Co-authored-by: Philip Durbin <philipdurbin@gmail.com>
…C/8914-COAR-compliant_messaging2 GDCC/8914 COAR Messaging Improvement
…rbidden (#12134) * test: add test for duplicate role assignment * feat: return 409 when creating duplicate role assignment
* updates to fix test * add a few seconds - print duration
…m/IQSS/dataverse into 11473-harvesting-client-ratelimit
…y replicating the existing beta workflow.
Co-authored-by: landreev <leonid@hmdc.harvard.edu>
Co-authored-by: landreev <leonid@hmdc.harvard.edu>
…ble action Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…ain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…nto extra_workflows
Extra workflows
extra workflows, a remake
6.10 release notes
bump to version 6.10
```yaml
runs-on: ubuntu-latest

steps:
  - uses: actions/checkout@v6

  - uses: actions/setup-java@v5
    with:
      distribution: 'zulu'
      java-version: '21'

  - name: Set build number
    run: scripts/installer/custom-build-number "${{ github.event.inputs.buildlabel }}"

  - name: Build application war
    run: mvn package

  - name: Get war file name
    working-directory: target
    run: echo "war_file=$(ls *.war | head -1)">> $GITHUB_ENV

  - name: Upload war artifact
    uses: actions/upload-artifact@v7
    with:
      name: built-app
      path: ./target/${{ env.war_file }}
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Copilot Autofix (AI), about 9 hours ago:
In general, the fix is to explicitly define GITHUB_TOKEN permissions at the workflow or job level so the token has only the minimal capabilities required. For this workflow, the job reads the repository (checkout) and uploads an artifact to the workflow run, but does not need to write to repository contents or other GitHub resources. Therefore, setting permissions: contents: read is sufficient.
The best minimal change is to add a permissions block at the root of .github/workflows/generate_war_file.yml, just below the name (or above jobs:). This will apply to all jobs in the workflow (currently just build) and restrict the GITHUB_TOKEN to read-only access to repository contents. No other code or steps need to change, and no additional imports or methods are required.
Concretely, in .github/workflows/generate_war_file.yml, insert:

```yaml
permissions:
  contents: read
```

after the name: 'Generate dataverse war file' line (line 1 in the snippet). All existing steps remain unchanged.
| @@ -1,5 +1,8 @@ | ||
| name: 'Generate dataverse war file' | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
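Review bot: the `permissions:` block this hunk inserts between `name:` and `on:` is scoped correctly for the job shown: `contents: read` is all `actions/checkout` needs, and because a root-level `permissions` key sets every scope it does not list to none, the token loses write access to the repository, pull requests, packages and checks in one change. The upload step is unaffected, since `actions/upload-artifact` does not depend on GITHUB_TOKEN scopes. Unrelated to this hunk but visible in the same file, the `Set build number` step interpolates `${{ github.event.inputs.buildlabel }}` directly into a `run:` command; CodeQL reports that pattern separately, and the usual fix is to pass the input through an `env:` variable and reference it as a quoted shell variable.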
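As an added example (not part of this PR, the Copilot suggestion, or the Dataverse code base), a small Python checker for the condition this CodeQL rule reports: it flags jobs that declare no `permissions` at either the workflow root or the job level, and runs over a constructed copy of the workflow fragment above with and without the suggested key. It assumes plain block-style YAML (no flow mappings or anchors), which is what GitHub workflow files normally use.

```python
import re

# Constructed sample (not the project's file): the generate_war_file.yml fragment
# shown in the CodeQL alert, without and with the suggested fix.
WORKFLOW_BEFORE = """\
name: 'Generate dataverse war file'
on: workflow_dispatch

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
"""
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "\non:", "\npermissions:\n  contents: read\n\non:", 1)

KEY_RE = re.compile(r"^\s*([A-Za-z_][\w.-]*):")
_indent = lambda s: len(s) - len(s.lstrip(" "))  # number of leading spaces

def _keys(lines, start, indent):
    """Yield (index, key) for keys at exactly `indent` spaces; stop when the block ends."""
    for i in range(start, len(lines)):
        line = lines[i]
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments do not end a block
        if _indent(line) < indent:
            return
        m = KEY_RE.match(line)
        if m and _indent(line) == indent:
            yield i, m.group(1)

def _child_indent(lines, start):
    """Indentation of the first non-blank line at or after `start` (0 if none)."""
    return next((_indent(l) for l in lines[start:] if l.strip()), 0)

def missing_permissions(text):
    """Jobs left with default GITHUB_TOKEN scopes: no `permissions` at root or job level."""
    lines = text.splitlines()
    top = {k: i for i, k in _keys(lines, 0, 0)}
    if "permissions" in top or "jobs" not in top:
        return []  # a root-level block applies to every job
    job_indent = _child_indent(lines, top["jobs"] + 1)
    flagged = []
    for i, job in (_keys(lines, top["jobs"] + 1, job_indent) if job_indent else []):
        child = _child_indent(lines, i + 1)
        job_keys = {k for _, k in _keys(lines, i + 1, child)} if child > job_indent else set()
        if "permissions" not in job_keys:
            flagged.append(job)
    return flagged
```

Running it over the two constructed samples returns `['build']` for the unfixed workflow and `[]` once the root-level block is present; a job-level `permissions:` under `build:` also clears the finding.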
📦 Pushed preview images as 🚢 See on GHCR. Use by referencing with full name as printed above, mind the registry name.

API tests are passing: https://jenkins.dataverse.org/job/IQSS-Dataverse-Develop-PR/job/PR-12233/1/testReport/ Merging.
Part of:
https://jenkins.dataverse.org/job/IQSS-Dataverse-Develop-PR/job/PR-12233/1/console