Conversation
```yaml
name: Push images to Artifactory (${{ matrix.image_stream }})
needs: [set-version, set-pre-release, deploy]
strategy:
  matrix:
    image_stream:
      - cthub-backend
      - cthub-frontend
uses: ./.github/workflows/push-images-to-artifactory.yaml
with:
  env: dev
  app_name: zeva
  image_stream: ${{ matrix.image_stream }}
  image_tag: ${{ needs.set-version.outputs.version }}-${{ needs.set-pre-release.outputs.output1 }}
secrets: inherit
```
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix
AI 22 days ago
Generally, the issue is fixed by adding an explicit permissions block either at the workflow root (to apply to all jobs without their own block) or on specific jobs, granting only the minimal read/write scopes necessary. For jobs that do not interact with the repository via the API, permissions: contents: read is usually sufficient; for jobs that create commits, push branches, or otherwise need to write via GITHUB_TOKEN, appropriate write scopes (such as contents: write) are added.
For this workflow, the simplest and safest fix without changing any existing behavior is:

- Add a root-level `permissions` section that sets `contents: read` as the default for all jobs.
- Override `permissions` on the `deploy` job to grant `contents: write` because it runs git commit/push commands that (if they use `GITHUB_TOKEN` at any point) require write access to repository contents. The `push-to-artifactory` job is a reusable workflow invocation; since we cannot see its internals, the conservative step is to let it inherit the root default (`contents: read`), which is sufficient for typical image-tag reading and logging. If that reusable workflow needs more, it should define its own `permissions`.

Concretely:

- In `.github/workflows/dev-ci.yaml`, add a new `permissions:` block after the `on:` block at the top of the file:

  ```yaml
  permissions:
    contents: read
  ```

- In the same file, under the `deploy:` job definition (line 137 onward), add a `permissions:` block:

  ```yaml
  deploy:
    name: Deploy CTHUB on Dev
    runs-on: ubuntu-latest
    timeout-minutes: 60
    needs: [set-version, set-pre-release, build]
    permissions:
      contents: write
  ```

No additional imports or dependencies are required; this is a pure YAML configuration change.
| @@ -11,6 +11,9 @@ | ||
| # - backend/** | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| GIT_URL: https://github.com/bcgov/cthub.git | ||
| TOOLS_NAMESPACE: ${{ secrets.OPENSHIFT_NAMESPACE_PLATE }}-tools | ||
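Review bot: the root-level `permissions: contents: read` is the right least-privilege default, but it also caps the reusable workflow called by the push job (`uses: ./.github/workflows/push-images-to-artifactory.yaml` with `secrets: inherit`): a called workflow can only keep or reduce the caller's GITHUB_TOKEN scopes, never raise them, and with this block every scope other than `contents` drops to none. If that workflow needs anything beyond read-only contents (for example a package-registry write), the scope has to be granted on the calling job in this file; declaring it inside the reusable workflow alone will not work. Worth confirming against that workflow before merging.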
| @@ -139,6 +142,8 @@ | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 60 | ||
| needs: [set-version, set-pre-release, build] | ||
| permissions: | ||
| contents: write | ||
|
|
||
| env: | ||
| VERSION: ${{ needs.set-version.outputs.version }} |
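Review bot: `contents: write` on the deploy job is only needed if its git commit/push steps authenticate with GITHUB_TOKEN, and the hunk does not show which credential the push to `GIT_URL` uses; if it is a separate secret, this job can stay at the root `contents: read`. Also note that once a job declares `permissions:`, every unlisted scope becomes none, so confirm deploy needs nothing beyond `contents` (e.g. `id-token` or `packages`) for its remaining steps.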
No description provided.
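To make the CodeQL finding above concrete, here is an added example (not part of the PR or the Copilot autofix) of the check it performs: scan a workflow file and report every job that would run with the default GITHUB_TOKEN scopes because neither the job nor the workflow root declares `permissions:`, plus a listing of explicit `write` grants for a reviewer to eyeball. It is a line-oriented, indentation-based scan that assumes conventionally formatted 2-space YAML rather than a full YAML parser, and the two sample workflows are constructed, loosely modeled on the `dev-ci.yaml` shown in this PR.

```python
"""Flag GitHub Actions jobs that run with the default GITHUB_TOKEN scopes.

Added example (not from the PR or the Copilot autofix): an indentation-based
scan mirroring CodeQL's "Workflow does not contain permissions" check.
Heuristic for conventional 2-space YAML, not a YAML parser.
"""
import re
from typing import Dict, List

# "<indent><key>:" at line start; list items ("- ...") and comments do not match.
KEY_RE = re.compile(r"^( *)([A-Za-z0-9_.-]+):(?:\s|$)")
# "<indent><scope>: read|write|none" inside a permissions block.
SCOPE_RE = re.compile(r"^ *([a-z-]+):\s*(read|write|none)\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _block_end(lines: List[str], start: int, indent: int) -> int:
    """First line after `start` that leaves the block (non-blank, not a comment,
    indented at most `indent` spaces); len(lines) if the block runs to EOF."""
    for j in range(start + 1, len(lines)):
        s = lines[j]
        if not s.strip() or s.lstrip().startswith("#"):
            continue
        if _indent(s) <= indent:
            return j
    return len(lines)


def _child_keys(lines: List[str], start: int, indent: int) -> Dict[str, int]:
    """Direct child keys of the mapping opened at line `start` -> line index.
    The first key inside the block fixes the child indentation; deeper keys are skipped."""
    children: Dict[str, int] = {}
    child_indent = None
    for j in range(start + 1, _block_end(lines, start, indent)):
        m = KEY_RE.match(lines[j])
        if not m:
            continue
        if child_indent is None:
            child_indent = len(m.group(1))
        if len(m.group(1)) == child_indent:
            children[m.group(2)] = j
    return children


def _top_level(lines: List[str]) -> Dict[str, int]:
    top: Dict[str, int] = {}
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if m and m.group(1) == "":
            top[m.group(2)] = i
    return top


def jobs_missing_permissions(workflow_text: str) -> List[str]:
    """Jobs with no job-level permissions block and no root block to inherit."""
    lines = workflow_text.splitlines()
    top = _top_level(lines)
    if "permissions" in top or "jobs" not in top:
        return []
    return [name for name, idx in _child_keys(lines, top["jobs"], 0).items()
            if "permissions" not in _child_keys(lines, idx, _indent(lines[idx]))]


def declared_write_scopes(workflow_text: str) -> Dict[str, List[str]]:
    """Job name -> scopes granted 'write' in that job's own permissions block."""
    lines = workflow_text.splitlines()
    top = _top_level(lines)
    result: Dict[str, List[str]] = {}
    if "jobs" not in top:
        return result
    for name, idx in _child_keys(lines, top["jobs"], 0).items():
        perms = _child_keys(lines, idx, _indent(lines[idx])).get("permissions")
        if perms is None:
            continue
        if lines[perms].split(":", 1)[1].strip() == "write-all":
            result[name] = ["write-all"]  # shorthand that grants every scope
            continue
        writes = []
        for j in range(perms + 1, _block_end(lines, perms, _indent(lines[perms]))):
            m = SCOPE_RE.match(lines[j])
            if m and m.group(2) == "write":
                writes.append(m.group(1))
        if writes:
            result[name] = writes
    return result


# Constructed sample, loosely modeled on the PR's dev-ci.yaml: no permissions anywhere.
BEFORE = """\
name: CTHUB dev CI
on:
  push:
    branches: [ release-* ]
  workflow_dispatch:
env:
  GIT_URL: https://github.com/bcgov/cthub.git
jobs:
  set-version:
    runs-on: ubuntu-latest
    steps:
      - run: echo "version=1.0.0" >> "$GITHUB_OUTPUT"
  deploy:
    name: Deploy CTHUB on Dev
    runs-on: ubuntu-latest
    needs: [set-version]
    steps:
      - run: echo deploy
"""

# Same file after the autofix: read-only root default, write only where deploy needs it.
AFTER = BEFORE.replace("env:\n", "permissions:\n  contents: read\n\nenv:\n", 1).replace(
    "    needs: [set-version]\n",
    "    needs: [set-version]\n    permissions:\n      contents: write\n", 1)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", jobs_missing_permissions(text),
              "write grants:", declared_write_scopes(text))
```

Running the module prints the before/after comparison: both jobs are flagged before the fix, none after, and the only write grant left is `contents` on `deploy`. Because the scan keys off a root-level block, it also shows why the root default matters: drop only the root `permissions:` from the fixed file and `set-version` is flagged again even though `deploy` still has its own block.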