Fix CodeQL workflow errors by pinning actions to full commit SHAs #3
- Create security.yml workflow with CodeQL v3 (replacing deprecated v2)
- Pin all GitHub Actions to full 40-character commit SHAs as required by org policy
- Updated workflows: ci.yml, codeql.yml, jekyll-gh-pages.yml, security.yml

This resolves the "all actions must be pinned to a full-length commit SHA" errors and updates CodeQL actions to v3 to address the v2 deprecation warning.
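The two policy checks this PR is responding to (every `uses:` pinned to a full 40-hex commit SHA, and every job carrying a least-privilege `permissions:` block) can be enforced locally before pushing. The checker below is an added example, not part of this PR or any GitHub tooling; it is a deliberately dependency-free, line-based scan (no PyYAML), and `SAMPLE_WORKFLOW` is a constructed workflow, not the repository's file.

```python
import re

# Constructed sample (not the PR's file): npm-audit is SHA-pinned and
# least-privilege; snyk uses a mutable tag and declares no permissions block.
SAMPLE_WORKFLOW = """\
jobs:
  npm-audit:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
  snyk:
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local
"""
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(text):
    """(line_no, ref) for each `uses:` not pinned to a full 40-hex commit SHA.
    Local actions (./path) and docker:// images have no commit to pin."""
    bad = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        if not SHA_RE.match(m.group(1).partition("@")[2]):
            bad.append((no, m.group(1)))
    return bad


def find_jobs_without_permissions(text):
    """Jobs lacking a job-level `permissions:` when none is set workflow-wide
    (either location satisfies CodeQL's missing-permissions check)."""
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if line.startswith("permissions:"):
            return []  # workflow-level block covers every job
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if in_jobs and re.match(r"\S", line):
            in_jobs, current = False, None  # left the jobs mapping
        m = re.match(r"^  ([\w-]+):\s*$", line)  # job key at 2-space indent
        if in_jobs and m:
            current = m.group(1)
            jobs[current] = False
        elif current and re.match(r"^    permissions:", line):
            jobs[current] = True
    return [name for name, ok in jobs.items() if not ok]
```

Run it over each file under `.github/workflows/` and fail the pre-push hook when either function returns a non-empty list.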
| name: NPM Audit | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | ||
| with: | ||
| node-version: '18.x' | ||
| cache: 'npm' | ||
|
|
||
| - name: Run npm audit | ||
| run: npm audit --audit-level=moderate | ||
| continue-on-error: true | ||
|
|
||
| - name: Run npm audit (production only) | ||
| run: npm audit --production --audit-level=high | ||
|
|
||
| codeql: |
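Review bot: The npm-audit job declares no `permissions:` block, so its GITHUB_TOKEN inherits the repository default scope; since the only token use here is `actions/checkout`, `permissions: contents: read` directly under `name: NPM Audit` is the right floor and clears the CodeQL finding. Two smaller points on the visible steps: `npm audit` is run without an install step, which works only because it reads the committed `package-lock.json` (the command errors without a lockfile), and `--production` is a deprecated alias for `--omit=dev` on current npm, so the second step is better written as `npm audit --omit=dev --audit-level=high`.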
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 5 months ago):
To fix this issue, we should add a permissions block to the npm-audit job, specifying only the necessary permissions. For typical audit jobs, the contents: read permission is sufficient, ensuring the job can read the repository code but cannot write to it or make repository changes. The change should be added directly under the job definition (below the name: NPM Audit line and above runs-on). No further imports or methods are necessary—simply add the correct YAML configuration. No other jobs or workflow-level changes are necessary, as each job can declare its own block.
| @@ -12,6 +12,8 @@ | ||
| jobs: | ||
| npm-audit: | ||
| name: NPM Audit | ||
| permissions: | ||
| contents: read | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
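Review bot: The placement under `name: NPM Audit` is fine and the two added lines are valid YAML at job indentation; one caveat worth a comment in the file is that a job-level `permissions:` block replaces the default token scope entirely rather than merging with it, so any step added to this job later that needs write access (for example uploading results) must extend this block explicitly or it will fail with a 403.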
| name: Dependency Review | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| if: github.event_name == 'pull_request' | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | ||
|
|
||
| - name: Dependency Review | ||
| uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 | ||
| with: | ||
| fail-on-severity: moderate | ||
|
|
||
| snyk: |
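Review bot: The `if: github.event_name == 'pull_request'` guard is correct, since `dependency-review-action` diffs the PR base and head and errors on push events; the job still needs its own `permissions: contents: read` block to clear the CodeQL finding. Note the threshold mismatch with the npm-audit job: this job fails at `fail-on-severity: moderate` while the blocking npm audit step gates at `high`, so a moderate advisory blocks a PR here but passes on a direct push. If `comment-summary-in-pr` is ever enabled on this action, the permissions block will also need `pull-requests: write`.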
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 5 months ago):
To fix the problem, we need to add a permissions block to the dependency-review job in the workflow and set contents: read. This grants only the minimal required permission for the job and action, thus adhering to the principle of least privilege.
- Add a block: `permissions: contents: read`
- This block should be placed immediately under `dependency-review:` (at the same indentation as `name`, `runs-on`, etc.).
- No additional imports, methods, or variable definitions are needed.
| @@ -59,6 +59,9 @@ | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| if: github.event_name == 'pull_request' | ||
|
|
||
| steps: |
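Review bot: Style only: the block is inserted between `runs-on` and `if`, which is valid since YAML mapping order does not matter, but the other two jobs get their `permissions:` directly under `name:`; keeping the same position in all three jobs makes the least-privilege declaration easier to audit at a glance.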
| name: Snyk Security Scan | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | ||
|
|
||
| - name: Run Snyk to check for vulnerabilities | ||
| uses: snyk/actions/node@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0 | ||
| continue-on-error: true | ||
| env: | ||
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
| with: | ||
| args: --severity-threshold=high |
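Review bot: `continue-on-error: true` on the Snyk step combined with `--severity-threshold=high` means high-severity findings never fail the job, so this gate is advisory only; if it is meant to block merges, drop `continue-on-error` (or surface the result in a separate required check). Also, `secrets.SNYK_TOKEN` is not exposed to `pull_request` runs from forks, so on those PRs the step fails to authenticate and, with `continue-on-error`, does so silently. Like the other jobs, this one needs a `permissions: contents: read` block; the Snyk CLI itself authenticates with SNYK_TOKEN, so the GITHUB_TOKEN scope only has to cover checkout.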
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 5 months ago):
To fix the problem, we should add a permissions block to the snyk job to restrict the GITHUB_TOKEN permissions to the minimum necessary. For Snyk, which only needs to read code to perform vulnerability analysis, contents: read is sufficient. This change should be made by editing the .github/workflows/security.yml file:
- Add a `permissions:` block under the `snyk:` job, before the `runs-on:` key, and indent it to match nearby keys.
- Set `contents: read` under `permissions`.

No other changes, imports, or definitions are needed.
| @@ -73,6 +73,8 @@ | ||
| snyk: | ||
| name: Snyk Security Scan | ||
|
|
||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: |
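Review bot: Correct and consistent with the npm-audit hunk (block directly under `name:`, before `runs-on:`); `contents: read` is sufficient because the only GITHUB_TOKEN consumer in this job is `actions/checkout`, while the scan step authenticates to Snyk with `SNYK_TOKEN`. Nothing else to change in this hunk.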