Skip to content

Restrict GITHUB_TOKEN permissions for build-assets job#126

Closed
Copilot wants to merge 1 commit intoalert-autofix-2from
copilot/sub-pr-125
Closed

Restrict GITHUB_TOKEN permissions for build-assets job#126
Copilot wants to merge 1 commit intoalert-autofix-2from
copilot/sub-pr-125

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Feb 23, 2026
edited
Loading

The build-assets job had no explicit permissions block, granting it the default (potentially write) GITHUB_TOKEN scopes — more than needed.

Changes

  • .github/workflows/release.yml: Added permissions: contents: read to the build-assets job. actions/checkout only needs read access; actions/upload-artifact uses the internal ACTIONS_RUNTIME_TOKEN and requires no repository scopes at all. The create-release job retains contents: write for release asset uploads.
  build-assets:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # added
    strategy:

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

Copilot AI mentioned this pull request Feb 23, 2026
Merged
Copilot AI changed the title [WIP] Fix permissions in build-assets job for code scanning alert Restrict GITHUB_TOKEN permissions for build-assets job Feb 23, 2026
@Project516 Project516 deleted the branch alert-autofix-2 February 23, 2026 22:24
@Project516 Project516 closed this Feb 23, 2026
@Project516 Project516 deleted the copilot/sub-pr-125 branch February 23, 2026 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Project516 Project516

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Project516