.github/workflows/createrelease.yml
Outdated
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 months ago
General fix:
Explicitly set the permissions key either at the workflow root (affecting all jobs that do not have their own permissions block) or for each job individually. Set the minimal permissions required for the job(s). If unsure of minimal permissions, use contents: read as a securing default, then escalate only as required for specific steps (e.g., pull-requests: write if modifying PRs).
Best specific fix:
Because the flag was highlighted at the deployproduction job (starting at line 111), and to avoid potential impacts on job inheritance, it makes sense to add a permissions: {} block to the deployproduction job, explicitly limiting the token permissions to none unless further privileges are required by steps in this job.
Implementation steps:
- Add permissions: {} as the first property under the deployproduction: job definition (just after line 111).
- No new methods, imports, or variable definitions are required; this is a YAML structure-only change.
| @@ -109,6 +109,7 @@ | ||
|
|
||
| deployproduction: | ||
| runs-on: [productionserver, windows] | ||
| permissions: {} | ||
| needs: [build, deploystaging] | ||
| environment: production | ||
| name: "Deploy to Production" |
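Review bot: `permissions: {}` on the deployproduction job removes every GITHUB_TOKEN scope, including contents: read, so the job's steps (not visible in this hunk) need checking before this is merged: if any of them checks out the repository on a private repo, or pulls the output of the `build` job that `needs: [build, deploystaging]` depends on through a token-backed action, the job will fail and needs an explicit minimal block such as `contents: read` rather than an empty one. Note also that the alert title is "Workflow does not contain permissions", and this hunk only restricts one job; `build` and `deploystaging` still run with the default token, so a root-level `permissions:` block with `contents: read` (as the general fix above suggests) would address the whole workflow, with deployproduction keeping its own override.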
closes #1466
closes #1462
closes #1423
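To make the root-versus-job inheritance described in the autofix comment concrete, here is an added example workflow; it is constructed for illustration and is not the repository's own createrelease.yml (the job names, tag trigger and build steps are assumptions).

```yaml
# Constructed example, not the project's createrelease.yml.
name: Create release

on:
  push:
    tags: ["v*"]

# Workflow-level default: every job WITHOUT its own permissions block
# receives a GITHUB_TOKEN that can only read repository contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No permissions block here, so this job inherits contents: read.
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh   # placeholder build command

  release:
    runs-on: ubuntu-latest
    needs: build
    # A job-level block REPLACES the root block; it does not merge with it.
    # Creating a release needs contents: write, so that is all this job gets.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}

  deployproduction:
    runs-on: [productionserver, windows]
    needs: [build, release]
    environment: production
    # Empty block: the token has no API scopes at all. Keep this only when
    # no step checks out a private repo or calls the GitHub API with the token.
    permissions: {}
    steps:
      - run: echo "deploying build output already present on the runner"
```

The `release` job shows why a per-job override is sometimes the right choice: a single root-level `contents: write` would grant that scope to `build` and `deployproduction` as well.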