Potential fix for code scanning alert no. 6: Workflow does not contain permissions #40
Merged
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Sall <59910950+ss-o@users.noreply.github.com>
Pull request overview
Updates the zsh-n GitHub Actions workflow to address code scanning alert #6 by explicitly setting minimal GITHUB_TOKEN permissions at the workflow level.
Changes:
- Add a root-level `permissions:` block to restrict `GITHUB_TOKEN` to `contents: read` for this workflow.
Pull request closed and locked due to lack of activity. If you'd like to build on this closed PR, you can clone it using this method: https://stackoverflow.com/a/14969986 Then open a new PR, referencing this closed PR in your message.
Potential fix for https://github.com/z-shell/zbrowse/security/code-scanning/6

In general, the fix is to explicitly declare the minimal `GITHUB_TOKEN` permissions required by this workflow, instead of relying on repository/organization defaults. Because both jobs only need to read repository contents (for `actions/checkout`) and do not perform any write operations via the GitHub API, we can safely set `contents: read` at the workflow level. This will apply to both jobs and documents that the workflow requires only read access.

The best fix with no functional change is to add a root-level `permissions:` block just after the `name:` (or after the `on:` section, but root-level) in `.github/workflows/zsh-n.yml`. For this workflow, a minimal and sufficient block is:

This restricts the `GITHUB_TOKEN` to read-only for repository contents, which still allows `actions/checkout` to function. No other permissions (such as `pull-requests` or `issues`) are needed because the workflow does not interact with those resources. No additional imports or methods are required; it is a pure YAML configuration change.

Concretely, in `.github/workflows/zsh-n.yml`, insert the `permissions` block near the top of the file, without modifying any of the existing jobs or steps. All existing behavior (checking out code, finding `.zsh` files, running `zsh -n` and `zcompile`) will continue to work unchanged.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
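The following is an added example of what a workflow in this shape looks like once a root-level `permissions:` block is in place; it is not the repository's actual `.github/workflows/zsh-n.yml`, which the PR does not show in full. The job names, trigger events, the zsh install step and the exact `find` invocations are assumptions; only the root-level `contents: read` block and the described steps (checkout, locating `.zsh` files, `zsh -n`, `zcompile`) come from the PR.

```yaml
# Added example (not the project's own file). Job names, triggers and the
# install step are assumptions; the permissions block is the PR's change.
name: zsh-n

on:
  push:
  pull_request:

# Root-level permissions apply to every job that does not declare its own.
# Without this block the GITHUB_TOKEN receives the repository/organization
# default, which may be read-write across many scopes. Listing only
# contents: read gives actions/checkout what it needs and sets every other
# scope (pull-requests, issues, packages, ...) to "none".
permissions:
  contents: read

jobs:
  # Assumed job name. Syntax-checks every .zsh file with zsh -n.
  syntax-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # needs only contents: read
      - name: Install zsh           # assumed; zsh is not guaranteed on the runner
        run: sudo apt-get update && sudo apt-get install -y zsh
      - name: Syntax-check all .zsh files
        run: |
          set -e
          find . -name '*.zsh' -print0 | while IFS= read -r -d '' f; do
            zsh -n "$f"
          done

  # Assumed job name. Byte-compiles every .zsh file; zcompile is a zsh
  # builtin, so it is invoked through zsh -c rather than as a command.
  compile-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install zsh
        run: sudo apt-get update && sudo apt-get install -y zsh
      - name: Compile all .zsh files
        run: |
          set -e
          find . -name '*.zsh' -print0 | while IFS= read -r -d '' f; do
            zsh -c 'zcompile "$1"' zsh "$f"
          done
```

A job that later needs more (for example, to comment on a pull request) should declare its own job-level `permissions:` block rather than widening the root one, so the read-only default continues to cover the jobs that only check out code.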