Secrets by erisjak · Pull Request #8 · erisjak/github-actions-dotnet

erisjak · 2025-09-05T10:58:47Z

No description provided.

.github/workflows/ci.yml

.github/workflows/cron.yml

.github/workflows/secrets.yml

+    name: Secrets Demo
+    runs-on: ubuntu-latest
+    env: 
+      JOB_NAME: "secrets"
+    steps:
+      - name: Echo environment variable
+        run: echo "The value of $JOB_NAME is $API_CSPROJ_PATH"
+
+  new_job:


To fix the problem, explicitly declare the permissions block at the workflow level, setting the minimal required permissions for the jobs. Since the two jobs in this workflow ("secrets" and "new_job") do not interact with repository contents, issues, or pull requests, the safest, least-privilege choice is contents: read. This denies write access, reducing attack surface. The change should occur at the root of the workflow file—immediately following the name: and on: keys but before the env: or jobs: definitions. No changes to functionality are induced; the jobs will retain required access to environment variables and run steps as before.

.github/workflows/secrets.yml

+    name: Secrets Demo
+    runs-on: ubuntu-latest
+    env:
+      JOB_NAME: "new_job"
+    steps:
+      - name: Echo environment variable
+        run: echo "The value of $JOB_NAME is $API_CSPROJ_PATH"


To fix this issue, add a permissions block at the workflow root or job level, specifying the least required privileges. In this workflow, the jobs simply echo environment variables and use curl, so neither requires any write access to the repository. The best practice is to add the following block at the top level (applies to all jobs unless individually overridden):

permissions: contents: read

This should be placed just below the name field and prior to on. Alternatively, you could add it within each job, but for conciseness and maintainability, the root-level block is preferred. No new imports or definitions are needed.

erisjak added 15 commits September 1, 2025 10:08

add a new line to weather forecast

e9fd2f5

neues feature

54a2e25

add dotnet test to pr verify

5b5cb7b

add failing test

b6cd175

fix test

9d5396e

add dotnet format to pr verify

5d8353a

changed .NET version to 9

c9d3ebd

switch back to .NET 8

5b4af6f

fixed formatting

dab650e

test code ql

8336c9b

add ci

ba93324

upload artifacts as part of CI

35a7bfb

add cron job

051ca6f

edited cron job

52f1c35

added secrets branch

8651f20

github-advanced-security bot found potential problems Sep 5, 2025

View reviewed changes

.github/workflows/ci.yml Fixed Show fixed Hide fixed

.github/workflows/cron.yml Fixed Show fixed Hide fixed

.github/workflows/secrets.yml Fixed Show fixed Hide fixed

erisjak added 3 commits September 5, 2025 13:14

Merge branch 'main' into secrets

299f787

add a job

e35613a

added new job to secrets

ec5d887

github-advanced-security bot found potential problems Sep 5, 2025

View reviewed changes

delete cron job

c4ddacb

@@ -4,6 +4,9 @@
               pull_request:
                 branches: ["main"]
+            permissions:
+              contents: read
             env:
               API_CSPROJ_PATH: "./src/GithubActionsDotnet.Api/GithubActionsDotnet.Api.csproj"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Secrets#8

Secrets#8
erisjak wants to merge 19 commits intomainfrom
secrets

erisjak commented Sep 5, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

erisjak commented Sep 5, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant