
Potential fix for code scanning alert no. 8: Workflow does not contain permissions#12

Merged
majorsilence merged 1 commit into
mainfrom
alert-autofix-8
Mar 19, 2026

Conversation

@majorsilence (Member)

Potential fix for https://github.com/TownSuite/TownSuite.Prometheus.FileSdConfigs/security/code-scanning/8

In general, the fix is to add an explicit permissions block to the workflow (at the root or per job) that grants only the scopes required. For this workflow, the dorny/test-reporter@v2 action reads test result artifacts and creates a check run on the commit; that requires read access to contents and write access to checks (not contents), and potentially read access to actions to download artifacts. We should therefore restrict the token to read for contents and actions, and write only for checks.

The single best fix without changing existing functionality is to add a top-level permissions block (applies to all jobs) just under the workflow name: and on: section. This keeps behavior the same (the action can still create the check run) while reducing unnecessary privileges and clearly documenting the required scopes. No imports or additional files are needed; we only edit .github/workflows/test-report.yml, adding the YAML permissions mapping near the top.

Concretely:

  • In .github/workflows/test-report.yml, insert:
permissions:
  contents: read
  actions: read
  checks: write

between the on: block and the jobs: block. No other lines need to change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
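The change described above, shown in a complete workflow file as an added example (this is not the repository's actual test-report.yml; the workflow name, the `workflow_run` trigger, the artifact name, the result path and the `dotnet-trx` reporter are assumptions, and only the `permissions` block is taken from the PR):

```yaml
# Added example, not the project's own workflow. Names marked "assumed" are
# placeholders; only the permissions block reflects the PR's change.
name: Test Report

on:
  workflow_run:
    workflows: ["CI"]        # assumed: the workflow that uploads test result artifacts
    types: [completed]

# Top-level block, so it applies to every job in this file. Every scope that is
# not listed here becomes "none"; a job that later needs another scope (for
# example pull-requests: write) must declare its own job-level permissions block.
permissions:
  contents: read   # read the commit the check run is attached to
  actions: read    # download artifacts from the triggering workflow_run
  checks: write    # create the check run that carries the test results

jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: dorny/test-reporter@v2
        with:
          artifact: test-results   # assumed: artifact name uploaded by the CI run
          name: Unit Tests
          path: '**/*.trx'         # assumed: glob for the uploaded result files
          reporter: dotnet-trx     # assumed: result format
```

Two points worth checking before merging a block like this: the action is given the default `GITHUB_TOKEN`, so the scopes above are the only ones it can use, and a top-level block silently reduces every unlisted scope to `none`, which is why a workflow with several jobs is best reviewed job by job before the block is added at the root.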

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@majorsilence majorsilence marked this pull request as ready for review March 19, 2026 12:14
Copilot AI review requested due to automatic review settings March 19, 2026 12:14
@majorsilence majorsilence merged commit 736789d into main Mar 19, 2026
5 of 8 checks passed

Copilot AI left a comment


Pull request overview

Adds explicit GitHub Actions token permissions to the test-report workflow to address code scanning alert #8 and ensure the workflow follows least-privilege defaults while preserving current behavior (creating a check run from published test artifacts).

Changes:

  • Adds a top-level permissions block to restrict the workflow token scopes.
  • Grants contents: read, actions: read, and checks: write to support dorny/test-reporter@v2 creating check runs from artifacts.


@majorsilence majorsilence deleted the alert-autofix-8 branch March 19, 2026 12:21
