| mojo: | ||
| name: Mojo Build and Test | ||
| needs: setup | ||
| uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main | ||
| with: | ||
| module-repo: ${{ github.repository }} | ||
| module-branch: ${{ needs.setup.outputs.branch }} | ||
| plugin-repo: 'newfold-labs/wp-plugin-mojo' |
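Review bot: the `uses:` line of the `mojo` job references the reusable workflow at `@main`, a moving branch, so the job runs whatever is on that branch at the time of the run. Pinning `module-plugin-test.yml` to a full commit SHA or a release tag would make runs reproducible and keep a change in the `workflows` repository from taking effect here unreviewed.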
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To fix this problem, you should explicitly set the permissions key in your workflow YAML to restrict the permissions of the GITHUB_TOKEN. The safest and easiest way is to set the permissions key at the top level of the workflow file, just after the workflow name and before on:. This will apply the specified permissions to all jobs unless overridden by individual permissions keys under specific jobs. If all jobs (including setup) only require read-only access to repo contents and do not need to write or modify anything, you should use contents: read as the minimal permission. If future jobs require additional permissions, you can add those specifically. For now, set:
permissions:
  contents: read

at the top of the workflow file to minimize risk.
| @@ -1,4 +1,6 @@ | ||
| name: Build and Test Module Updates in Brand Plugins | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
| types: [ opened, reopened, ready_for_review, synchronize ] |
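Review bot: the top-level `permissions:` block added between `name:` and `on:` also caps the token for the jobs that call a reusable workflow with `uses:`, since a called workflow can only keep or reduce the permissions its caller grants. Before merging, confirm that `module-plugin-test.yml` needs nothing beyond `contents: read`; if it does, grant the extra scope with a job-level `permissions:` key on that job rather than widening the top-level default.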
Since we're migrating to playwright tests, this can be closed. Once other plugins are updated to support playwright we can add them to that workflow. See #429
Proposed changes
These were skipped as part of the BH plugin re-design. WIP PR to get these working again.
Type of Change
Production
Development
Visual