| runs-on: ubuntu-latest | ||
| container: | ||
| image: xd009642/tarpaulin:develop-nightly | ||
| options: --security-opt seccomp=unconfined | ||
| services: | ||
| redis: | ||
| image: redis:5.0.7 | ||
| ports: | ||
| - 6379:6379 | ||
| options: --entrypoint redis-server | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - name: Install Protoc | ||
| uses: arduino/setup-protoc@v1 | ||
| - name: Install Redis | ||
| run: | | ||
| apt-get update | ||
| apt-get install -y redis-server | ||
| redis-server --daemonize yes | ||
| redis-cli ping | ||
| - name: Generate code coverage | ||
| run: | | ||
| cargo +nightly tarpaulin --verbose --all-features --workspace --timeout 120 --out xml | ||
| - name: Upload To codecov.io | ||
| uses: codecov/codecov-action@v3 | ||
| with: | ||
| token: ${{secrets.CODECOV_TOKEN}} No newline at end of file |
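Review bot: `options: --security-opt seccomp=unconfined` on the job container drops the default seccomp profile for every step of the job, not just the tarpaulin run; if tarpaulin's ptrace-based coverage needs it, say so in a YAML comment next to that line and keep the rest of the job minimal, in particular pinning `arduino/setup-protoc@v1`, `codecov/codecov-action@v3` and `actions/checkout@v5` to full commit SHAs instead of mutable tags. The `services: redis` block and the `Install Redis` step that starts a second `redis-server --daemonize yes` are redundant; keep one of them so it is clear which instance the tests talk to.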
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To fix the problem, we should add an explicit permissions block to the job that is missing it. This block should specify the least privileges required. In this workflow, the job cover does not appear to need to write back to the repository (it only checks out code, installs dependencies, runs tests, and uploads coverage results). Therefore, setting permissions: contents: read at the job level (just above runs-on:) ensures only read access to repository contents, adhering to the principle of least privilege. No new imports or action changes are needed; only the YAML configuration is updated.
| @@ -7,6 +7,8 @@ | ||
|
|
||
| jobs: | ||
| cover: | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| container: | ||
| image: xd009642/tarpaulin:develop-nightly |
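Review bot: `permissions: contents: read` at the `cover` job level is the right scope here; every scope not listed in a job-level block is set to `none`, and the `Upload To codecov.io` step authenticates with `secrets.CODECOV_TOKEN` rather than `GITHUB_TOKEN`, so nothing else in the job needs write access. Consider also adding the same block at the workflow top level so that any job added later inherits read-only permissions by default.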
No description provided.