| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.10", "3.11", "3.12", "3.13"] | ||
| node-version: ["24.x"] | ||
| env: | ||
| PLUGIN_API: true | ||
| DJANGO_VITE_DEV_MODE: true | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install uv and set the python version | ||
| uses: astral-sh/setup-uv@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
|
|
||
| - name: Install Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: ${{ matrix.node-version }} | ||
|
|
||
| - name: Install the project | ||
| run: uv sync --locked --dev | ||
|
|
||
| - name: Install frontend packages | ||
| run: npm --prefix coldfront/static install | ||
|
|
||
| - name: Check for lint violations | ||
| run: uv run ruff check | ||
|
|
||
| - name: Check formatting | ||
| run: uv run ruff format --check | ||
|
|
||
| - name: Check frontend with eslint and prettier | ||
| run: npm --prefix coldfront/static run check | ||
|
|
||
| - name: Compile and bundle frontend static assets | ||
| run: npm --prefix coldfront/static run build | ||
|
|
||
| - name: Check bundled frontend static assets have been commited | ||
| run: | | ||
| if [[ `git status --porcelain` ]]; then | ||
| echo "Error: pre-compiled bundled frontend static assets have not been committed" | ||
| git status | ||
| exit 1 | ||
| else | ||
| echo "Bundled frontend static assets check passed." | ||
| fi | ||
|
|
||
| - name: Check licence with reuse | ||
| run: uv run reuse lint | ||
|
|
||
| - name: Run tests | ||
| run: uv run coldfront test | ||
|
|
||
| - name: Check for migrations | ||
| run: uv run coldfront makemigrations --check |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
To fix the problem, explicitly declare minimal permissions for this workflow so that the automatically provided GITHUB_TOKEN cannot perform unnecessary write operations. For a CI workflow that only checks out code and runs build/test/lint commands, contents: read (and optionally packages: read if private packages are ever used) is typically sufficient.
The best fix without changing existing functionality is to add a workflow-level permissions block near the top of .github/workflows/ci.yml. This will apply to all jobs (there is only build right now) that don’t override permissions. No steps in the shown job require write access to the repository or other resources, so we can safely set contents: read. If you know this workflow needs to read GitHub Packages, you could also include packages: read, but based solely on the snippet we will only add contents: read.
Concretely: in .github/workflows/ci.yml, after the name: CI line and before the on: block, insert:
permissions:
  contents: read
No imports or additional methods are required because this is purely a configuration change in the GitHub Actions workflow file.
| @@ -1,5 +1,8 @@ | ||
| name: CI | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| pull_request: |
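Review bot: the added workflow-level `permissions: contents: read` matches what the shown `build` job needs: every step only checks out, installs, lints, builds and tests, none of them pushes, publishes or writes check results, and `actions/checkout` works with read-only contents access. Two things to keep in mind: a job-level `permissions:` block on `build` would override this default, so any future one should stay read-only as well, and if `uv sync` or the npm install ever has to pull from GitHub Packages, `packages: read` is the only extra scope to add, as the autofix text already notes.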
https://github.com/coldfront/coldfront/pull/911/commits