| runs-on: ubuntu-latest | ||
| container: | ||
| image: xd009642/tarpaulin:develop-nightly | ||
| options: --security-opt seccomp=unconfined | ||
| services: | ||
| redis: | ||
| image: redis:5.0.7 | ||
| ports: | ||
| - 6379:6379 | ||
| options: --entrypoint redis-server | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - name: Install Protoc | ||
| uses: arduino/setup-protoc@v1 | ||
| - name: Install Redis | ||
| run: | | ||
| apt-get update | ||
| apt-get install -y redis-server | ||
| redis-server --daemonize yes | ||
| redis-cli ping | ||
| - name: Generate code coverage | ||
| run: | | ||
| cargo +nightly tarpaulin --verbose --all-features --workspace --timeout 120 --out xml | ||
| - name: Upload To codecov.io | ||
| uses: codecov/codecov-action@v3 | ||
| with: | ||
| token: ${{secrets.CODECOV_TOKEN}} No newline at end of file |
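Review bot: the third-party steps `arduino/setup-protoc@v1` and `codecov/codecov-action@v3` are referenced by mutable tags, and the job container uses the moving tag `xd009642/tarpaulin:develop-nightly`, in the same job that hands `secrets.CODECOV_TOKEN` to the upload step. Pin the actions to full commit SHAs and the image to a digest so that a retagged release cannot change what runs next to the token. Separately, Redis is started twice: once as the `redis:5.0.7` service and again through `apt-get install -y redis-server` followed by `redis-server --daemonize yes` inside the job container. Keep one of the two; if the service is the one kept, note that a job running in a container reaches it at the hostname `redis`, not through the published `6379:6379` port on localhost. The `--security-opt seccomp=unconfined` option on the job container should carry a short comment saying why the coverage run needs it, and the file should end with a newline.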
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To fix this issue, you should add a permissions block to the workflow so that the GitHub Actions job runs with the minimal necessary privileges. In this case, the workflow performs a code checkout and uploads code coverage data to an external service. Thus, it only needs to read repository contents. Insert permissions: contents: read at the top level of the workflow file, directly after the workflow name, so that it applies to all jobs in the workflow. No other methods, imports, or definitions are required for this edit; a single line suffices.
| @@ -1,4 +1,6 @@ | ||
| name: Code Coverage | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
No description provided.