@sanason (Contributor) commented Jan 9, 2026

Potential fix for https://github.com/digital-analytics-program/gov-wide-code/security/code-scanning/18

In general, to fix this problem you should add a permissions block either at the root of the workflow (to apply to all jobs) or within the specific job that CodeQL flagged. The block should grant only the minimal scopes needed; for a simple lint job that just checks out code and runs npm commands, contents: read is typically sufficient.

For this specific workflow (.github/workflows/ci.yml), the minimal and least-invasive change is to add a permissions stanza under the lint job, right alongside runs-on. This keeps the change tightly scoped while not altering any existing steps or behavior. The result will look like:

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      ...

No additional imports, methods, or definitions are needed, since permissions is a standard GitHub Actions workflow key. The only file to change is .github/workflows/ci.yml, and the only region to update is the lint job header around line 7.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
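A quick way to check a workflow file for the condition this PR fixes, as an added example that is not part of the gov-wide-code project or the Copilot Autofix output: it reports jobs that have neither a root-level nor a job-level permissions block. It assumes the two-space indentation shown above (so no YAML library is needed), and the workflow text it scans is a constructed sample.

```python
import re
from typing import Dict, List

# Matches a YAML mapping key and captures its indentation; list items such as
# "- run:" do not match because of the space after the dash.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):")

def find_jobs_without_permissions(workflow_text: str) -> List[str]:
    """Names of jobs that would run with the default GITHUB_TOKEN scopes, i.e.
    neither the workflow root nor the job itself declares `permissions:`.
    Assumes two-space indentation (jobs at column 2, job keys at column 4)."""
    root_has_permissions = False
    in_jobs = False
    current_job = None
    jobs: Dict[str, bool] = {}
    for raw in workflow_text.splitlines():
        m = KEY_RE.match(raw.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                      # top-level key
            in_jobs = key == "jobs"
            current_job = None
            root_has_permissions |= key == "permissions"
        elif in_jobs and indent == 2:        # a job name under jobs:
            current_job = key
            jobs[key] = False
        elif in_jobs and indent == 4 and key == "permissions" and current_job:
            jobs[current_job] = True         # job-level block present
    if root_has_permissions:                 # root block covers every job
        return []
    return [name for name, covered in jobs.items() if not covered]

# Constructed sample mirroring the flagged lint job before the fix...
BEFORE = """\
name: CI
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm run lint
"""
# ...and after adding the job-level permissions stanza from the PR.
AFTER = BEFORE.replace(
    "    runs-on: ubuntu-latest\n",
    "    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n",
)
```

Running the check on BEFORE reports `lint`; on AFTER it reports nothing, and a root-level permissions block also silences it for every job.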

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@sanason sanason marked this pull request as ready for review January 9, 2026 15:26
@sanason sanason requested review from laurenancona and sfrederick-gsa-gov and removed request for sfrederick-gsa-gov January 9, 2026 15:27
@sanason (Contributor, Author) commented Jan 9, 2026

@laurenancona
I am cleaning up security warnings in advance of the assessment and this fixes the last open warning.
