name: semver
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check semver
uses: obi1kenobi/cargo-semver-checks-action@v2

release:
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix
AI 14 days ago
In general, this should be fixed by explicitly specifying a minimal permissions block for any job that currently relies on implicit repository defaults. For the semver job, it only needs to read repository contents to run actions/checkout and perform semver checks, so contents: read is sufficient.
Concretely, in .github/workflows/release.yml, we will add a permissions section under the semver job (around lines 10–12), parallel to how the release job already declares permissions. The block will set contents: read, which is the minimal permission for checking out the repository. No changes to the release job, steps, or any other files are needed, and no new imports or methods are required.
| @@ -9,6 +9,8 @@ | ||
| semver: | ||
| name: semver | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Check semver |
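Review bot: the job-level `permissions:` block with `contents: read` closes the alert for `semver`, but a workflow-level `permissions: contents: read` at the top of release.yml would make read-only the default for every job, so a job added later without its own block cannot silently fall back to the repository default; the `release` job's explicit block would still override it. While touching this file, consider pinning `actions/checkout@v4` and `obi1kenobi/cargo-semver-checks-action@v2` to full commit SHAs instead of mutable major-version tags, since the checked-out token scope is only as safe as the action code that receives it.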
No description provided.
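The CodeQL alert above is the kind of check you can run locally before a workflow reaches CI. The following is an added example, not code from this repository or from CodeQL: a dependency-free line-based scan of a workflow file that reports jobs relying on the implicit GITHUB_TOKEN permissions, honouring a workflow-level `permissions:` default. The sample workflow is constructed to mirror the release.yml excerpt in the alert.

```python
"""Flag GitHub Actions jobs that fall back to the repository's default token permissions."""
import re

# Constructed sample modelled on the release.yml excerpt in the alert (not the repo's file).
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  semver:
    name: semver
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check semver
        uses: obi1kenobi/cargo-semver-checks-action@v2
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
"""

# Matches a plain "key:" line (not a "- item" list entry); group 1 is the indentation.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):")


def jobs_without_permissions(workflow_text: str) -> list[str]:
    """Return ids of jobs that have no permissions block and no workflow-level default."""
    workflow_default = False   # a top-level permissions: key covers every job
    in_jobs = False            # currently inside the top-level jobs: mapping
    job_indent = None          # indentation at which job ids appear
    child_indent = None        # indentation of the current job's direct keys
    current = None
    seen: dict[str, bool] = {}
    for raw in workflow_text.splitlines():
        m = KEY_RE.match(raw.split("#", 1)[0].rstrip())
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                      # top-level key
            workflow_default |= key == "permissions"
            in_jobs, current = key == "jobs", None
            continue
        if not in_jobs:
            continue
        job_indent = indent if job_indent is None else job_indent
        if indent == job_indent:             # a new job id
            current, child_indent = key, None
            seen[key] = False
            continue
        if current is None:
            continue
        child_indent = indent if child_indent is None else child_indent
        if indent == child_indent and key == "permissions":
            seen[current] = True             # explicit job-level scope
    return [] if workflow_default else [job for job, ok in seen.items() if not ok]
```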