🌿 Fern Regeneration -- August 31, 2025 #35
Conversation
![fern-api[bot]](https://avatars.githubusercontent.com/in/244756?s=60&v=4){kind=small}
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
.github/workflows/ci.yml
Outdated
| runs-on: ubuntu-latest | ||
|
|
||
| - name: Set up Node | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Bootstrap | ||
| run: ./scripts/bootstrap | ||
| - name: Set up node | ||
| uses: actions/setup-node@v3 | ||
|
|
||
| - name: Run tests | ||
| run: ./scripts/test | ||
| - name: Compile | ||
| run: yarn && yarn test |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 20 days ago
To resolve the issue, the .github/workflows/ci.yml workflow should explicitly define a permissions block at the root of the workflow (above jobs:). This block should specify the minimum required permissions for all jobs. Given the jobs in this workflow only check out code and run Node setup and build/test commands (i.e., they do not interact with issues, pull requests, deployments, or other resources), the minimal permission required is contents: read. This will restrict the GITHUB_TOKEN to only be able to read repository contents, and will not allow write or administrative operations. No additional imports or setup is needed; just add the permissions: block to the top-level workflow YAML structure, immediately after the workflow name and before jobs:.
| @@ -2,6 +2,9 @@ | ||
|
|
||
| on: [push] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| compile: | ||
| runs-on: ubuntu-latest |
This PR regenerates code to match the latest API Definition.