Skip to content

Potential fix for code scanning alert no. 6: Workflow does not contain permissions #239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bootjp merged 3 commits into from
Sep 14, 2025
Merged

Potential fix for code scanning alert no. 6: Workflow does not contain permissions #239

bootjp merged 3 commits into from
Sep 14, 2025

Conversation

@bootjp
Copy link
Owner

@bootjp bootjp commented Sep 14, 2025

Potential fix for https://github.com/bootjp/elastickv/security/code-scanning/6

The best fix is to add a permissions block that grants only the minimum set of required permissions for the job. In this case:

  • At a minimum, the job needs contents: read for standard repository access.
  • Since the workflow logs in and pushes an image to the GitHub Container Registry, it also needs packages: write.
  • The permissions block can be added at the workflow root (to apply to all jobs) or per job (beneath jobs.build). Here, both approaches are acceptable; adding it at the root is usually preferable for future clarity and to avoid unintentional privilege escalation in new jobs.
  • No external package dependencies are needed; this is a single addition to the YAML configuration.

Add the following block after the workflow name: and before on::

permissions:
  contents: read
  packages: write

No further code changes are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

bootjp and others added 3 commits September 15, 2025 01:53
@bootjp @github-advanced-security
Potential fix for code scanning alert no. 6: Workflow does not contai…
229274e 
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@bootjp
Merge branch 'main' into alert-autofix-6
f8808d2
@bootjp
Merge branch 'main' into alert-autofix-6
bcdd856
@bootjp bootjp marked this pull request as ready for review September 14, 2025 17:54
@bootjp bootjp merged commit 0025aff into main Sep 14, 2025
7 checks passed
@bootjp bootjp deleted the alert-autofix-6 branch September 14, 2025 17:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bootjp