chore: add template sync workflow #2354
Conversation
Sorry, we are unable to review this pull request
The GitHub API does not allow us to fetch diffs exceeding 20000 lines
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Sync Files | ||
| uses: BetaHuhn/repo-file-sync-action@v1 | ||
| with: | ||
| GH_PAT: ${{ secrets.GH_PAT }} | ||
| CONFIG_PATH: .github/sync.yml | ||
| PR_LABELS: sync | ||
| COMMIT_PREFIX: "chore: sync from DockSTARTer" |
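Review bot: the `Sync Files` step references `BetaHuhn/repo-file-sync-action@v1` (and `actions/checkout@v4`) by a movable tag, so the code that receives `secrets.GH_PAT` is whatever the tag points to at run time; pin each action to a full commit SHA with the version in a trailing comment, e.g. `uses: BetaHuhn/repo-file-sync-action@<commit-sha> # v1`, so any change to the action shows up as a diff in this repository. The job also declares no `permissions:` block, so `GITHUB_TOKEN` is issued with the repository default scopes; add a block scoped to what this job actually needs from that token, separately from what the PAT does.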
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 22 days ago
In general, fix this by adding a permissions: block that explicitly restricts the default GITHUB_TOKEN permissions to the minimal scopes needed. This can be done at the workflow root (applies to all jobs without their own permissions) or at the job level. Since there is only one job (sync), adding permissions: under that job is clear and localized.
The BetaHuhn/repo-file-sync-action typically needs to push changes and/or open PRs in target repositories. That requires at least contents: write and pull-requests: write on GITHUB_TOKEN if it uses that token. However, this workflow passes a PAT via GH_PAT, which the action uses for cross-repo operations. The GITHUB_TOKEN is still used implicitly by Actions for some operations (e.g., commenting on PRs in this repo, if configured). To remain safe while preserving functionality, we can grant contents: read globally and only what's obviously needed as write. For a conservative, least-privilege configuration that still supports repo-file-sync's typical workflow of creating commits and PRs, define:

```yaml
permissions:
  contents: write
  pull-requests: write
```

Insert this under jobs: sync: on line 15, just before runs-on. No imports or external definitions are needed—only the YAML change in .github/workflows/sync_templates.yml.
| @@ -12,6 +12,9 @@ | ||
|
|
||
| jobs: | ||
| sync: | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout |
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Sync Files | ||
| uses: BetaHuhn/repo-file-sync-action@v1 |
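Review bot: the suggested `permissions:` block grants `contents: write` and `pull-requests: write` to `GITHUB_TOKEN`, but the explanation above states that the action performs its cross-repo pushes and PR creation with `GH_PAT`, not with `GITHUB_TOKEN`; if that holds, neither write scope is required and the block should start at `permissions: contents: read` (enough for the checkout step), widening only if a run demonstrably fails. Placing the block at the job level also means any job added to this workflow later falls back to the repository default; a root-level `permissions:` covers that case.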
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
Adds a workflow to auto-sync .apps and docs/apps to DockSTARTer-Templates on push.