Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO. Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
| uses: kubestellar/infra/.github/workflows/reusable-scorecard.yml@main | ||
| secrets: inherit |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 months ago
In general, to fix this issue, the workflow or its jobs must declare a permissions: block that limits the GITHUB_TOKEN to the minimum capabilities required. This can be done at the top (workflow) level so it applies to all jobs that don’t override it, or per job.
For this specific file, the best fix with minimal functional change is to add a workflow-level permissions: block just below the on: section. OpenSSF Scorecard typically needs read access to repository contents and security-related metadata; the conservative and commonly recommended baseline is:
```yaml
permissions:
  contents: read
```

This grants only read access to repository contents and leaves everything else at none. If the called reusable workflow needs more (for example, security-events: write to upload SARIF to code scanning), that would be configured there; here we just ensure we are not implicitly giving broad write permissions.

Concretely:

- Edit .github/workflows/scorecard.yml.
- After the on: block (after line 9 in the provided snippet), insert:

  ```yaml
  permissions:
    contents: read
  ```

- Leave the jobs.analysis.uses and secrets: inherit lines unchanged.
No new imports or additional methods are needed because this is purely a YAML configuration change.
| @@ -8,6 +8,9 @@ | ||
| branches: [ "main" ] | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| analysis: | ||
| uses: kubestellar/infra/.github/workflows/reusable-scorecard.yml@main |
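Review bot: a caller-level `permissions: contents: read` is a ceiling for the called workflow, not a floor, so the `uses: kubestellar/infra/.github/workflows/reusable-scorecard.yml@main` job will fail at runtime if reusable-scorecard.yml needs any scope beyond `contents: read` (the GITHUB_TOKEN scopes handed to a reusable workflow can only be reduced by it, never raised). Before merging, check what that workflow actually requires, for example `security-events: write` if it uploads SARIF or `id-token: write` if it uses OIDC, and declare those scopes here rather than assuming the callee can add them. Separately, `@main` is a mutable ref; pinning the reusable workflow to a commit SHA would make what runs under this token reproducible.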
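To make the check behind the CodeQL alert above concrete, here is an added example (not code from the KubeStellar projects, CodeQL or the Copilot autofix): a small Python linter that reports a workflow as non-compliant when it has neither a workflow-level `permissions:` key nor one on every job, and additionally flags `write-all`. It scans block-style YAML by indentation instead of using a YAML library, so it assumes conventional workflow files (unquoted keys, two-space style indentation); the workflow texts embedded in it are constructed for this example, the first two modelled on the scorecard.yml snippet in this PR before and after the suggested fix.

```python
import re

# "key:" or "key: value" at any indentation. Quoted keys and "- item" lines
# deliberately do not match; they are never the keys this check cares about.
KEY_RE = re.compile(r'^([A-Za-z_][\w-]*):(?:\s+(.*))?$')


def _indent(line):
    return len(line) - len(line.lstrip(' '))


def _parse_key(line):
    m = KEY_RE.match(line.strip())
    return (m.group(1), (m.group(2) or '').strip()) if m else (None, '')


def check_workflow_permissions(text):
    """Return a list of findings for one workflow file.

    An empty list means the GITHUB_TOKEN scope is explicitly declared, either
    once at workflow level or separately on every job under jobs:.
    """
    top_value = None      # value of the top-level permissions key, if present
    jobs = {}             # job id -> its own permissions value (None = absent)
    in_jobs = False
    job_indent = child_indent = None
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        ind = _indent(raw)
        key, value = _parse_key(raw)
        if ind == 0:                          # a new top-level key
            in_jobs = key == 'jobs'
            if key == 'permissions':
                top_value = value or 'mapping'   # "permissions:" followed by a block
            current = job_indent = child_indent = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind                  # first key under jobs: fixes job indent
        if ind == job_indent and key and value == '':
            current, child_indent = key, None   # start of a job block
            jobs[current] = None
        elif current is not None and ind > job_indent:
            if child_indent is None:
                child_indent = ind            # direct children of the job
            if ind == child_indent and key == 'permissions':
                jobs[current] = value or 'mapping'

    findings = []
    if top_value is None:
        missing = [job for job, v in jobs.items() if v is None]
        if missing:
            findings.append('no workflow-level permissions; jobs without their own: '
                            + ', '.join(missing))
    for scope, v in [('workflow', top_value)] + list(jobs.items()):
        if v == 'write-all':
            findings.append(f'{scope} declares permissions: write-all (every scope writable)')
    return findings


# Constructed samples (not files from the kubestellar repos).
BEFORE = """\
name: Scorecard
on:
  push:
    branches: [ "main" ]
  workflow_dispatch:

jobs:
  analysis:
    uses: kubestellar/infra/.github/workflows/reusable-scorecard.yml@main
    secrets: inherit
"""
AFTER = BEFORE.replace("\njobs:", "\npermissions:\n  contents: read\n\njobs:")
PER_JOB = """\
name: CI
on: [push]
jobs:
  build:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - run: make
  release:
    runs-on: ubuntu-latest
    steps:
      - run: make publish
"""
WRITE_ALL = """\
name: Broad
on: [push]
permissions: write-all
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh
"""

if __name__ == '__main__':
    for name, doc in [('before', BEFORE), ('after', AFTER),
                      ('per-job', PER_JOB), ('write-all', WRITE_ALL)]:
        print(f'{name}: {check_workflow_permissions(doc) or "OK"}')
```

Run against a checkout, the same function can be applied to every file under .github/workflows/ to find callers that still rely on the repository's default token scope. Note that per-job `permissions:` only satisfies the check when every job has one; a single job without it inherits the default, which is exactly what the autofix is closing off at workflow level.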
🎉 Thank you for your contribution! Your PR has been successfully merged.

🌟 Help KubeStellar Grow - We Need Adopters!

Our roadmap is driven entirely by adopter feedback - nothing else. Whether you're using KubeStellar yourself or know organizations that could benefit from multi-cluster Kubernetes, we need your help:

- 📋 Take our Multi-Cluster Survey - Share your use cases and help shape our direction!
- 🗣️ Spread the word - Tell colleagues, write blog posts, present at meetups
- 💬 Share feedback on Slack #kubestellar-dev

Every adopter story helps us prioritize what matters most. Thank you for being part of the KubeStellar community!
This PR syncs the caller workflows from kubestellar/.github. These workflows call reusable workflows from kubestellar/infra:

- add-help-wanted.yml
- assignment-helper.yml
- feedback.yml
- greetings.yml
- label-helper.yml
- pr-verifier.yml
- pr-verify-title.yml
- scorecard.yml

🤖 Auto-generated by workflow sync