🌿 Fern Regeneration -- August 29, 2025 #29
Conversation
![fern-api[bot]](https://avatars.githubusercontent.com/in/244756?s=60&v=4){kind=small}
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
|
|
||
| - name: Set up Node | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Bootstrap | ||
| run: ./scripts/bootstrap | ||
| - name: Set up node | ||
| uses: actions/setup-node@v3 | ||
|
|
||
| - name: Run tests | ||
| run: ./scripts/test | ||
| - name: Compile | ||
| run: yarn && yarn test |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 22 days ago
The best way to remediate this issue is to add a permissions block at the top level of the workflow (under the workflow name and before jobs), specifying that the workflow only needs contents: read access. This will restrict the GITHUB_TOKEN in all jobs of the workflow to only have read access to repository contents, which is sufficient for checkout and building/testing code, and follows the principle of least privilege. No additional methods, imports, or definitions are necessary—just the insertion of the permissions block in the workflow YAML.
| @@ -1,5 +1,8 @@ | ||
| name: ci | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: [push] | ||
|
|
||
| jobs: |
This PR regenerates code to match the latest API Definition.