Skip to content

Potential fix for code scanning alert no. 248: Workflow does not contain permissions#242

Merged
projectedanx merged 1 commit into
masterfrom
alert-autofix-248
Jul 6, 2026
Merged

Potential fix for code scanning alert no. 248: Workflow does not contain permissions#242
projectedanx merged 1 commit into
masterfrom
alert-autofix-248

Conversation

@projectedanx

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/projectedanx/YOURLS/security/code-scanning/248

Add an explicit permissions block in .github/workflows/defender-for-devops.yml to enforce least privilege for GITHUB_TOKEN.

Best single fix without changing functionality: define workflow-level permissions right after the on: triggers (or after name), granting only what this workflow needs:

  • contents: read (needed for checkout/read repository content)
  • security-events: write (needed by upload-sarif to publish results to Security tab)

This keeps behavior intact while preventing overly broad inherited token scopes.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Daniel Hart | ALifeInArtifyAI <238904666+projectedanx@users.noreply.github.com>
@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@projectedanx projectedanx marked this pull request as ready for review July 6, 2026 14:32
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@projectedanx projectedanx merged commit d3ccb8a into master Jul 6, 2026
15 of 16 checks passed
@projectedanx projectedanx deleted the alert-autofix-248 branch July 6, 2026 14:33

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 379ded9aaa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +29 to +31
permissions:
contents: read
security-events: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Add actions read for private SARIF uploads

If this workflow runs in a private or internal repository, this explicit permissions block now sets every omitted scope to none, so the later github/codeql-action/upload-sarif@v4 step loses actions: read. GitHub's SARIF upload example marks actions: read as required for private-repository workflows, and the other SARIF-upload workflows in this repo grant it for that reason; without it the upload can fail even though security-events: write is present.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant