🌿 Fern Regeneration -- August 29, 2025 #30
Conversation
![fern-api[bot]](https://avatars.githubusercontent.com/in/244756?s=60&v=4){kind=small}
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
|
|
||
| - name: Set up Node | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Bootstrap | ||
| run: ./scripts/bootstrap | ||
| - name: Set up node | ||
| uses: actions/setup-node@v3 | ||
|
|
||
| - name: Run tests | ||
| run: ./scripts/test | ||
| - name: Compile | ||
| run: yarn && yarn test |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 22 days ago
To fix this problem, you should add a permissions key to the workflow at either the root or job level. Since both jobs (compile and test) do not appear to require elevated permissions (they only perform source checkout, dependency install, build, and test), the minimal contents: read permission is sufficient. The best practice here is to add the permissions block at the top level of the workflow, so it applies to all jobs unless specifically overridden, thus adhering to the principle of least privilege.
To implement:
- Edit
.github/workflows/ci.yml - Add the following block directly below the
name:field and above theon:block to set the minimally required permissions globally:permissions: contents: read
No further code or job modifications are necessary for this fix.
| @@ -1,4 +1,6 @@ | ||
| name: ci | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: [push] | ||
|
|
This PR regenerates code to match the latest API Definition.