Rdkemw 4778: Test #352
Rdkemw 4778: Test #352
Conversation
|
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: echo "Triggered" | ||
|
|
||
| call_auto_pr_workflow: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
To fix the issue, add an explicit permissions block to the workflow. Since the debug_check job only echoes a message, it requires minimal permissions (e.g., contents: read). The call_auto_pr_workflow job involves calling an external workflow and using secrets, which might require additional permissions, such as contents: read and pull-requests: write. These permissions should be set to the least privilege necessary for the tasks.
| @@ -6,15 +6,22 @@ | ||
| branches: | ||
| - test_develop | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| debug_check: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - run: echo "Triggered" | ||
|
|
||
| call_auto_pr_workflow: | ||
| #secrets: | ||
| #RDKCM_RDKE: ${{ secrets.RDKCM_RDKE }} | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| uses: rdkcentral/build_tools_workflows/.github/workflows/auto_pr_creation_meta.yml@RDKEMW-4778 | ||
| secrets: | ||
| RDKCM_RDKE: ${{ secrets.RDKCM_RDKE }} |
| uses: rdkcentral/build_tools_workflows/.github/workflows/auto_pr_creation_meta.yml@RDKEMW-4778 | ||
| secrets: | ||
| RDKCM_RDKE: ${{ secrets.RDKCM_RDKE }} | ||
| #runs-on: ubuntu-latest | ||
| #steps: | ||
| # - name: Print placeholder instead of actual logic | ||
| # run: echo "This is a placeholder for the actual logic." |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
To fix the issue, we should add a permissions block to explicitly limit the permissions of the GITHUB_TOKEN. The permissions should only allow the minimum necessary access, based on the workflow's functionality. For example:
contents: readis typically required for read-only access to the repository’s contents.- Additional permissions (like
pull-requests: write) can be added if the workflow needs to create or update pull requests.
The permissions block can be added at the workflow level (to apply to all jobs) or at the job level (to be specific to individual jobs). In this case, adding the permissions block at the workflow level ensures all jobs in the workflow inherit these minimal permissions.
| @@ -1,5 +1,9 @@ | ||
| name: Auto PR Creation Caller | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [closed] |
No description provided.