.github/workflows/createrelease.yml
Outdated
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 2 months ago
To fix this, add an explicit permissions: block near the top level of the workflow file, just after the name: (or right after on:), to restrict the GITHUB_TOKEN permissions. The safest default is permissions: {} (no permissions), but often some minimal permissions are needed, e.g., contents: read for workflows that need read access to the codebase. If jobs require other permissions (such as for uploading releases or working with issues), add only those required permissions. Since this workflow appears to only build, upload artifacts, and (optionally) interact with NuGet feeds (which doesn't use the GITHUB_TOKEN), setting contents: read as the default is safe and minimal. If finer control is needed, set permissions at the job level. The file to update is .github/workflows/createrelease.yml, and the change is at the very top of the file, after the name: line.
| @@ -1,4 +1,6 @@ | ||
| name: Release | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| release: |
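Review bot: the top-level `contents: read` added in this hunk is the right default, but a workflow that runs on `release:` and attaches assets to the GitHub release through GITHUB_TOKEN (for example with `gh release upload` or an upload-release-asset action) will start failing with a 403 once this lands, and the rest of the workflow is not visible here to rule that out. Please confirm no job writes to the release with the token; if one does, grant `permissions: contents: write` on that job only, rather than widening the top-level block, so build and artifact-upload jobs keep the read-only token.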
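The job-level variant the autofix comment mentions ("if finer control is needed, set permissions at the job level"), as an added example and not this PR's own workflow, whose remaining jobs are not shown on this page: the token is read-only by default, and only the job that attaches assets to the GitHub release is granted `contents: write`. The job names, the `dotnet pack` build step, the artifact name and the `types: [published]` trigger filter are assumptions for illustration.

```yaml
name: Release

# Top-level default: every job gets a read-only GITHUB_TOKEN unless it
# explicitly asks for more.
permissions:
  contents: read

on:
  release:
    types: [published]   # assumed filter; adjust to the project's trigger

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: dotnet pack -c Release -o out   # assumed build step
      # Uploading a workflow artifact needs no write permission on the repo.
      - uses: actions/upload-artifact@v4
        with:
          name: packages          # assumed artifact name
          path: out/*.nupkg

  attach-to-release:
    needs: build
    runs-on: ubuntu-latest
    # Only this job may write to the repository, and only to contents,
    # which is what attaching release assets requires.
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: packages
          path: out
      # gh reads the token from GH_TOKEN; the release tag comes from the
      # event that triggered the run.
      - run: gh release upload "${{ github.event.release.tag_name }}" out/*.nupkg
        env:
          GH_TOKEN: ${{ github.token }}
```

The point of splitting the jobs is that a compromised build or test step (a malicious dependency, a tampered action) runs with a token that cannot push, tag or edit releases; only the short upload job holds write access, and even that job cannot touch issues, packages or pull requests.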
closes #307
closes #313
closes #309