.github/workflows/createrelease.yml
Outdated
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 months ago
To fix this vulnerability, you should add the permissions key at the root of your workflow (.github/workflows/createrelease.yml). This will apply the permissions to all jobs unless overwritten at job level. You should explicitly define only the subset of permissions required for the job steps. Most jobs in this workflow only require read access to repository contents for fetching code, and potentially upload/download-artifact permissions; they do not need broad write access. The minimal safe configuration is:
permissions:
  contents: read

If specific jobs require more (for example, writing to pull requests, etc.), you can override or add those permissions at the job level. For artifact upload/download, only contents: read and the default artifact permission (which is always permitted) are needed. Add the following block after the workflow name and before on: at the top of the file.
| @@ -1,4 +1,6 @@ | ||
| name: Release | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| release: |
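Review bot: a root-level `contents: read` also applies to whichever job creates the release or uploads its assets, and that step needs `contents: write` on the GITHUB_TOKEN; since this workflow is named `Release` and triggers on `release:`, confirm that the publishing job carries a job-level `permissions:` override before merging, otherwise its upload step will fail with a 403. Also check in the raw file that `contents: read` is indented under `permissions:`; the rendered diff shows both at column 0, and an unindented `contents:` would be parsed as a separate, invalid top-level key.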
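The root-level default with a job-level override that the suggestion describes, written out as an added example (not this PR's actual workflow); the job names, the build script and the `gh release upload` step are assumptions:

```yaml
# Added example, not the PR's workflow: least-privilege GITHUB_TOKEN for a
# release workflow. Root-level permissions apply to every job unless a job
# overrides them, so only the job that publishes gets contents: write.
name: Release

# Workflow-level default: read-only token for every job.
permissions:
  contents: read

on:
  release:
    types: [published]

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the read-only token; checkout and artifact upload work with it.
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh            # hypothetical build script
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Job-level override: this is the only job that writes to the repository
    # (attaching assets to the release), so only it is granted contents: write.
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # On a release event GITHUB_REF_NAME is the release tag.
      - run: gh release upload "$GITHUB_REF_NAME" dist/*
        env:
          GH_TOKEN: ${{ github.token }}
```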
closes #1018
closes #1021
closes #1026