add reusable workflow #18

To fix the problem, explicitly declare a permissions block so that the GITHUB_TOKEN used in this workflow has only the minimal rights it needs. Since none of the jobs perform operations that modify the repository (such as pushing commits, creating releases, or managing issues/PRs), the minimal and sufficient permission is contents: read. Placing this permissions block at the root of the workflow ensures it applies to all jobs unless they override it.

Concretely, in .github/workflows/ci-with-step.yml, add a top-level permissions: section right under the name: CI line (before on:). The block should read:

permissions: contents: read

No changes are needed inside the individual jobs. No additional imports or actions are required; this change only adjusts the workflow’s static YAML configuration and does not alter the functional behavior of the build and deployments.

In general, the fix is to explicitly declare a permissions: block instead of relying on the repository’s default GITHUB_TOKEN permissions. Since all three jobs only need to read the repository to run and upload/download artifacts (which do not require elevated repo scopes), we can safely set contents: read at the workflow root, applying to all jobs.

The best minimal fix without changing functionality is:

Add a top-level permissions: block after the name: (or after on:) setting contents: read.

There is no evidence any job needs write permissions to issues, pull requests, or contents, so we do not grant them.

Concretely, in .github/workflows/ci-with-step.yml, between line 2 and line 3 (or equivalently between the existing name: CI and on:), add:

permissions: contents: read

No imports or additional definitions are needed, as this is purely a YAML workflow configuration change.

In general, the fix is to add an explicit permissions: block that grants only the minimum GitHub token permissions required. Since this workflow only checks out code, runs tests, builds, and uploads/downloads artifacts, it doesn’t need any write permission to the repository; a read-only token is sufficient, and in this specific case we can even set all permissions to none if the workflow doesn’t require the token at all.

The single best minimal fix here is to add a permissions block at the root of the workflow (applies to all jobs) and set contents: read, which is a safe, common default for workflows that only need to read the repository. This both satisfies CodeQL’s requirement for an explicit permissions block and adheres to least privilege, while not breaking actions/checkout, which can operate with contents: read. No imports or additional methods are needed, only a small YAML change near the top of .github/workflows/ci-with-step.yml.

Concretely: edit .github/workflows/ci-with-step.yml to insert a permissions: section after the name: CI (line 1) and before the on: block (line 3). The rest of the workflow remains unchanged.

-Original file line number
+Diff line change
@@ -1,50 +1,51 @@
-    name: CI
-    on:
-      push:
-        branches: [ "main" ]
-    jobs:
-      build:
-        name: CI
-        runs-on: ubuntu-latest
-        steps:
-          - uses: actions/checkout@v4 # Check out the repository first
-          # The other verification steps (checkout, build, format, etc.) will be run from PR Verify workflow already
-          - name: Dotnet test
-            run: dotnet test src/GitHubActionsDotNet.Api.Tests/GitHubActionsDotNet.Api.Tests.csproj --configuration Release
-          - name: Dotnet publish
-            run: dotnet publish src/GitHubActionsDotNet.Api/GitHubActionsDotNet.Api.csproj --configuration Release -o artifacts
-          - uses: actions/upload-artifact@v4
-            with:
-              name: domtrain-artifacts
-              path: artifacts/
-      deploy_dev:
-        name: Deploy Dev
-        runs-on: ubuntu-latest
-        needs: build # By default jobs runs in parallel, this makes sure deploy runs after build
-        steps:
-          - uses: actions/download-artifact@v4
-            with:
-              name: domtrain-artifacts #The name "domtrain-artifacts" is what makes teh link between the upload and download steps
-              path: artifacts/
+    # name: CI
+    # on:
+    #   push:
+    #     branches: [ "main" ]
+    # jobs:
+    #   build:
+    #     name: CI
+    #     runs-on: ubuntu-latest
+    #     steps:
+    #       - uses: actions/checkout@v4 # Check out the repository first
+    #       # The other verification steps (checkout, build, format, etc.) will be run from PR Verify workflow already
+    #       - name: Dotnet test
+    #         run: dotnet test src/GitHubActionsDotNet.Api.Tests/GitHubActionsDotNet.Api.Tests.csproj --configuration Release
+    #       - name: Dotnet publish
+    #         run: dotnet publish src/GitHubActionsDotNet.Api/GitHubActionsDotNet.Api.csproj --configuration Release -o artifacts
+    #       - uses: actions/upload-artifact@v4
+    #         with:
+    #           name: domtrain-artifacts
+    #           path: artifacts/
+    #   deploy_dev:
+    #     name: Deploy Dev
+    #     runs-on: ubuntu-latest
+    #     needs: build # By default jobs runs in parallel, this makes sure deploy runs after build
+    #     steps:
+    #       - uses: actions/download-artifact@v4
+    #         with:
+    #           name: domtrain-artifacts #The name "domtrain-artifacts" is what makes teh link between the upload and download steps
+    #           path: artifacts/
-          - name: Azure login
-            uses: azure/login@v2
-            with:
-              client-id: ${{ secrets.AZURE_CLIENT_ID }}
-              tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-              subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+    #       # Login to Azure
+    #       - name: Azure login
+    #         uses: azure/login@v2
+    #         with:
+    #           client-id: ${{ secrets.AZURE_CLIENT_ID }}
+    #           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+    #           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          # Deploy to Azure Web apps
-          - name: 'Deploy to  Azure App Service'
-            uses: azure/webapps-deploy@v2
-            with:
-              app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name, i.e. app-domtrain-github-scottsauber-dev
-              package: artifacts/
+    #       # Deploy to Azure Web apps
+    #       - name: 'Deploy to  Azure App Service'
+    #         uses: azure/webapps-deploy@v2
+    #         with:
+    #           app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name, i.e. app-domtrain-github-scottsauber-dev
+    #           package: artifacts/

-Original file line number
+Diff line change
@@ -0,0 +1,42 @@
+    name: "Step Deploy"
+    on:
+      workflow_call:
+        inputs:
+          env:
+            required: true
+            type: string
+        secrets:
+          AZURE_CLIENT_ID:
+            required: true
+          AZURE_TENANT_ID:
+            required: true
+          AZURE_SUBSCRIPTION_ID:
+            required: true
+    jobs:
+      deploy:
+        name: Deploy to ${{ inputs.env }}
+        runs-on: ubuntu-latest
+        environment: ${{ inputs.env }}
+        steps:
+          - uses: actions/download-artifact@v4
+            with:
+              name: domtrain-artifacts #The name "domtrain-artifacts" is what makes teh link between the upload and download steps
+              path: artifacts/
+          # Login to Azure
+          - name: Azure login
+            uses: azure/login@v2
+            with:
+              client-id: ${{ secrets.AZURE_CLIENT_ID }}
+              tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+              subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          # Deploy to Azure Web apps
+          - name: 'Deploy to  Azure App Service'
+            uses: azure/webapps-deploy@v2
+            with:
+              app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name, i.e. app-domtrain-github-scottsauber-dev
+              package: artifacts/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add reusable workflow #18

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix