Potential fix for code scanning alert no. 1: Workflow does not contain permissions#7

Merged: mtrossbach merged 1 commit into main from alert-autofix-1 on May 4, 2026
@mtrossbach
Member

Potential fix for https://github.com/SchwarzDigits/hypermatch/security/code-scanning/1

Add an explicit permissions block to the workflow so GITHUB_TOKEN is limited to least privilege.
The best minimal fix without changing functionality is to define workflow-level permissions right after on: (or before jobs:), with contents: read. This is the minimum CodeQL-recommended baseline and is sufficient for checkout and read operations in this test workflow. If later steps require additional scopes, they can be added explicitly.

File to edit: .github/workflows/go-test.yml
Change: Insert:

permissions:
  contents: read

between the trigger section and jobs:.

No imports, methods, or dependencies are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@mtrossbach mtrossbach marked this pull request as ready for review May 4, 2026 11:52
@mtrossbach mtrossbach merged commit c7e7ef0 into main May 4, 2026
7 checks passed
@mtrossbach mtrossbach deleted the alert-autofix-1 branch May 4, 2026 11:53
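
An added example, not part of this pull request or the hypermatch repository: a simplified presence check in the spirit of the "Workflow does not contain permissions" alert (not CodeQL's query), run on a constructed Go test workflow before and after the change described above. The workflow contents, the `lint` job and the function name are assumptions made for illustration.

```python
import re

# Constructed sample of a Go test workflow; not the repository's actual file.
BEFORE = """\
on:
  push:
    branches: [main]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go test ./...
"""
# The same workflow with the block from this PR inserted between the trigger and jobs:.
AFTER = BEFORE.replace("jobs:\n", "permissions:\n  contents: read\njobs:\n", 1)
# Constructed variant: no workflow-level block, only one of two jobs restricts the token.
MIXED = BEFORE + "  lint:\n    permissions:\n      contents: read\n    runs-on: ubuntu-latest\n"
KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):")

def jobs_without_permissions(text):
    """Return ids of jobs that fall back to the repository default GITHUB_TOKEN scopes."""
    # Indentation-based scan for block-style YAML only; checks presence, not breadth.
    workflow_level = False
    section = job = None          # current top-level key / current job id
    job_indent = child_indent = None
    has_perms = {}                # job id -> job declares its own permissions
    for line in text.splitlines():
        m = KEY.match(line)
        if not m:                 # blank lines, comments, list items, scalars
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            section, job, job_indent = key, None, None
            workflow_level = workflow_level or key == "permissions"
        elif section == "jobs":
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:          # a new job id under jobs:
                job, child_indent = key, None
                has_perms[job] = False
            elif job is not None:
                if child_indent is None:
                    child_indent = indent
                if indent == child_indent and key == "permissions":
                    has_perms[job] = True
    # A workflow-level block covers every job that does not override it.
    return [] if workflow_level else sorted(j for j, ok in has_perms.items() if not ok)
```

A non-empty result names the jobs whose token scope is decided by the repository or organization default rather than by the workflow file.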