From e85a3c159425c405091028c7fd95baa1bfd2567f Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 18:54:55 -0400
Subject: [PATCH 01/14] Potential fix for code scanning alert no. 18
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/angular.yml b/.github/workflows/angular.yml
index 9cdc701c..fa66c061 100644
--- a/.github/workflows/angular.yml
+++ b/.github/workflows/angular.yml
@@ -3,6 +3,9 @@ name: Angular
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: ⚒️
@@ -69,4 +72,6 @@ jobs:
 name: 🚢
 if: startsWith(github.ref, 'refs/tags/')
 needs: [build, test, lint]
+ permissions:
+ contents: write
 uses: ./.github/workflows/angular.release.yml
From 8e212f3fb4af7b21cd67f19408bad31077a499ba Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 18:55:17 -0400
Subject: [PATCH 02/14] Potential fix for code scanning alert no. 16
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/angular.yml b/.github/workflows/angular.yml
index 9cdc701c..15fde068 100644
--- a/.github/workflows/angular.yml
+++ b/.github/workflows/angular.yml
@@ -50,6 +50,9 @@ jobs:
 name: ☁️
 if: needs.terraform.outputs.api_key && github.ref == 'refs/heads/main'
 needs: [terraform]
+ permissions:
+ contents: read
+ deployments: write
 uses: ./.github/workflows/angular.azure.web.static.deploy.yml
 with:
 api_key: ${{ needs.terraform.outputs.api_key }}
From e4482364239ef4a63610061efeac8c7b10378c36 Mon Sep 17 00:00:00 2001
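Review bot: The top-level `permissions:` / `  contents: read` block added in the first hunk is added a second time, at the same position and against the same base blob `9cdc701c`, by patch 06/14 (alert no. 12); applied in series the later patch will either fail to apply on the shifted context or, if merged by hand, leave two top-level `permissions` keys, which most YAML loaders resolve silently as last-wins. Keep one of the two — this patch is the better candidate since it also scopes the release job to `contents: write` — and drop the other. Patches 02 to 05 likewise all start from `9cdc701c`, so the series should be reconciled into one change to `angular.yml` rather than six independent autofixes. The `jobs:` mapping both hunks edit continues outside the hunks.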
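Review bot: The `deployments: write` granted to this job and the `contents: read`-only block that patch 13/14 puts at the top of the called workflow `angular.azure.web.static.deploy.yml` contradict each other: as I understand GitHub's rules for reusable workflows, the called workflow can only narrow the permissions the caller passes, so either the write scope here is dead or patch 13 removes a scope the deploy needs. The same caller/callee disagreement appears in patch 03 versus patch 08 (`angular.terraform.yml` declares `pull-requests: write` but the calling job grants only `contents: read`) and in patch 04 versus patches 09/11 (`angular.docker.yml` declares `packages: write` but the calling job grants only `contents: read`). Each pair should be settled from what the callee's steps actually use, e.g. for the docker job `permissions:` / `  contents: read` / `  packages: write` if it pushes to GHCR with `GITHUB_TOKEN`. The `jobs:` mapping continues outside the hunk.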
From: Austen Stone
Date: Thu, 3 Jul 2025 18:55:18 -0400
Subject: [PATCH 03/14] Potential fix for code scanning alert no. 15
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/angular.yml b/.github/workflows/angular.yml
index 9cdc701c..d3590daf 100644
--- a/.github/workflows/angular.yml
+++ b/.github/workflows/angular.yml
@@ -43,6 +43,8 @@ jobs:
 # skip until we get Azure working
 # if: 0
 needs: [docker, test, lint]
+ permissions:
+ contents: read
 uses: ./.github/workflows/angular.terraform.yml
 secrets: inherit
From 89d004efa564198ba8afac2b593576fc72baf247 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 18:55:20 -0400
Subject: [PATCH 04/14] Potential fix for code scanning alert no. 14
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/angular.yml b/.github/workflows/angular.yml
index 9cdc701c..bffd4f76 100644
--- a/.github/workflows/angular.yml
+++ b/.github/workflows/angular.yml
@@ -35,6 +35,8 @@ jobs:
 name: 🐳
 if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main'
 needs: [build]
+ permissions:
+ contents: read
 uses: ./.github/workflows/angular.docker.yml
 secrets: inherit
From a11e383faa1078960fe09c2bd54345b8a8074801 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 18:55:23 -0400
Subject: [PATCH 05/14] Potential fix for code scanning alert no. 13
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/angular.yml b/.github/workflows/angular.yml
index 9cdc701c..ce77d9d8 100644
--- a/.github/workflows/angular.yml
+++ b/.github/workflows/angular.yml
@@ -29,6 +29,9 @@ jobs:
 name: 🚀
 if: github.ref == 'refs/heads/main'
 needs: [build, test, lint]
+ permissions:
+ contents: read
+ pages: write
 uses: ./.github/workflows/angular.pages.deploy.yml
 docker:
From 14c5e791d2509dd0ef6bc5e0ae1664ad617a7e8d Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 18:55:24 -0400
Subject: [PATCH 06/14] Potential fix for code scanning alert no. 12
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/angular.yml b/.github/workflows/angular.yml
index 9cdc701c..170b8b54 100644
--- a/.github/workflows/angular.yml
+++ b/.github/workflows/angular.yml
@@ -3,6 +3,9 @@ name: Angular
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: ⚒️
From 43bdcb33856a5f7acc14c8df9e5ac59eca7ba1eb Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 18:55:26 -0400
Subject: [PATCH 07/14] Potential fix for code scanning alert no. 11
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/build-test-deploy.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/build-test-deploy.yml b/.github/workflows/build-test-deploy.yml
index 958dc298..bf1b5075 100644
--- a/.github/workflows/build-test-deploy.yml
+++ b/.github/workflows/build-test-deploy.yml
@@ -1,3 +1,5 @@
+permissions:
+ contents: read
 name: CI/CD
 on:
 workflow_dispatch:
From 6b6ffa2a6d8dda10b5e302e2b84ef004f0efaaf4 Mon Sep 17 00:00:00 2001
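Review bot: `pages: write` may not be enough for this job if the called `angular.pages.deploy.yml` (not in this series) deploys with `actions/deploy-pages`, which also needs `id-token: write` to obtain its OIDC token; because a caller job's `permissions` caps what the called workflow can use, the callee cannot add that scope itself. If that is the case the block should read `permissions:` / `  contents: read` / `  pages: write` / `  id-token: write`. The `jobs:` mapping continues outside the hunk.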
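Review bot: The new `permissions:` block is placed above `name: CI/CD` as the first key of the file, whereas the rest of this series places it after the `on:` trigger block (`angular.yml`, `angular.lint.yml`, `angular.build.yml`, `angular.azure.web.app.deploy.yml`); patch 13/14 makes the same placement choice in `angular.azure.web.static.deploy.yml`. Moving it below `on:` in both files keeps `name:` first and the workflow files consistent with each other. Whether `contents: read` alone is right for this workflow depends on its jobs, which are outside the hunk.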
From: Austen Stone
Date: Thu, 3 Jul 2025 18:56:49 -0400
Subject: [PATCH 08/14] Potential fix for code scanning alert no. 8
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.terraform.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/angular.terraform.yml b/.github/workflows/angular.terraform.yml
index be69127c..d35264f0 100644
--- a/.github/workflows/angular.terraform.yml
+++ b/.github/workflows/angular.terraform.yml
@@ -1,5 +1,9 @@
 name: "Terraform"
+permissions:
+ contents: read
+ pull-requests: write
+
 on:
 workflow_call:
 outputs:
From f0d0d328f0013a60ab77c741ebf8686bf96663b6 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 18:56:51 -0400
Subject: [PATCH 09/14] Potential fix for code scanning alert no. 6
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.docker.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/angular.docker.yml b/.github/workflows/angular.docker.yml
index aef2fced..73d9d220 100644
--- a/.github/workflows/angular.docker.yml
+++ b/.github/workflows/angular.docker.yml
@@ -25,6 +25,9 @@ env:
 jobs:
 docker:
+ permissions:
+ contents: read
+ packages: write
 environment:
 name: DockerHub
 url: https://hub.docker.com/r/${{ inputs.dockerhub-username }}/${{ github.event.repository.name }}
@@ -50,6 +53,9 @@ jobs:
 images: ${{ inputs.dockerhub-username }}/${{ github.event.repository.name }}
 docker-ghcr:
+ permissions:
+ contents: read
+ packages: write
 environment:
 name: GitHub Container Registry
 url: https://github.com/${{ github.event.repository.owner.login }}/${{ github.event.repository.name }}/pkgs/container/${{ github.event.repository.name }}
From 0b4bf78d4c9abb08a29716fc4ab87618bfebe997 Mon Sep 17 00:00:00 2001
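Review bot: `pull-requests: write` at the workflow level is granted to every job in `angular.terraform.yml`, including any that only run plan or apply; if the scope exists for a step that posts the plan as a PR comment, scoping it to that job alone (`permissions:` / `  contents: read` / `  pull-requests: write` under the job) keeps the others at `contents: read`. The jobs are outside the hunk, so which step needs it cannot be confirmed here; a one-line comment above the scope naming that step would help the next reader.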
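Review bot: A job-level `permissions` block replaces the workflow-level one for that job instead of merging with it, so once these blocks exist on `docker` and `docker-ghcr`, the `actions: write` that patch 11/14 adds at the top of this same file never reaches either job; if those are the only jobs in `angular.docker.yml`, one of the two patches is redundant and they should be reconciled into a single change (both are also based on `aef2fced`, so they must be checked to apply in series). Separately, the `docker` job targets Docker Hub (its `url:` points at `hub.docker.com`), so `packages: write` — a GitHub Packages/GHCR scope — is likely unnecessary there and could be reduced to `contents: read`; confirm against its steps, which are outside the hunk.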
From: Austen Stone
Date: Thu, 3 Jul 2025 18:56:53 -0400
Subject: [PATCH 10/14] Potential fix for code scanning alert no. 5
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.lint.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/angular.lint.yml b/.github/workflows/angular.lint.yml
index 62e40484..bf3f0759 100644
--- a/.github/workflows/angular.lint.yml
+++ b/.github/workflows/angular.lint.yml
@@ -3,6 +3,9 @@ name: Lint
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
From 3509acbaad93367d009ba2bd63cd0f0294d23a64 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 18:56:55 -0400
Subject: [PATCH 11/14] Potential fix for code scanning alert no. 4
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.docker.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/angular.docker.yml b/.github/workflows/angular.docker.yml
index aef2fced..e70fa420 100644
--- a/.github/workflows/angular.docker.yml
+++ b/.github/workflows/angular.docker.yml
@@ -1,5 +1,10 @@
 name: Docker Deploy
+permissions:
+ contents: read
+ packages: write
+ actions: write
+
 on:
 workflow_call:
 inputs:
From d17d82c5c384705a3bfa3b7f1557824ca406551e Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 18:56:57 -0400
Subject: [PATCH 12/14] Potential fix for code scanning alert no. 3
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.build.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/angular.build.yml b/.github/workflows/angular.build.yml
index 9a3f7a89..0ccc6c44 100644
--- a/.github/workflows/angular.build.yml
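Review bot: `actions: write` at the workflow level is a broad scope — it lets the token cancel or re-run workflow runs and delete caches and artifacts — and nothing in the hunk shows what a build-and-push workflow needs it for; patch 12/14 adds the same scope to `angular.build.yml`. If it exists for cache handling, note that as far as I know `actions/cache` save and restore need no `GITHUB_TOKEN` permission, and the block could drop to `contents: read` and `packages: write`. If a step genuinely requires it, a comment above the line naming that step, e.g. `# actions: write — needed by <step name> for <reason>`, would stop the next reviewer from removing it. The `on:` block that follows continues outside the hunk.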
+++ b/.github/workflows/angular.build.yml
@@ -12,6 +12,10 @@ on:
 required: false
 type: string
+permissions:
+ contents: read
+ actions: write
+
 jobs:
 build:
 runs-on: ${{ inputs.runs-on }}
From 6fa029b1ab3151cf02c1ccde280c9cb4a9e43861 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 18:56:59 -0400
Subject: [PATCH 13/14] Potential fix for code scanning alert no. 2
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.azure.web.static.deploy.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/angular.azure.web.static.deploy.yml b/.github/workflows/angular.azure.web.static.deploy.yml
index ed9936a8..3a169322 100644
--- a/.github/workflows/angular.azure.web.static.deploy.yml
+++ b/.github/workflows/angular.azure.web.static.deploy.yml
@@ -1,3 +1,5 @@
+permissions:
+ contents: read
 name: Azure Static Site Deploy
 on:
From 4ac0172c2748a6aaaa1e5afd402bdbccad3c91a5 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 18:57:01 -0400
Subject: [PATCH 14/14] Potential fix for code scanning alert no. 1
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Austen Stone
---
 .github/workflows/angular.azure.web.app.deploy.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/angular.azure.web.app.deploy.yml b/.github/workflows/angular.azure.web.app.deploy.yml
index 6ebcf7f1..b9b96b6a 100644
--- a/.github/workflows/angular.azure.web.app.deploy.yml
+++ b/.github/workflows/angular.azure.web.app.deploy.yml
@@ -11,6 +11,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 jobs:
 azure-web-app:
 runs-on: ubuntu-latest
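Review bot: If this workflow signs in with `azure/login` using OIDC federated credentials, the job also needs `id-token: write`, which the new `contents: read`-only block now removes, since listing any scope sets every unlisted scope to none; the same applies to patch 13/14's block in `angular.azure.web.static.deploy.yml`. The jobs are outside the hunk, so this is a check to run before merging rather than a confirmed defect; if the login is OIDC-based, add `  id-token: write` under `permissions:`.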