Skip to content

Potential fix for code scanning alert no. 247: Workflow does not contain permissions#243

Merged
projectedanx merged 2 commits into
masterfrom
alert-autofix-247
Jul 6, 2026
Merged

Potential fix for code scanning alert no. 247: Workflow does not contain permissions#243
projectedanx merged 2 commits into
masterfrom
alert-autofix-247

Conversation

@projectedanx

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/projectedanx/YOURLS/security/code-scanning/247

Add explicit permissions blocks so the workflow no longer depends on repository defaults, while preserving behavior.

Best fix in this file:

  1. Add a root-level permissions with minimal read access (contents: read) for general jobs.
  2. Add a job-level permissions override for resonance-report to grant only what it needs to create a commit comment (contents: write).

Edits are only needed in .github/workflows/PTR.yml:

  • Insert workflow-level permissions after the on: block (before jobs:).
  • Insert job-level permissions inside resonance-report job.

No imports, methods, or external definitions are needed for YAML workflow changes.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Daniel Hart | ALifeInArtifyAI <238904666+projectedanx@users.noreply.github.com>
@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@projectedanx projectedanx marked this pull request as ready for review July 6, 2026 14:34
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 19401a0914

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/PTR.yml
runs-on: ubuntu-24.04
if: always()
permissions:
contents: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Avoid granting write access for commit comments

The only GitHub API call in this job is github.rest.repos.createCommitComment, and GitHub's REST docs for “Create a commit comment” list the required fine-grained permission as "Contents" repository permissions (read). Granting contents: write gives every action/script in this scheduled/manual reporter job a repository-write token if an action is compromised or the script is later expanded, so keep this at contents: read or omit the job override to preserve least privilege.

Useful? React with 👍 / 👎.

@projectedanx projectedanx merged commit 70ac36a into master Jul 6, 2026
21 of 22 checks passed
@projectedanx projectedanx deleted the alert-autofix-247 branch July 6, 2026 14:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant