Revert "CU-869az43jq: MedCAT v2: Distribute cogstack-es and medcat-scripts" #7
| name: 'Submodules Sync' | ||
| runs-on: ubuntu-22.04 | ||
| if: github.actor != 'github-actions[bot]' | ||
|
|
||
| defaults: | ||
| run: | ||
| shell: bash | ||
|
|
||
| steps: | ||
| - name: Checkout repository with submodules | ||
| uses: actions/checkout@v5 | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| submodules: recursive | ||
| persist-credentials: false | ||
|
|
||
| - name: Sync submodule URLs | ||
| run: | | ||
| git submodule sync --recursive | ||
|
|
||
| - name: Update submodules | ||
| run: | | ||
| git -c protocol.version=2 submodule update --init --remote --recursive --jobs 8 | ||
|
|
||
| - name: Commit and push submodule updates | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| set -euo pipefail | ||
| git config user.name 'github-actions[bot]' | ||
| git config user.email '41898282+github-actions[bot]@users.noreply.github.com' | ||
| git remote set-url origin https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }} | ||
| # Stage only submodule pointer updates and .gitmodules | ||
| git add .gitmodules $(git config -f .gitmodules --get-regexp path | awk '{print $2}') || true | ||
| if git diff --cached --quiet; then | ||
| echo "No submodule pointer changes to commit" | ||
| exit 0 | ||
| fi | ||
| git commit -m "chore(submodules): auto-update pointers [skip ci]" | ||
| git push |
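Review bot: the job declares no `permissions:` block, so the `GITHUB_TOKEN` passed at `token: ${{ secrets.GITHUB_TOKEN }}` and `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` runs with the repository's default token scope even though the only privilege the steps need is `contents: write` for `git push`; add that single scope at the job level (this is also what the CodeQL warning below reports). In the same push step, `persist-credentials: false` on the checkout is undone by `git remote set-url origin https://x-access-token:${GH_TOKEN}@github.com/...`, which writes the token into `.git/config` for the remainder of the job (visible to any later step via `git remote -v`); either keep the checkout's persisted credentials or scrub the URL after the push. Two smaller points: `git submodule update --init --remote --recursive` moves every pointer to the current tip of the tracked branch, so the auto-commit records whatever upstream currently has without review, and the `|| true` after `git add .gitmodules $(...)` masks failures of the `git config -f .gitmodules ... | awk` pipeline despite `set -euo pipefail`.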
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 30 days ago
To fix the problem, we must add a permissions: block to the workflow to restrict the GitHub Actions GITHUB_TOKEN permissions as tightly as possible, following the principle of least privilege. The workflow commits changes and pushes updates, so it needs contents: write, but no other elevated permissions. This block should be added either at the workflow root (top level) or at the job level; since there is only one job shown, either approach is fine. The simplest fix is to add the following block near the top (before jobs:):
permissions:
  contents: write

This will ensure that the workflow has only the necessary permissions for repository contents and disallow unnecessary privileges.
| @@ -1,5 +1,8 @@ | ||
| name: submodules-sync | ||
|
|
||
| permissions: | ||
| contents: write | ||
|
|
||
| on: | ||
| push: | ||
| branches: ['**'] |
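Review bot: the suggested `permissions:` block sits at the workflow root (hunk `@@ -1,5 +1,8 @@`, between `name: submodules-sync` and `on:`), so `contents: write` is granted to every job the file has now or gains later, not only to the one that pushes. Tighter, and still enough for the push, is to move the same two lines under the pushing job (indented beneath its key) and leave the root at the default or at `permissions: {}`, so any job added later starts with no write access.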
Reverts #6
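The CodeQL finding discussed in this PR is mechanical enough to check locally before a workflow is merged. The script below is an added example, not code from this repository, from CodeQL or from the Copilot suggestion: it scans a workflow's text for a `permissions:` block at the root or under every job, using a small indentation-based parser (assumed two-space YAML layout like the file in the diff, no PyYAML dependency). The two sample workflows are constructed for the example and only mirror the shape of the diff above.

```python
"""Flag GitHub Actions workflows that grant the default GITHUB_TOKEN scope.

A workflow passes when either the root or every job declares `permissions:`.
Added example; assumes two-space YAML indentation and block-style mappings.
"""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the reverted workflow: no permissions anywhere.
WORKFLOW_NO_PERMS = """\
name: submodules-sync

on:
  push:
    branches: ['**']

jobs:
  sync:
    name: 'Submodules Sync'
    runs-on: ubuntu-22.04
    if: github.actor != 'github-actions[bot]'
    steps:
      - uses: actions/checkout@v5
"""

# Constructed sample: job-level least privilege on the pushing job, a second
# job that was never given a block and therefore still inherits the default.
WORKFLOW_JOB_PERMS = """\
name: submodules-sync

on:
  push:
    branches: ['**']

jobs:
  sync:
    permissions:
      contents: write
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v5
  lint:
    runs-on: ubuntu-22.04
    steps:
      - run: echo lint
"""

KEY_RE = re.compile(r"^( *)([A-Za-z_][\w-]*):")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _is_content(line: str) -> bool:
    return bool(line.strip()) and not line.lstrip().startswith("#")


def _keys_at_indent(lines: List[str], start: int, indent: int) -> Dict[str, int]:
    """Mapping keys found at exactly `indent` spaces, scanning from `start`
    until the block closes (a content line indented less than `indent`)."""
    found: Dict[str, int] = {}
    for i in range(start, len(lines)):
        line = lines[i]
        if not _is_content(line):
            continue
        if _indent(line) < indent:
            break
        if _indent(line) == indent:
            m = KEY_RE.match(line)
            if m:
                found[m.group(2)] = i
    return found


def _child_indent(lines: List[str], idx: int) -> Optional[int]:
    """Indentation of the first content line after `idx` (the block's body)."""
    for line in lines[idx + 1:]:
        if _is_content(line):
            return _indent(line)
    return None


def missing_permissions(workflow_text: str) -> List[str]:
    """Return the scopes that lack a permissions block.

    [] means the root or every job pins the token scope; 'workflow' means the
    file has no jobs to inspect and no root block; 'job:<name>' lists each job
    that relies on the repository default.
    """
    lines = workflow_text.splitlines()
    root = _keys_at_indent(lines, 0, 0)
    if "permissions" in root:
        return []  # a root block applies to all jobs
    if "jobs" not in root:
        return ["workflow"]
    job_indent = _child_indent(lines, root["jobs"])
    if job_indent is None:
        return ["workflow"]
    uncovered: List[str] = []
    for name, idx in _keys_at_indent(lines, root["jobs"] + 1, job_indent).items():
        body_indent = _child_indent(lines, idx)
        body = _keys_at_indent(lines, idx + 1, body_indent) if body_indent else {}
        if "permissions" not in body:
            uncovered.append(f"job:{name}")
    return uncovered


if __name__ == "__main__":
    for label, text in (("as reverted", WORKFLOW_NO_PERMS), ("job-level fix", WORKFLOW_JOB_PERMS)):
        print(f"{label}: {missing_permissions(text) or 'ok'}")
```

Run on the first sample it reports `['job:sync']`, the same gap CodeQL raised; on the second it reports `['job:lint']`, which is exactly the job a root-level block would have silently granted `contents: write`.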