Merged
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
@@ -22,4 +22,4 @@

jobs:
lint:
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@00e84568aa8441faba7d53d88666b78e19c677d7
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@abd958951e5f7fe9cdc2b25bf6686a4ba5b5c47e
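Review bot: the hunk gives no way to see what changed in npm-lint.yml between 00e84568aa8441faba7d53d88666b78e19c677d7 and abd958951e5f7fe9cdc2b25bf6686a4ba5b5c47e; pinning to a full commit SHA is the right choice, but a bare SHA bump should carry the upstream tag or compare link in a trailing comment on the `uses:` line or in the PR description, so a reviewer can check that this caller's inputs are still valid for the new revision. The CodeQL warning attached below is pre-existing: the unchanged `jobs:` and `lint:` context shows the job has never declared `permissions`.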

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 12 days ago

In general, this problem is fixed by explicitly declaring a permissions block either at the root of the workflow (to apply to all jobs) or inside the specific job that uses the GITHUB_TOKEN. For a lint workflow that only needs to fetch code and run checks, contents: read is typically sufficient. This constrains GITHUB_TOKEN to read-only access to repository contents, rather than inheriting potentially broader read-write defaults.

The single best fix here, without changing functionality, is to add a root-level permissions block just after the name: line (or before jobs:) in .github/workflows/lint.yml, specifying contents: read. A root-level block will apply to the lint job unless that job or the called reusable workflow requests narrower permissions. Since this workflow appears only to run linting via a reusable workflow, read-only repository contents access is appropriate and should not break existing behavior.

Concretely:

  • Edit .github/workflows/lint.yml.

  • Insert:

    permissions:
      contents: read

    between the name: Lint line and the on: block. No imports or additional methods are needed, as this is pure YAML configuration.

Suggested changeset 1
.github/workflows/lint.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,6 +14,9 @@
 
 name: Lint
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["master"]
EOF
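Review bot: the root-level `permissions:` block is also an upper bound for the reusable workflow on the `uses:` line, since a called workflow can only narrow the permissions its caller grants, never widen them; if npm-lint.yml at the new SHA requests anything beyond `contents: read` (for example `pull-requests: write` to post annotations), the run is rejected at the permissions check, so confirm its requirements before applying this patch.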
Copilot is powered by AI and may make mistakes. Always verify output.
2 changes: 1 addition & 1 deletion .github/workflows/pages.yml
@@ -25,4 +25,4 @@ jobs:
permissions:
pages: write
id-token: write
uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@00e84568aa8441faba7d53d88666b78e19c677d7
uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@abd958951e5f7fe9cdc2b25bf6686a4ba5b5c47e
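Review bot: `id-token: write` here means the called npm-doc-pages.yml can mint OIDC tokens in this repository's name, so the SHA bump on the `uses:` line should be reviewed against the upstream diff between the two commits, not only for the new SHA being well-formed. The explicit job-level block is also why this file is the one caller in the PR that CodeQL does not flag; the same pattern (a job-level `permissions` key) would close the other four warnings.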
2 changes: 1 addition & 1 deletion .github/workflows/publish-dry-run.yml
@@ -22,4 +22,4 @@

jobs:
run:
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@00e84568aa8441faba7d53d88666b78e19c677d7
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@abd958951e5f7fe9cdc2b25bf6686a4ba5b5c47e
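Review bot: `run` has no `permissions` key and there is none at the root either, so the reusable workflow receives the repository's default GITHUB_TOKEN, which is the permissive read-write default on repositories that have not switched to the restricted default. A dry-run publish should not need anything beyond `contents: read`; adding that at the root in the same PR that bumps the pin would close the CodeQL warning shown below instead of leaving it open after merge.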

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 12 days ago

Generally, the fix is to add an explicit permissions block that limits the default GITHUB_TOKEN scope to the minimum required. This can be declared either at the workflow root (applies to all jobs) or under the specific job. Since this workflow only has a single run job and delegates to another workflow, the cleanest approach is to set permissions at the workflow root so any future jobs also inherit restricted permissions by default.

Concretely, in .github/workflows/publish-dry-run.yml, insert a permissions: section between the name: and on: keys. For a publish dry run that should only need to read repository contents and metadata for dependency installation and tests, contents: read is a safe starting point. If the called workflow truly needs broader permissions (e.g., to write to packages or create releases), those can be further specialized in the called workflow itself; the local workflow does not need to grant write permissions unless explicitly required. No imports or additional methods are necessary because this is a YAML configuration file.

Suggested changeset 1
.github/workflows/publish-dry-run.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-dry-run.yml b/.github/workflows/publish-dry-run.yml
--- a/.github/workflows/publish-dry-run.yml
+++ b/.github/workflows/publish-dry-run.yml
@@ -14,6 +14,9 @@
 
 name: Publish Dry Run
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["master"]
EOF
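Review bot: the explanation above has the delegation backwards: the caller's block is a ceiling that the called npm-publish-dry-run.yml can only lower, so broader permissions cannot be "further specialized in the called workflow itself". The patch is still the right change; it just means anything the reusable workflow needs beyond `contents: read` (for example `packages: read`) has to be granted in this file, not upstream.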
2 changes: 1 addition & 1 deletion .github/workflows/publish.yml
@@ -19,6 +19,6 @@
tags: ["v*"]
jobs:
build:
uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@00e84568aa8441faba7d53d88666b78e19c677d7
uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@abd958951e5f7fe9cdc2b25bf6686a4ba5b5c47e
secrets:
npm-auth-token: ${{ secrets.NPM_TOKEN }}
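Review bot: `npm-auth-token: ${{ secrets.NPM_TOKEN }}` forwards a publishing credential to the reusable workflow, so this one-line pin bump changes which upstream code can read NPM_TOKEN; the diff of npm-publish.yml between the two commits is the thing to review, and the `secrets:` block should be checked against it. Separately, `build` declares no `permissions` (CodeQL flags it below): since publishing uses NPM_TOKEN rather than GITHUB_TOKEN, `contents: read` is likely enough, unless the upstream workflow requests `id-token: write` for npm provenance, which this caller would have to grant explicitly.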

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
2 changes: 1 addition & 1 deletion .github/workflows/runtime.yml
@@ -22,4 +22,4 @@

jobs:
test:
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@00e84568aa8441faba7d53d88666b78e19c677d7
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@abd958951e5f7fe9cdc2b25bf6686a4ba5b5c47e
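Review bot: the `test` job inherits the default GITHUB_TOKEN permissions (CodeQL warning below). The hardening matters most for pushes and same-repository PR branches; `pull_request` runs from forks are already capped at read-only by GitHub, so an explicit `contents: read` mainly narrows what a compromised test dependency could do with the token on trusted branches.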

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 12 days ago

To fix the problem, explicitly set permissions for the workflow or for the test job so that the GITHUB_TOKEN has only the minimal required scopes. Since this file triggers tests on push and pull_request and delegates all work to a reusable workflow, the safest and simplest approach is to set a restrictive default at the workflow root, which applies to all jobs that do not override it.

The single best fix without changing functionality is to add a root-level permissions: block with contents: read, which is a common minimal starting point for CI workflows that only need to read the repository. If the reusable workflow requires additional scopes (e.g., packages: read), those would be added there as needed, but we cannot infer that from the snippet, so we stick to a minimal yet standard configuration. Concretely, in .github/workflows/runtime.yml, add a permissions: section after the on: block and before jobs:. No imports or additional definitions are needed because this is a YAML workflow configuration change only.

Suggested changeset 1
.github/workflows/runtime.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/runtime.yml b/.github/workflows/runtime.yml
--- a/.github/workflows/runtime.yml
+++ b/.github/workflows/runtime.yml
@@ -20,6 +20,9 @@
   pull_request:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@abd958951e5f7fe9cdc2b25bf6686a4ba5b5c47e
EOF
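Review bot: this patch places `permissions:` between `on:` and `jobs:`, whereas the lint.yml and publish-dry-run.yml autofixes place it between `name:` and `on:`; all are root-level keys and behave identically, but the callers in this repository should use one placement for consistency. The root grant is also a ceiling for the reusable workflow on the `uses:` line: if npm-runtime.yml at the new SHA needs more than `contents: read`, it must be granted here, since a called workflow cannot raise the caller's grant.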
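The three autofix explanations above (lint.yml, publish-dry-run.yml, runtime.yml) all describe the same two review points: every caller should declare `permissions`, and every `uses:` reference should stay pinned to a full commit SHA. The following checker is an added example, not code from this PR or from the 8hobbies/workflows project; it is line-based on purpose so it needs no YAML library, and it handles the flat caller layout seen in this diff rather than arbitrary YAML. The sample workflow texts are constructed: the diff only shows the `uses:` line of each caller, so the surrounding lines are assumed.

```python
import re

# Full 40-hex commit SHA; tags and branches such as v4 or main do not match.
SHA_RE = re.compile(r"[0-9a-f]{40}")
# `uses:` either as a job key (reusable workflow) or a step item (`- uses:`).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def has_root_permissions(text):
    """True if the workflow declares `permissions` at the top level."""
    return any(line.startswith("permissions:") for line in text.splitlines())


def jobs_without_permissions(text):
    """Job ids under `jobs:` that have no `permissions` key of their own."""
    jobs, with_perms = [], set()
    in_jobs, job_indent, body_indent, current = False, None, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        ind = _indent(line)
        if ind == 0:                      # a new top-level key
            in_jobs = stripped.startswith("jobs:")
            current = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind              # indentation of the job ids
        if ind == job_indent:
            if stripped.endswith(":"):
                current = stripped[:-1]
                body_indent = None
                jobs.append(current)
            continue
        if current is None:
            continue
        if body_indent is None:
            body_indent = ind             # indentation of keys inside a job
        if ind == body_indent and stripped.startswith("permissions:"):
            with_perms.add(current)
    return [job for job in jobs if job not in with_perms]


def unpinned_uses(text):
    """`uses:` references whose ref is not a full commit SHA."""
    found = []
    for line in text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue                      # local path or image, no git ref
        _, _, version = ref.partition("@")
        if not SHA_RE.fullmatch(version):
            found.append(ref)
    return found


def check_workflow(text):
    """Findings for one workflow file; an empty list means it passes."""
    findings = []
    if not has_root_permissions(text):
        for job in jobs_without_permissions(text):
            findings.append(f"job '{job}' inherits default GITHUB_TOKEN permissions")
    for ref in unpinned_uses(text):
        findings.append(f"'{ref}' is not pinned to a commit SHA")
    return findings


# Constructed samples (assumed file contents, not files from the repository).
LINT_BEFORE = """\
name: Lint

on:
  push:
    branches: ["master"]
  pull_request:
    branches: ["master"]

jobs:
  lint:
    uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@abd958951e5f7fe9cdc2b25bf6686a4ba5b5c47e
"""
# Same file with the autofix applied at the root.
LINT_AFTER = LINT_BEFORE.replace("on:\n", "permissions:\n  contents: read\n\non:\n", 1)

PAGES = """\
name: Pages
on:
  push:
    branches: ["master"]
jobs:
  deploy:
    permissions:
      pages: write
      id-token: write
    uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@abd958951e5f7fe9cdc2b25bf6686a4ba5b5c47e
"""

# Hypothetical non-reusable job: job-level permissions present, step pinned to a tag.
STEPS = """\
name: Test
on: [push]
jobs:
  test:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
"""

if __name__ == "__main__":
    for name, text in [("lint (before)", LINT_BEFORE), ("lint (after)", LINT_AFTER),
                       ("pages", PAGES), ("steps", STEPS)]:
        print(name, check_workflow(text) or "ok")
```

Run it over `.github/workflows/*.yml` by reading each file into `check_workflow`; a job-level `permissions` key (as in pages.yml) satisfies the first check just as a root-level one does, and a step pinned to a tag such as `@v4` is reported even when the workflow's permissions are fine.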