Signed-off-by: Ivan P <2119240+i5okie@users.noreply.github.com>
    name: Validate Chart Index
    runs-on: ubuntu-latest
    if: github.repository_owner == 'bcgov'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: gh-pages
      - name: Download remote index file and check equality
        run: |
          curl -vsSL https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/index.yaml > index.yaml.remote
          LOCAL="$(md5sum < index.yaml)"
          REMOTE="$(md5sum < index.yaml.remote)"
          echo "$LOCAL" = "$REMOTE"
          test "$LOCAL" = "$REMOTE"

  chart-release:
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, add a permissions block to the workflow or to each job, specifying the minimal required permissions. Since the validate-chart-index job only checks out code and downloads files, it only needs contents: read. The chart-release job may require contents: write if it pushes changes or creates releases, but as a minimal starting point, we can set contents: read and escalate only if necessary. The best practice is to add the permissions block at the workflow root so it applies to all jobs, unless a job needs different permissions. This change should be made at the top level of .github/workflows/chart_release.yaml, after the name field and before on:.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: Helm Chart Release | ||
|
|
||
| on: |
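Review bot: the hunk places `permissions:` above `name: Helm Chart Release`, while the explanation says the block goes after the `name` field and before `on:`; both positions are valid at the top level, but the patch and its description should agree. More importantly, a workflow-wide `contents: read` with no job-level override will break `chart-release`: its `Release workload charts` step hands `secrets.GITHUB_TOKEN` to the chart releaser as `CR_TOKEN`, and creating releases needs write access to contents. Keep the root block as the default and add `permissions: contents: write` on the `chart-release` job only, leaving `validate-chart-index` read-only.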
    name: Create and Publish Chart Release
    runs-on: ubuntu-latest
    if: github.repository_owner == 'bcgov'
    needs: [ validate-chart-index ]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
      - name: Install Helm
        uses: azure/setup-helm@v4
      - name: Release workload charts
        uses: ./.github/actions/chart_releaser
        with:
          config: .github/cr.yaml
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, you should add a permissions block to the workflow, specifying the minimal required permissions for the jobs. Since the workflow contains two jobs (validate-chart-index and chart-release), and the main concern is the use of the GITHUB_TOKEN (especially in the chart-release job), you should set contents: read at the workflow level as a minimal starting point. If the jobs require additional permissions (such as contents: write or packages: write), you can add those as needed, but the minimal fix is to add permissions: contents: read at the top level of the workflow. This change should be made near the top of the file, after the name and before the on block.
| @@ -1,5 +1,8 @@ | ||
| name: Helm Chart Release | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| tags: |
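Review bot: `contents: read` at the workflow root is the right default, but on its own it is not a complete fix for this workflow. The `chart-release` job passes `secrets.GITHUB_TOKEN` to the chart releaser as `CR_TOKEN`, so with a read-only token the release step will fail with a permission error the first time a tag is pushed. Pair this hunk with a job-level `permissions: contents: write` on `chart-release`, and leave `validate-chart-index` inheriting the read-only default; escalating the root block instead would give the validation job write access it never uses.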
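The layout both autofix comments describe in words, written out here as an added example rather than either suggestion's own patch: a read-only token as the workflow default, with the single publishing job escalated to `contents: write`. The job-level block and the `'*'` tag filter are assumptions (the real tag pattern is cut off on this page), and `curl -f` replaces `-v` so that an HTTP error page is not silently compared as if it were the index; everything else is taken from the job snippets above.

```yaml
name: Helm Chart Release

# Workflow-level default: every job receives a read-only GITHUB_TOKEN
# unless it declares its own permissions block.
permissions:
  contents: read

on:
  push:
    tags:
      - '*'   # assumed pattern; the real filter is not visible on this page

jobs:
  validate-chart-index:
    name: Validate Chart Index
    runs-on: ubuntu-latest
    if: github.repository_owner == 'bcgov'
    # No permissions block: inherits contents: read, which is all that
    # checkout and an anonymous curl need.
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: gh-pages
      - name: Download remote index file and check equality
        run: |
          # -f makes curl exit non-zero on HTTP errors instead of saving the error body.
          curl -fsSL "https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/index.yaml" > index.yaml.remote
          LOCAL="$(md5sum < index.yaml)"
          REMOTE="$(md5sum < index.yaml.remote)"
          echo "$LOCAL" = "$REMOTE"
          test "$LOCAL" = "$REMOTE"

  chart-release:
    name: Create and Publish Chart Release
    runs-on: ubuntu-latest
    if: github.repository_owner == 'bcgov'
    needs: [ validate-chart-index ]
    # Job-level override (assumed requirement): the chart releaser creates
    # GitHub releases with CR_TOKEN, which needs write access to contents.
    # Only this job gets it; the validation job stays read-only.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
      - name: Install Helm
        uses: azure/setup-helm@v4
      - name: Release workload charts
        uses: ./.github/actions/chart_releaser
        with:
          config: .github/cr.yaml
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
```

A job-level `permissions` block replaces the workflow-level one entirely for that job rather than merging with it, so any other scope `chart-release` turned out to need (for example `packages: write`, which the second autofix mentions) would have to be listed alongside `contents: write` in the same block.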
Signed-off-by: Ivan P <2119240+i5okie@users.noreply.github.com>