Skip to content

Potential fix for code scanning alert no. 21: Workflow does not contain permissions#651

Merged
cute-omega merged 1 commit into
masterfrom
alert-autofix-21
Jun 29, 2026
Merged

Potential fix for code scanning alert no. 21: Workflow does not contain permissions#651
cute-omega merged 1 commit into
masterfrom
alert-autofix-21

Conversation

@cute-omega

Copy link
Copy Markdown
Collaborator

Potential fix for https://github.com/docmirror/dev-sidecar/security/code-scanning/21

Add an explicit permissions block at the workflow root in .github/workflows/test-and-upload.yml, directly under name (before on:), so it applies to all jobs unless overridden.
For this workflow, the minimal safe baseline requested by CodeQL is:

  • contents: read

This preserves existing behavior for checkout and general read operations while documenting and enforcing least privilege. If future steps require additional scopes, they can be added narrowly at job-level or workflow-level then.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@cute-omega cute-omega marked this pull request as ready for review June 29, 2026 06:51
@cute-omega cute-omega merged commit 39c3100 into master Jun 29, 2026
6 checks passed
@cute-omega cute-omega deleted the alert-autofix-21 branch June 29, 2026 06:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant