fix docker conf #267
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup pnpm | ||
| uses: pnpm/action-setup@v4 | ||
| with: | ||
| version: 10 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| cache: 'pnpm' | ||
|
|
||
| - name: Install dependencies | ||
| run: pnpm install --frozen-lockfile | ||
|
|
||
| - name: Build project | ||
| run: pnpm build | ||
|
|
||
| - name: Upload build artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: pearl-jam | ||
| path: dist | ||
|
|
||
| docker: |
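Review bot: every action in this job is pinned only to a floating major tag (actions/checkout@v4, pnpm/action-setup@v4, actions/setup-node@v4, actions/upload-artifact@v4), so a retagged or compromised release would flow straight into the build and, through the pearl-jam artifact, into the image the docker job publishes; pin each `uses:` to a full commit SHA with the version in a trailing comment and let Dependabot's github-actions updates move the pins. The job also inherits the repository's default GITHUB_TOKEN scopes because the workflow declares no permissions: block, which is the CodeQL finding attached to this line.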
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
In general, the fix is to explicitly define a permissions: block to restrict the GITHUB_TOKEN to the minimum scopes required. Since this workflow only needs to read the repository contents (for actions/checkout and build context) and does not use GITHUB_TOKEN to perform any write operations, we can safely set contents: read as the only permission. We can define this either at the workflow root (applying to all jobs) or per job. The simplest and clearest is to add a workflow-level permissions: block directly under the name: line.
Concretely, in .github/workflows/early-docker-image.yml, insert:
    permissions:
      contents: read
between the existing name: Early Docker image publishing and on: keys. This will apply to both build and docker jobs. No other code, steps, or secrets handling needs to change, and no imports or external dependencies are required.
| @@ -1,5 +1,8 @@ | ||
| name: Early Docker image publishing | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches-ignore: |
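Review bot: the suggested top-level permissions: contents: read is the right minimal scope for this file: the only write the workflow performs is the DockerHub push, which authenticates with secrets.DOCKERHUB_USERNAME and secrets.DOCKERHUB_TOKEN rather than GITHUB_TOKEN, so no step loses access. CodeQL raises one alert per job, and this single workflow-level block closes both; if a job later needs more (for example packages: write to publish to GHCR), give that job its own job-level permissions: block instead of widening the workflow default.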
| needs: build | ||
| runs-on: ubuntu-latest | ||
| if: startsWith(github.ref, 'refs/heads/') && | ||
| github.ref != 'refs/heads/main' && | ||
| github.ref != 'refs/heads/develop' | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 2 | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Log in to DockerHub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Download build artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: pearl-jam | ||
| path: dist | ||
|
|
||
| - name: Debug runner filesystem | ||
| run: | | ||
| ls -al . | ||
| echo "Listing root /" | ||
| ls -al / | ||
| echo "Listing repository checkout directory" | ||
| ls -al $GITHUB_WORKSPACE | ||
| echo "Listing dist artifact folder" | ||
| ls -al dist | ||
|
|
||
| - name: Read project version from package.json | ||
| id: version | ||
| run: echo "version=$(jq -r .version package.json)" >> $GITHUB_OUTPUT | ||
| - name: Build and push Docker image | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: '.' | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: true | ||
| tags: | | ||
| inseefr/pearl-jam:${{ github.ref_name }}-${{ steps.version.outputs.version }} | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max No newline at end of file |
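Review bot: the tag inseefr/pearl-jam:${{ github.ref_name }}-${{ steps.version.outputs.version }} is invalid for any branch whose name contains a slash (feature/xyz), because / is not permitted in a Docker tag, so docker/build-push-action will fail at push time on exactly the feature branches this job is gated to; derive a sanitized tag in the version step, e.g. `echo "tag=$(echo "$GITHUB_REF_NAME" | tr '/' '-')" >> "$GITHUB_OUTPUT"`, and reference steps.version.outputs.tag instead. The Debug runner filesystem step (ls -al /, ls -al $GITHUB_WORKSPACE, ls -al dist) reads as leftover troubleshooting and should be dropped before merge so the publish log does not carry a listing of the runner's filesystem; the version step should also quote "$GITHUB_OUTPUT" as the other shell expansions in this file do.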
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
In general, the fix is to add a permissions block that limits the GITHUB_TOKEN to the minimum required scopes. For workflows that only need to read repository contents (e.g., checkout, builds, and publishing to external registries with secrets), the minimal suitable setting is usually contents: read at the workflow or job level. This documents the intended permissions and prevents unintended write access if repository defaults are broad.
For this specific workflow in .github/workflows/early-docker-image.yml, neither the build nor docker job needs to write to the repository via the GITHUB_TOKEN; they only read source code and use secrets to log in to Docker Hub, plus GitHub’s artifact storage. Therefore, the best fix is to add a top-level permissions section after the name: (or after on:) with contents: read. This will apply to both jobs since they don’t define their own permissions. No additional imports or actions are required, and existing functionality will be unchanged because none of the steps currently rely on write permissions to the repository.
Concretely:
- Edit .github/workflows/early-docker-image.yml.
- Insert:
    permissions:
      contents: read
  near the top level of the workflow (e.g., between name: and on:, or between on: and jobs:).
- Do not modify any steps, actions, or other configuration.
| @@ -1,5 +1,8 @@ | ||
| name: Early Docker image publishing | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches-ignore: |
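Review bot: this is the same insertion the first alert's autofix proposes; the two alerts are the build and docker jobs of one file, and a single top-level permissions: contents: read resolves both, so it only needs applying once.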
No description provided.