Skip to content

fix: add explicit permissions to workflow jobs (CodeQL)#7

Merged
chrisdpurcell merged 1 commit intomainfrom
fix/workflow-permissions
Feb 18, 2026
Merged

fix: add explicit permissions to workflow jobs (CodeQL)#7
chrisdpurcell merged 1 commit intomainfrom
fix/workflow-permissions

Conversation

@chrisdpurcell
Copy link
Copy Markdown
Collaborator

@chrisdpurcell chrisdpurcell commented Feb 18, 2026

Summary

  • Adds permissions: contents: read to both the validate-hacs and validate-hassfest jobs in validate.yml
  • Resolves 2 CodeQL medium alerts: actions/missing-workflow-permissions at job level

Test plan

  • Workflow runs successfully on push to testing or main
  • CodeQL alerts close after merge

🤖 Generated with Claude Code

@chrisdpurcell @claude
fix: add explicit permissions to workflow jobs (CodeQL)
31639fb 
Adds `permissions: contents: read` to both validate-hacs and
validate-hassfest jobs. GitHub's default GITHUB_TOKEN permissions are
broad; declaring minimal permissions follows least-privilege and
resolves the CodeQL actions/missing-workflow-permissions medium alerts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 18, 2026 19:03
@chrisdpurcell chrisdpurcell added the maintenance Automated maintenance PR from repo manager label Feb 18, 2026
Copilot AI reviewed Feb 18, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds explicit job-level permissions to the GitHub Actions workflow to address CodeQL security alerts about missing workflow permissions. It applies the principle of least privilege by restricting both validation jobs to only contents: read permission.

Changes:

  • Added permissions: contents: read to the validate-hacs job
  • Added permissions: contents: read to the validate-hassfest job

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@chrisdpurcell chrisdpurcell merged commit 1d66055 into main Feb 18, 2026
16 of 17 checks passed
@chrisdpurcell chrisdpurcell deleted the fix/workflow-permissions branch February 18, 2026 19:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

maintenance Automated maintenance PR from repo manager

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chrisdpurcell