
merge develop into master for 6.10.1#12259

Merged: pdurbin merged 14 commits into master from develop on Mar 26, 2026

Conversation

@pdurbin
Member

@pdurbin pdurbin commented Mar 26, 2026

No description provided.

pdurbin and others added 14 commits March 18, 2026 17:51
Bumps [aquasecurity/setup-trivy](https://github.com/aquasecurity/setup-trivy) from 0.2.5 to 0.2.6.
- [Release notes](https://github.com/aquasecurity/setup-trivy/releases)
- [Commits](aquasecurity/setup-trivy@v0.2.5...v0.2.6)

---
updated-dependencies:
- dependency-name: aquasecurity/setup-trivy
  dependency-version: 0.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…urity/setup-trivy-0.2.6

Bump aquasecurity/setup-trivy from 0.2.5 to 0.2.6
chore(ci): update Trivy engine to a newer, but safe version #12242
add a GitHub Workflow to add bugs to the project board
Jenkins tests are failing - but that's on account of the localstack issue; plus there's nothing in the PR that could affect the restassured tests.
Fix signature of writeGuestbookAndStartFileDownload in xhtml
@pdurbin pdurbin requested a review from poikilotherm as a code owner March 26, 2026 19:22
Comment on lines +11 to +18
    name: Add bug to project
    runs-on: ubuntu-latest
    steps:
      - uses: actions/add-to-project@v1.0.2
        with:
          project-url: https://github.com/orgs/IQSS/projects/34
          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
          labeled: "Type: Bug"

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 1 month ago

To fix the problem, add an explicit permissions block that restricts the default GITHUB_TOKEN to the minimal required scope. Since this workflow’s only step uses a custom PAT (secrets.ADD_TO_PROJECT_PAT) and does not rely on GITHUB_TOKEN, it is safe and preferable to set permissions: contents: read (or even permissions: {}) to minimize privileges. Using contents: read aligns with GitHub’s recommended minimal baseline and avoids surprises for tools expecting at least read access.

The best fix with minimal functional impact is to add a workflow‑level permissions block near the top of .github/workflows/add_bugs_to_project.yml, after the name: field and before on:. This will apply to all jobs in the workflow (there is only add-to-project), and the job definition itself does not need to change. No imports or additional methods are required, as this is purely a YAML configuration change.

Concretely:

  • Edit .github/workflows/add_bugs_to_project.yml.
  • Insert:
permissions:
  contents: read

between line 2 (the blank line after name) and line 3 (on:). This keeps existing behavior intact and satisfies the CodeQL requirement for explicit permissions.

Suggested changeset 1
.github/workflows/add_bugs_to_project.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/add_bugs_to_project.yml b/.github/workflows/add_bugs_to_project.yml
--- a/.github/workflows/add_bugs_to_project.yml
+++ b/.github/workflows/add_bugs_to_project.yml
@@ -1,5 +1,8 @@
 name: Add bugs to project board
 
+permissions:
+  contents: read
+
 on:
   issues:
     types:
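Review bot: The added `permissions:` block could be tightened further. The only step in this workflow authenticates with `secrets.ADD_TO_PROJECT_PAT` and does not use `GITHUB_TOKEN` at all (see the `github-token:` input on the commented lines +11 to +18), so `permissions: {}` would be the more accurate minimum than `contents: read`; the autofix text above itself names that option. Also worth stating in the PR: this block only constrains `GITHUB_TOKEN`, so the effective privilege of the job is set by the scopes granted to the PAT, which this change does not touch and which should be reviewed separately for least privilege.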
EOF
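To show how the CodeQL finding generalizes beyond this one-job workflow, the following is an added example (not the repository's `add_bugs_to_project.yml` and not part of the autofix): it sets `permissions: {}` at the workflow level so `GITHUB_TOKEN` has no scopes by default, keeps the PAT-based project job unchanged, and adds a hypothetical second job that does need `GITHUB_TOKEN` and therefore requests exactly one scope at the job level. The `on.issues.types` trigger value, the second job (`comment-on-bug`), and its use of `actions/github-script` are assumptions for illustration.

```yaml
name: Add bugs to project board (added example, not the repository's file)

on:
  issues:
    # Assumption: the real workflow's trigger types are not shown on this page.
    types:
      - labeled

# Workflow-level default: GITHUB_TOKEN receives no scopes at all.
# Any job that needs the token must request scopes explicitly below,
# which makes the privilege of each job visible in review.
permissions: {}

jobs:
  add-to-project:
    name: Add bug to project
    runs-on: ubuntu-latest
    # No job-level permissions: this job never uses GITHUB_TOKEN.
    # Its effective privilege is whatever ADD_TO_PROJECT_PAT is scoped to.
    steps:
      - uses: actions/add-to-project@v1.0.2
        with:
          project-url: https://github.com/orgs/IQSS/projects/34
          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
          labeled: "Type: Bug"

  comment-on-bug:
    # Hypothetical job (assumption, not in the repository): it posts a comment
    # with GITHUB_TOKEN, so it asks for issues:write and nothing else.
    name: Acknowledge bug report
    runs-on: ubuntu-latest
    if: github.event.label.name == 'Type: Bug'
    permissions:
      issues: write
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: "Thanks, this bug has been added to the project board.",
            });
```

With this layout, CodeQL's "workflow does not contain permissions" check is satisfied at the workflow level, and any future job that silently needs more than it declares will fail its API call rather than succeed with an over-privileged default token.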
@pdurbin pdurbin merged commit 300d5b5 into master Mar 26, 2026
22 of 25 checks passed
@pdurbin pdurbin added this to the 6.10.1 milestone Mar 26, 2026
@cmbz cmbz added the FY26 Sprint 20 FY26 Sprint 20 (2026-03-26 - 2026-04-08) label Mar 27, 2026
@scolapasta scolapasta moved this from Merged 🚀 to Done 🧹 in IQSS Dataverse Project Mar 31, 2026

Labels

FY26 Sprint 20 FY26 Sprint 20 (2026-03-26 - 2026-04-08)

Projects

Status: Done 🧹

Development


7 participants