Skip to content

ci: add required Identity workflow (push)#75

Merged
verifrax-systems merged 1 commit intomainfrom
midiakiasat/add-identity/cicullis
Mar 3, 2026
Merged

ci: add required Identity workflow (push)#75
verifrax-systems merged 1 commit intomainfrom
midiakiasat/add-identity/cicullis

Conversation

@midiakiasat
Copy link
Member

@midiakiasat midiakiasat commented Mar 3, 2026

Governance audit requires a workflow named exactly "Identity" on push to main. Adds identity.yml only; preserves existing required checks.

@verifrax-systems verifrax-systems enabled auto-merge (squash) March 3, 2026 15:27
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 3, 2026
View reviewed changes
@verifrax-systems verifrax-systems self-requested a review March 3, 2026 16:00
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 3, 2026
View reviewed changes
.github/workflows/attest.yml
Comment on lines +8 to +11
runs-on: ubuntu-latest
steps:
- run: |
echo "attest: ok"

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 18 days ago

To fix the problem, explicitly declare a permissions block that restricts the GITHUB_TOKEN to the minimal rights needed. This workflow only runs a shell echo and does not interact with the repository or GitHub APIs, so it can safely use fully restricted permissions (permissions: {}) or at least contents: read. Following GitHub’s recommendations, the safest choice here is to set permissions: {} at the job level so that this job’s token has no permissions.

Concretely, edit .github/workflows/attest.yml within the jobs.attest job to add a permissions: {} line between runs-on: ubuntu-latest and steps:. No new imports or external libraries are required; this is purely a YAML configuration change. Existing functionality is preserved because the job does not use the token at all.

Suggested changeset 1
.github/workflows/attest.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/attest.yml b/.github/workflows/attest.yml
--- a/.github/workflows/attest.yml
+++ b/.github/workflows/attest.yml
@@ -6,6 +6,7 @@
 jobs:
   attest:
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - run: |
           echo "attest: ok"
EOF
@@ -6,6 +6,7 @@
jobs:
attest:
runs-on: ubuntu-latest
permissions: {}
steps:
- run: |
echo "attest: ok"
Copilot is powered by AI and may make mistakes. Always verify output.
@midiakiasat midiakiasat force-pushed the midiakiasat/add-identity/cicullis branch from 205f9f6 to 9994587 Compare March 3, 2026 16:15
@verifrax-systems verifrax-systems merged commit 8ee246e into main Mar 3, 2026
23 checks passed
@verifrax-systems verifrax-systems deleted the midiakiasat/add-identity/cicullis branch March 3, 2026 16:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@verifrax-systems verifrax-systems verifrax-systems approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@midiakiasat @verifrax-systems