Update 8hobbies/workflows digest to 4443153 #265
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| jobs: | ||
| lint: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@0addb4a5f6d2598854f617fae0b907a0ecd34a1e | ||
| uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@4443153b7f57ef7295e48bb1f73e90cb8b28a0c4 |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
To fix the problem, you should add a permissions block to .github/workflows/lint.yml either at the root level—so it applies to all jobs in the workflow that do not have their own permissions key—or inside the lint job. Since the only job is lint, and it uses a reusable workflow, you can add the permissions block either right under jobs:, or the root of the workflow (after name, usually). The minimally required permission for a linting workflow is typically contents: read, but if you know it needs additional permissions (like commenting on pull requests), you can add those. Since you only have access to this job, it is safest to add a minimal block: permissions: contents: read.
Edit .github/workflows/lint.yml to add:
permissions:
contents: readimmediately after the name: block (before on:), or within the lint: job as:
permissions:
contents: readThe fix does not require any imports, definitions, or further changes.
| @@ -13,6 +13,8 @@ | ||
| # limitations under the License. | ||
|
|
||
| name: Lint | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
| jobs: | ||
| run: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@0addb4a5f6d2598854f617fae0b907a0ecd34a1e | ||
| uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@4443153b7f57ef7295e48bb1f73e90cb8b28a0c4 |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
| jobs: | ||
| test: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@0addb4a5f6d2598854f617fae0b907a0ecd34a1e | ||
| uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@4443153b7f57ef7295e48bb1f73e90cb8b28a0c4 |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
To fix the problem, you should add an explicit permissions block at the root level of the workflow in .github/workflows/runtime.yml. This block should minimally restrict permissions for the entire workflow unless a job overrides it. Since the job delegates all execution to a reusable workflow using uses:, and unless there are requirements for write access (such as creating releases, updating issues, etc.), the safest baseline is contents: read. This reduces GITHUB_TOKEN access to read-only. If workflow functionality requires elevated or more granular permissions, the block should be adjusted accordingly. To implement, insert the permissions: block after the name: and before the on: section (ideally line 16 or 17).
| @@ -13,6 +13,8 @@ | ||
| # limitations under the License. | ||
|
|
||
| name: Runtime | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
This PR contains the following updates:
0addb4a->4443153Configuration
📅 Schedule: Branch creation - "on Sunday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.