refactor(ci): split CI jobs more granularly #192
      uses: actions/checkout@v4

    - name: Hub login
      uses: docker/login-action@v3
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow (Medium)

    - name: Set up Docker Buildx
      id: buildx
      uses: docker/setup-buildx-action@v3
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow (Medium)
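Review bot: both `docker/login-action@v3` and `docker/setup-buildx-action@v3` (and the `actions/checkout@v4` step above them) reference mutable version tags, which is exactly what the two CodeQL "Unpinned tag for a non-immutable Action" findings are about: a tag can be moved to different code after this PR is reviewed, and these steps handle registry credentials. Pin each `uses:` to a full-length commit SHA and keep the human-readable version in a trailing comment, e.g. `uses: docker/login-action@<full commit sha> # v3` (placeholder, look up the SHA for the release you intend to use), then let Dependabot or an equivalent updater bump the SHA.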
name: Unit Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Unit Tests
        run: make unit-tests
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 9 months ago
To fix the problem, add a permissions block to the workflow file to explicitly restrict the GITHUB_TOKEN permissions. Since the workflow only checks out code and runs unit tests, it only needs read access to repository contents. The best way to do this is to add permissions: contents: read at the top level of the workflow file, just after the name field and before the on field. This will apply the restriction to all jobs in the workflow. No other changes are needed.
| @@ -1,2 +1,4 @@ | ||
| name: Unit Tests | ||
| permissions: | ||
| contents: read | ||
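Review bot: a top-level `permissions:` block with only `contents: read` is the right scope for this file (checkout plus `make unit-tests` needs nothing else), but it restricts the GITHUB_TOKEN for every job in the workflow. If the Hub login / Buildx jobs introduced by this PR are ever merged into the same workflow file, give those jobs their own job-level `permissions:` block instead of widening this top-level one, so the unit-test job keeps read-only access.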
Addresses #190 (comment)