From 80cbc9531cc17f7718e95eb4def594aa4797315a Mon Sep 17 00:00:00 2001
From: Vinod
Date: Wed, 20 Aug 2025 17:17:37 +0200
Subject: [PATCH 1/7] Potential fix for code scanning alert no. 644: Shell command built from environment values
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 build/azure-pipelines/publish-types/update-types.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build/azure-pipelines/publish-types/update-types.ts b/build/azure-pipelines/publish-types/update-types.ts
index 0f99b07c..3bb02b7a 100644
--- a/build/azure-pipelines/publish-types/update-types.ts
+++ b/build/azure-pipelines/publish-types/update-types.ts
@@ -16,7 +16,7 @@ try {
 const dtsUri = `https://raw.githubusercontent.com/microsoft/vscode/${tag}/src/vscode-dts/vscode.d.ts`;
 const outPath = path.resolve(process.cwd(), 'DefinitelyTyped/types/vscode/index.d.ts');
- cp.execSync(`curl ${dtsUri} --output ${outPath}`);
+ cp.execFileSync('curl', [dtsUri, '--output', outPath]);
 updateDTSFile(outPath, tag);
From 2b07928b4efe42f3c2ea1a06c43ea3ee71fcb741 Mon Sep 17 00:00:00 2001
From: Vinod
Date: Wed, 20 Aug 2025 17:19:03 +0200
Subject: [PATCH 2/7] Potential fix for code scanning alert no. 678: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/markdownlint.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/markdownlint.yml b/.github/workflows/markdownlint.yml
index a4d1e88f..4db9dd90 100644
--- a/.github/workflows/markdownlint.yml
+++ b/.github/workflows/markdownlint.yml
@@ -1,6 +1,8 @@
 # Markdown Lint
 # This workflow runs markdownlint on all Markdown files in the repository
 name: Markdown Lint
+permissions:
+ contents: read
 on:
 push:
From 79d25578be5fc9cfaf83dc88d39aca7fbe4cdfd8 Mon Sep 17 00:00:00 2001
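Review bot: The new `cp.execFileSync('curl', [dtsUri, '--output', outPath])` call in update-types.ts removes the shell, but curl still exits 0 on an HTTP error response, so a tag with no matching file would leave an error page in `outPath` that `updateDTSFile` then processes. Adding `--fail` closes that gap and `--globoff` stops curl from expanding `{}`/`[]` in the URL: `cp.execFileSync('curl', ['--fail', '--globoff', dtsUri, '--output', outPath]);`. `tag` is assigned outside this hunk and is interpolated into the URL path, so it would be worth checking it against the expected tag format before `dtsUri` is built. The enclosing `try` block starts and ends outside the hunk.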
From: Vinod
Date: Wed, 20 Aug 2025 17:20:09 +0200
Subject: [PATCH 3/7] Potential fix for code scanning alert no. 667: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/metrics.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/metrics.yml b/.github/workflows/metrics.yml
index 0efbe638..e3e89090 100644
--- a/.github/workflows/metrics.yml
+++ b/.github/workflows/metrics.yml
@@ -1,6 +1,8 @@
 # GitHub Metrics
 # This workflow generates a metrics SVG and commits it to the repository
 name: Metrics Embed
+permissions:
+ contents: write
 on:
 schedule: [{cron: "0 0 * * 0"}] # every week
From 7edd90dea19e82739aec4d6ecaa01e3f723cabf9 Mon Sep 17 00:00:00 2001
From: Vinod
Date: Wed, 20 Aug 2025 17:21:12 +0200
Subject: [PATCH 4/7] Potential fix for code scanning alert no. 655: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/gosec.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
index 02d04a47..e9dd9462 100644
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
@@ -1,6 +1,8 @@
 # GoSec Security Checker
 # This workflow runs gosec to check Go code for security issues
 name: GoSec Security Checker
+permissions:
+ contents: read
 on:
 push:
From b8f2d18b91317ec42d5fc26605a74826e70f614b Mon Sep 17 00:00:00 2001
From: Vinod
Date: Wed, 20 Aug 2025 17:22:28 +0200
Subject: [PATCH 5/7] Potential fix for code scanning alert no. 649: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/pylint.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml
index 4bf75e0c..0a6b4a79 100644
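Review bot: In metrics.yml the `contents: write` grant is declared at workflow level, so every job and step in the file receives a token that can push to the repository. The header comment says the workflow commits the generated SVG, so write access is expected, but it is tighter to keep the top-level block at `contents: read` and declare `permissions:` with `contents: write` only on the job that performs the commit. The jobs are outside this hunk, so confirm which one needs it. Because that job runs unattended on a schedule with a write token, it is also worth checking that any third-party action it uses is pinned to a commit SHA.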
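Review bot: Declaring `permissions:` in gosec.yml sets every scope that is not listed to `none`, and the jobs that consume the token are not visible in this hunk. If a step uploads the gosec results as SARIF to code scanning it needs `security-events: write` alongside `contents: read`, otherwise the upload will start failing once this lands. The same check applies to python-docs.yml in patch 6/7: if the Sphinx job pushes or publishes the generated documentation, `contents: read` will block it. A short comment above the block such as `# least privilege: read-only checkout, no other scopes required` would record that this was verified.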
--- a/.github/workflows/pylint.yml
+++ b/.github/workflows/pylint.yml
@@ -1,3 +1,5 @@
+permissions:
+ contents: read
 name: Pylint
 on: [push]
From 4687cbdd1bb1d09242b719602a358097e7bdac0d Mon Sep 17 00:00:00 2001
From: Vinod
Date: Wed, 20 Aug 2025 17:22:53 +0200
Subject: [PATCH 6/7] Potential fix for code scanning alert no. 643: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/python-docs.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/python-docs.yml b/.github/workflows/python-docs.yml
index 7ab6a7fa..5a3fd91b 100644
--- a/.github/workflows/python-docs.yml
+++ b/.github/workflows/python-docs.yml
@@ -1,6 +1,8 @@
 # Python Auto Documentation
 # This workflow auto-generates documentation using Sphinx
 name: Python Auto Documentation
+permissions:
+ contents: read
 on:
 push:
From c6cc1a2148c254989f8df5c16bb5e9308fa10df1 Mon Sep 17 00:00:00 2001
From: Vinod
Date: Wed, 20 Aug 2025 17:23:19 +0200
Subject: [PATCH 7/7] Potential fix for code scanning alert no. 641: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/python-style.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/python-style.yml b/.github/workflows/python-style.yml
index ce01c013..d1c6fc7f 100644
--- a/.github/workflows/python-style.yml
+++ b/.github/workflows/python-style.yml
@@ -1,6 +1,8 @@
 # Python Style Check
 # This workflow checks Python code style using flake8
 name: Python Style Check
+permissions:
+ contents: read
 on:
 push:
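Review bot: In pylint.yml the `permissions:` block is inserted above `name: Pylint`, whereas the other workflows in this series place it directly after `name:`. Key order does not change behaviour, but keeping `name:` first and `permissions:` right after it matches the rest of the series and makes the token scope easier to find when auditing workflows. The workflow runs on every push (`on: [push]`) and its jobs are outside this hunk, so confirm that none of them needs more than `contents: read`.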