Skip to content

Potential fix for code scanning alert no. 27: Workflow does not contain permissions#553

Merged
daveshanley merged 1 commit intomainfrom
alert-autofix-27
Mar 29, 2026
Merged

Potential fix for code scanning alert no. 27: Workflow does not contain permissions#553
daveshanley merged 1 commit intomainfrom
alert-autofix-27

Conversation

@daveshanley
Copy link
Copy Markdown
Member

@daveshanley daveshanley commented Mar 29, 2026

Potential fix for https://github.com/pb33f/libopenapi/security/code-scanning/27

In general, the problem is solved by explicitly defining a permissions block either at the workflow root (to apply to all jobs) or per job, and setting the minimal needed scopes (typically contents: read for simple build/test workflows). This prevents the jobs from inheriting potentially broad default permissions such as contents: write.

For this workflow, the simplest and safest fix that preserves existing behavior is to add a workflow‑level permissions section right after the name: Build line. The jobs only need to check out the repository and run Go commands; they do not push commits, modify issues, or manage PRs. The Codecov action uses its own CODECOV_TOKEN secret and does not require GitHub write permissions. Therefore, setting permissions: contents: read at the top level is sufficient and minimal. No other code or steps need to be changed.

Concretely, edit .github/workflows/build.yaml and insert:

permissions:
  contents: read

between the existing name: Build line and the on: block. This applies the restricted permissions to both buildWindows and build jobs and directly addresses the CodeQL alert.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@daveshanley @github-advanced-security
Potential fix for code scanning alert no. 27: Workflow does not conta…
1cdd545 
…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@daveshanley daveshanley marked this pull request as ready for review March 29, 2026 16:46
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 29, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.61%. Comparing base (83b5e4f) to head (1cdd545).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #553   +/-   ##
=======================================
  Coverage   99.61%   99.61%           
=======================================
  Files         236      236           
  Lines       28037    28037           
=======================================
  Hits        27930    27930           
  Misses         65       65           
  Partials       42       42
Flag Coverage Δ
unittests 99.61% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@daveshanley daveshanley merged commit b123092 into main Mar 29, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@daveshanley