Feat ci/slug checker #15
Conversation
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup pnpm | ||
| uses: pnpm/action-setup@v4 | ||
| with: | ||
| version: 10 | ||
|
|
||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '22' | ||
| cache: pnpm | ||
|
|
||
| - run: pnpm install --frozen-lockfile | ||
| - run: pnpm check:slugs |
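Review bot: every action in this job is pinned to a mutable major tag (`actions/checkout@v4`, `pnpm/action-setup@v4`, `actions/setup-node@v4`), so whoever can move those tags can change what runs in CI; pin each `uses:` to a full commit SHA and keep the tag in a trailing comment. `pnpm install --frozen-lockfile` is the right call for a check job. The missing `permissions:` block that CodeQL flags below applies to this same file.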
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 2 months ago)
To fix the problem, we should explicitly restrict the GITHUB_TOKEN permissions for this workflow to the minimum needed. The job only checks code (checkout, install, run pnpm check:slugs) and does not need to write to the repository or modify issues, PRs, or other resources. The minimal appropriate permission is contents: read. We can declare this either at the workflow root (applies to all jobs) or within the specific slug-check job. Since there is only one job, either is fine; adding it at the workflow root is slightly clearer and follows the recommendation pattern.
Concretely, in .github/workflows/slug-check.yml, add a permissions: block with contents: read (and nothing else) near the top of the file, at the root level, alongside name and on. This will ensure the GITHUB_TOKEN used by actions/checkout is limited to read-only access to repository contents, satisfying the CodeQL rule without changing any existing functionality of the workflow.
| @@ -1,5 +1,8 @@ | ||
| name: Slug Check | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: [main] |
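Review bot: a root-level `permissions:` block is the right scope for this single-job file, and `contents: read` is sufficient because no step writes to the repository or touches issues or PRs. One caveat worth a comment in the hunk: a root-level block sets every scope not listed to none, so any job added later that needs, for example, `pull-requests: write` must declare that at job level rather than inheriting the repository default.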
|
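A small checker for the rule CodeQL raised above, added here as an example and not the PR's or CodeQL's own code; it assumes the conventional two-space YAML layout of this workflow and runs on a constructed copy of the file before and after the autofix.

```python
"""Flag GitHub Actions workflows with no `permissions:` block.

Added example, not the PR's or CodeQL's own code. Mirrors the
"Workflow does not contain permissions" rule: pass if `permissions:` is
declared at the root or by every job. Indentation-based scan of the YAML
text (no PyYAML); assumes the two-space layout of the workflow in this PR.
"""

def check_workflow_permissions(text):
    """Return (ok, jobs_missing_permissions) for workflow YAML text."""
    root_permissions = False
    jobs = {}  # job id -> whether the job declares its own permissions
    in_jobs, current_job = False, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key = line.strip()
        if indent == 0:  # top-level key
            in_jobs, current_job = key == "jobs:", None
            root_permissions |= key.startswith("permissions:")
        elif in_jobs and indent == 2 and key.endswith(":"):  # a job id
            current_job = key[:-1]
            jobs[current_job] = False
        elif in_jobs and indent == 4 and current_job and key.startswith("permissions:"):
            jobs[current_job] = True
    if root_permissions:
        return True, []
    missing = [job for job, has in jobs.items() if not has]
    return not missing, missing

# Constructed copy of this PR's workflow before the autofix.
BEFORE = """name: Slug Check
on:
  pull_request:
    branches: [main]
jobs:
  slug-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm install --frozen-lockfile
      - run: pnpm check:slugs
"""
# The autofix: a root-level block that applies to every job.
AFTER = BEFORE.replace("on:", "permissions:\n  contents: read\non:", 1)

if __name__ == "__main__":
    print(check_workflow_permissions(BEFORE), check_workflow_permissions(AFTER))
```

Running it reports the `slug-check` job as missing permissions for the original file and a clean result once the root-level block is present.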
Preview Deployment is Ready! You can test the updates in this PR in a live environment by clicking the link below: (This environment is specific to this PR and does not affect the
No description provided.