Skip to content

Potential fix for code scanning alert no. 1: Workflow does not contain permissions#256

Merged
RyanDFIR merged 1 commit into
mainfrom
alert-autofix-1
Feb 24, 2026
Merged

Potential fix for code scanning alert no. 1: Workflow does not contain permissions#256
RyanDFIR merged 1 commit into
mainfrom
alert-autofix-1

Conversation

@RyanDFIR

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/obsidianforensics/hindsight/security/code-scanning/1

In general, the fix is to add an explicit permissions block that grants only the minimal scopes needed to run the release drafter workflow. This can be done at the top level of the workflow (applying to all jobs) or specifically under the update_release_draft job. The release-drafter action needs to read repository contents and metadata and to update or create GitHub Releases, which requires contents: write. Other scopes (like full pull-requests or issues write access) are not strictly necessary for basic operation and can remain at their default (implicit read when unspecified in a job with an explicit permissions block).

The single best minimal change here is to add a permissions block to the update_release_draft job, right under runs-on: ubuntu-latest. This keeps the change tightly scoped to this job, documents what it needs, and avoids altering behavior of any other workflows. The block should grant contents: write and set all other implicit permissions to none by virtue of not granting them (GitHub treats unspecified scopes under an explicit permissions as none, except for a couple of implied read behaviors which are limited). No imports or additional methods are needed; this is a pure YAML configuration change within .github/workflows/release-drafter.yml.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@RyanDFIR RyanDFIR marked this pull request as ready for review February 24, 2026 16:39
@RyanDFIR RyanDFIR merged commit 7975699 into main Feb 24, 2026
3 checks passed
@RyanDFIR RyanDFIR deleted the alert-autofix-1 branch February 24, 2026 16:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant