Conversation
| name: CI | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 # Check out the repository first | ||
|
|
||
| # The other verification steps (checkout, build, format, etc.) will be run from PR Verify workflow already | ||
| - name: Dotnet test | ||
| run: dotnet test src/GitHubActionsDotNet.Api.Tests/GitHubActionsDotNet.Api.Tests.csproj --configuration Release | ||
|
|
||
| - name: Dotnet publish | ||
| run: dotnet publish src/GitHubActionsDotNet.Api/GitHubActionsDotNet.Api.csproj --configuration Release -o artifacts | ||
|
|
||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: domtrain-artifacts | ||
| path: artifacts/ | ||
|
|
||
| deploy_dev: |
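Review bot: every action in this job is pinned to a mutable major tag (`actions/checkout@v4`, `actions/upload-artifact@v4`) rather than a full-length commit SHA, so a moved or compromised tag would run unreviewed code in the job that produces the artifact both deploy jobs ship; pin to the SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v4`. Minor: the comment on the test step says checkout is already covered by the PR Verify workflow, yet this job checks out on the line right above it; reword the comment to list only the steps that are actually skipped here (build, format).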
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
To fix the problem, explicitly declare a permissions block so that the GITHUB_TOKEN used in this workflow has only the minimal rights it needs. Since none of the jobs perform operations that modify the repository (such as pushing commits, creating releases, or managing issues/PRs), the minimal and sufficient permission is contents: read. Placing this permissions block at the root of the workflow ensures it applies to all jobs unless they override it.
Concretely, in .github/workflows/ci-with-step.yml, add a top-level permissions: section right under the name: CI line (before on:). The block should read:
permissions:
  contents: read
No changes are needed inside the individual jobs. No additional imports or actions are required; this change only adjusts the workflow’s static YAML configuration and does not alter the functional behavior of the build and deployments.
| @@ -1,4 +1,6 @@ | ||
| name: CI | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
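Review bot: a root-level `permissions:` block sets every scope not listed to none, so this hunk on its own will break both deploy jobs: their `azure/login@v2` step passes only `client-id`, `tenant-id` and `subscription-id` (the OIDC federated-credential flow), which needs `id-token: write` on the job. Keep `contents: read` at the root and add a job-level block to `deploy_dev` and `deploy_prod`:
permissions:
  id-token: write
  contents: read
A job-level block replaces the root block for that job rather than merging with it, which is why `contents: read` is repeated there.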
| name: Deploy Dev | ||
| runs-on: ubuntu-latest | ||
| needs: build # By default jobs runs in parallel, this makes sure deploy runs after build | ||
| environment: dev | ||
|
|
||
| steps: | ||
| - uses: actions/download-artifact@v4 | ||
| with: | ||
| name: domtrain-artifacts #The name "domtrain-artifacts" is what makes teh link between the upload and download steps | ||
| path: artifacts/ | ||
|
|
||
| - name: Azure login | ||
| uses: azure/login@v2 | ||
| with: | ||
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | ||
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | ||
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | ||
|
|
||
| # Deploy to Azure Web apps | ||
| - name: 'Deploy to Azure App Service' | ||
| uses: azure/webapps-deploy@v2 | ||
| with: | ||
| app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name, i.e. app-domtrain-github-scottsauber-dev | ||
| package: artifacts/ | ||
|
|
||
| deploy_prod: |
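Review bot: `${{ env.AZURE_WEBAPP_NAME }}` is read on the deploy step, but no `env:` anywhere in this diff defines it, and the comment tells the reader to hard-code the name into the workflow; declare it instead as a configuration variable scoped to the `dev` environment and reference it as `${{ vars.AZURE_WEBAPP_NAME }}`, so the target travels with the environment and the workflow file stays identical across environments. Style: "teh" in the download-artifact comment.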
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
In general, the fix is to explicitly declare a permissions: block instead of relying on the repository’s default GITHUB_TOKEN permissions. Since all three jobs only need to read the repository to run and upload/download artifacts (which do not require elevated repo scopes), we can safely set contents: read at the workflow root, applying to all jobs.
The best minimal fix without changing functionality is:
- Add a top-level permissions: block after the name: (or after on:) setting contents: read.
- There is no evidence any job needs write permissions to issues, pull requests, or contents, so we do not grant them.
Concretely, in .github/workflows/ci-with-step.yml, between line 2 and line 3 (or equivalently between the existing name: CI and on:), add:
permissions:
  contents: read
No imports or additional definitions are needed, as this is purely a YAML workflow configuration change.
| @@ -1,5 +1,8 @@ | ||
| name: CI | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ "main" ] |
| name: Deploy Prod | ||
| runs-on: ubuntu-latest | ||
| needs: deploy_dev # By default jobs runs in parallel, this makes sure deploy prod runs after deploy dev | ||
| environment: prod | ||
| steps: | ||
| - uses: actions/download-artifact@v4 | ||
| with: | ||
| name: domtrain-artifacts #The name "domtrain-artifacts" is what makes teh link between the upload and download steps | ||
| path: artifacts/ | ||
|
|
||
| - name: Azure login | ||
| uses: azure/login@v2 | ||
| with: | ||
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | ||
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | ||
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | ||
|
|
||
| # Deploy to Azure Web apps | ||
| - name: 'Deploy to Azure App Service' | ||
| uses: azure/webapps-deploy@v2 | ||
| with: | ||
| app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name, i.e. app-domtrain-github-scottsauber-prod | ||
| package: artifacts/ No newline at end of file |
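Review bot: `deploy_prod` reads the same `${{ env.AZURE_WEBAPP_NAME }}` as `deploy_dev`, so a single workflow-level `env:` would point both environments at one App Service even though the comments clearly intend different apps (`...-dev` vs `...-prod`); an environment-scoped variable per environment removes that mix-up. Since this job runs under `environment: prod` straight after `deploy_dev` on every push to main, make sure the prod environment has required reviewers and deployment branch rules configured, because nothing in the workflow itself stops a push from going all the way to production. Style: the file has no trailing newline.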
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
In general, the fix is to add an explicit permissions: block that grants only the minimum GitHub token permissions required. Since this workflow only checks out code, runs tests, builds, and uploads/downloads artifacts, it doesn’t need any write permission to the repository; a read-only token is sufficient, and in this specific case we can even set all permissions to none if the workflow doesn’t require the token at all.
The single best minimal fix here is to add a permissions block at the root of the workflow (applies to all jobs) and set contents: read, which is a safe, common default for workflows that only need to read the repository. This both satisfies CodeQL’s requirement for an explicit permissions block and adheres to least privilege, while not breaking actions/checkout, which can operate with contents: read. No imports or additional methods are needed, only a small YAML change near the top of .github/workflows/ci-with-step.yml.
Concretely: edit .github/workflows/ci-with-step.yml to insert a permissions: section after the name: CI (line 1) and before the on: block (line 3). The rest of the workflow remains unchanged.
| @@ -1,5 +1,8 @@ | ||
| name: CI | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ "main" ] |
No description provided.