.github/workflows/createrelease.yml
Outdated
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 2 months ago
To fix the problem, we need to add a permissions block to limit the GITHUB_TOKEN's scope. This can be done at the root of the workflow (to apply to all jobs), or per job (for fine-grained control). The best approach without functional changes is to insert a top-level permissions: block right after the workflow name: and before the on: key, setting the minimal necessary permissions.
From the workflow, it appears that the jobs mostly use actions such as artifact upload/download and possibly push to package feeds using secrets. By default, actions/upload-artifact and actions/download-artifact do not require special permissions beyond contents: read. None of the jobs appear to require write access to the repository, so setting permissions: contents: read at the root is both safe and least-privilege.
Changes required:
- Insert the following at line 2 (after `name: Release`):

      permissions:
        contents: read
No other modifications are necessary.
| @@ -1,4 +1,6 @@ | ||
| name: Release | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| release: |
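Review bot: before accepting a root-level `contents: read`, confirm that no job in this workflow writes with the default GITHUB_TOKEN; the rationale above itself says the jobs "possibly push to package feeds using secrets", and on a `release:` trigger a step that attaches assets to the release needs `contents: write`, while publishing to GitHub Packages needs `packages: write`. If any job does, keep the root block as added here and give only that job its own `permissions:` block with the wider scope, rather than widening the root; a broken release upload is the first sign that the new default was too tight.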
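The following workflow is an added illustration, not the PR's own file and not code from the autofix, of the layout the rationale above describes: a root-level read-only default, with a single job opting in to the write scopes it actually needs. The job names, the `build.sh` and `publish.sh` scripts, and the `published` release type are assumptions; the real jobs of this repository's `createrelease.yml` are not shown on this page.

```yaml
name: Release

# Root-level default: every job gets a read-only GITHUB_TOKEN unless it
# explicitly asks for more (this is the block the autofix inserts).
permissions:
  contents: read

on:
  release:
    types: [published]   # assumed trigger type

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the root default (contents: read); checking out the
    # repository and uploading a build artifact need nothing more.
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh   # hypothetical build script
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Only this job is granted write access, and only to the two scopes
    # a release-publishing step actually uses.
    permissions:
      contents: write   # attach assets to the GitHub release
      packages: write   # push to GitHub Packages
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - run: ./publish.sh   # hypothetical publish step using GITHUB_TOKEN
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

A job-level `permissions:` block replaces the root block entirely for that job rather than merging with it, so list every scope the job needs there; scopes not mentioned fall back to `none`, which is what makes this layout least-privilege.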
closes #651
closes #652
closes #654