAI 24 days ago To fix this problem, you should add an explicit Add the following block immediately after permissions:
contents: readThis ensures jobs run with read-only access and narrows the risk of accidental or malicious modification of repository state. If more permissions are needed by the underlying workflow or specific steps, they can be granted as needed—otherwise, read-only is safest. To implement:
Suggested changeset
1
.github/workflows/runtime.yml
Copilot is powered by AI and may make mistakes. Always verify output.
Refresh and try again.
|
|||||||||||||||||||||||||||||
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 24 days ago
The best solution is to explicitly set the
permissionskey at the root of the workflow (global level), ensuring that any job (including the delegatedlintjob) runs with only the required permissions. For a linting workflow that checks code but does not need to modify the repo, the minimum safe value is likelycontents: read. This should be added after thename:declaration and before theon:block (i.e., before any jobs or triggers), to reduce token privileges for all jobs unless overwritten.No additional methods, imports, or variable definitions are needed. The only change is to add a YAML block.