.github/workflows/tests.yaml
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 6 months ago
The best way to fix this problem is to add an explicit permissions block to the workflow file. Since none of the jobs in the provided YAML require elevated or write permissions for the GITHUB_TOKEN (all actions are reading code or reporting coverage via a script), the minimal permission set can be contents: read. This should be placed at the top level of the workflow to apply to all jobs, unless any job requires elevated permissions (which, in the shown snippet, none does). You would add the block just after the workflow name (e.g., after line 1 or 2), before specifying the on field.
| @@ -1,4 +1,6 @@ | ||
| name: Tests | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: [ push, pull_request ] | ||
|
|
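Review bot: at the top-level `permissions:` block added after `name: Tests`, listing only `contents: read` leaves every other scope at none for all jobs in this file. The autofix text mentions a script that reports coverage; confirm it does not use GITHUB_TOKEN to post a comment or status, and if it does, grant that scope with a job-level `permissions:` on that one job rather than widening this block.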
2c8482d to 5ef3b26
| @@ -16,29 +16,18 @@ jobs: | |||
| - name: Check Spell | |||
| uses: crate-ci/typos@v1.13.14 | |||
|
|
|||
| staticcheck: | |||
| runs-on: [ self-hosted, X64 ] | |||
| # 用一个新的、更强大的 linter 作业替换 staticcheck | |||
| linter: | |||
| runs-on: [ self-hosted, X64, Linux ] | |||
| steps: | |||
| - uses: actions/checkout@v3 | |||
| - name: Set up Go | |||
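Review bot: at `runs-on: [ self-hosted, X64, Linux ]`, the `linter` job checks out code on a self-hosted runner, and both triggers shown in this PR include `pull_request`. Confirm the runner is ephemeral or that runs from outside contributors require approval, since state left on a persistent runner carries over to later jobs. Separately, the comment added above `linter:` records the change (replacing staticcheck) rather than what the job checks; that belongs in the commit message.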
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 6 months ago
To fix the problem, you should add a permissions block to the workflow to restrict the GITHUB_TOKEN permissions used by default. The block can be added at the root of the workflow (recommended for this case), which applies to all jobs unless overridden. The minimal starting point suggested by CodeQL is contents: read, which is appropriate because the jobs only need to check out code and run analysis—they do not need to write to the repository or interact with issues/pull requests. Specifically, insert the following block after the name and before on:
permissions:
  contents: read
No further code or dependency changes are required.
| @@ -1,4 +1,6 @@ | ||
| name: Pull Request Check | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: [ pull_request ] | ||
|
|
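Review bot: the `permissions:` block added above `on: [ pull_request ]` has no comment saying why it is read-only. A one-line comment that the jobs only check out and analyse code would steer a later step that needs a write scope toward a job-level `permissions:` override instead of a wider top-level block.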
5ef3b26 to 8fc4770
.github/workflows/pre_check.yaml
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 6 months ago
To fix the detected issue, add an explicit permissions block scoped as tightly as necessary. The best place is at the root level of the workflow file (i.e., directly under the name and before on or jobs). This default will apply to all jobs in the workflow unless overridden. Since all jobs in this workflow are performing read-only checks, the minimal required permission is contents: read.
Steps:
- Insert a permissions: block with the appropriate permissions.
- Place it directly after the name: declaration and before on:.
- No further changes to workflow steps or jobs are necessary.
| @@ -1,4 +1,6 @@ | ||
| name: Pull Request Check | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: [ pull_request ] | ||
|
|
1c441b7 to b92494b
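A minimal check in the spirit of the alert discussed in the comments above, as an added example (not code from this PR, CodeQL or Copilot): it lists the jobs that have neither a job-level nor a top-level `permissions:` block. The function name, the `coverage` job and the sample workflow text are constructed for illustration.

```python
import re

# Block-style mapping key: indentation then `name:` (list items, comments do not match).
KEY = re.compile(r"^( *)([A-Za-z_][\w-]*):")

def jobs_without_permissions(workflow_text):
    """Return jobs with neither a job-level nor a top-level `permissions:` key.
    Line-based scan of block-style YAML only (an assumption of this sketch)."""
    top_level = in_jobs = False
    job_indent = key_indent = current = None
    own_block = {}  # job name -> True if the job declares its own permissions
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            in_jobs = key == "jobs"
            top_level = top_level or key == "permissions"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:      # a new job name under `jobs:`
                current, key_indent = key, None
                own_block[key] = False
            elif current is not None:
                if key_indent is None:
                    key_indent = indent   # first key directly under the job
                if indent == key_indent and key == "permissions":
                    own_block[current] = True
    return [] if top_level else [job for job, own in own_block.items() if not own]

# Constructed sample: `linter` follows the page, `coverage` is invented.
# AFTER applies the change suggested in the thread (top-level block after `name:`).
BEFORE = """\
name: Tests
on: [ push, pull_request ]
jobs:
  linter:
    runs-on: [ self-hosted, X64, Linux ]
    steps:
      - uses: actions/checkout@v3
  coverage:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
"""
AFTER = BEFORE.replace("name: Tests\n", "name: Tests\npermissions:\n  contents: read\n")
```

On `BEFORE` only `linter` is reported, because `coverage` already restricts its own token; on `AFTER` nothing is reported.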
perf: change to dirt make fix: remove empty slice chore: use syscall in x/sys/unix ci: change golint
b92494b to 9b89d31
What type of PR is this?
perf: change to dirt make
fix: remove empty slice
chore: use syscall in x/sys/unix
ci: change golint