autoupdate git action #1523
    name: autoupdate
    runs-on: ubuntu-22.04
    steps:
      - uses: docker://chinthakagodawita/autoupdate-action:v1
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          PR_FILTER: "all"
          PR_READY_STATE: "ready_for_review"
          MERGE_MSG: "Auto-updated branch with latest changes from main"
          RETRY_COUNT: "2"
          RETRY_SLEEP: "60000"
          MERGE_CONFLICT_ACTION: "fail"
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 4 months ago)
In general, the fix is to explicitly declare a permissions block so that the GITHUB_TOKEN has only the scopes required for this job. Since this workflow auto-updates PR branches, it needs to read repository contents and update pull requests (and possibly their branches). A common minimal set is contents: write (to push branch updates) and pull-requests: write (to update PR metadata/status if needed). If you know the action only touches branches and not PR metadata, you could restrict to contents: write, but to avoid breaking existing functionality, we’ll allow both.
The best fix without altering existing behavior is to add a permissions block at the job level for autoupdate. This keeps the change local to this workflow and avoids affecting any other workflows that might exist. Concretely, in .github/workflows/autoupdate.yml, under autoupdate: and aligned with runs-on:, insert:
permissions:
  contents: write
  pull-requests: write

No additional methods, imports, or definitions are needed; this is purely a YAML configuration change.
| @@ -9,6 +9,9 @@ | ||
| autoupdate: | ||
| name: autoupdate | ||
| runs-on: ubuntu-22.04 | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| steps: | ||
| - uses: docker://chinthakagodawita/autoupdate-action:v1 | ||
| env: |
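Review bot: the job-level `permissions:` block is placed at the right scope (under `autoupdate:`, beside `runs-on:` and before `steps:`), but `pull-requests: write` is only justified if the action edits PR metadata; the autofix text itself says it may only touch branches, so confirm that against the action's documentation and drop the scope if it is not needed, leaving `contents: write` alone. Also note that `docker://chinthakagodawita/autoupdate-action:v1` is a mutable tag, so the token granted here is handed to whatever image that tag points at in future; pinning to an immutable reference is worth a follow-up.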
This PR implements autoupdate. Whenever a push to main is made via a merge of a PR, the action runs. It takes the action's auto-generated GitHub token and uses that to access all PRs for the repository. It tries to update all the PRs in the ready-for-review pipeline with the main code. If there are merge conflicts, it will skip those PRs. It tries to update the branch 2 times with 60 seconds between each attempt before moving on to the next PR without updating that branch. Once the PR updates the branch, the automated CI will kick in when the branch is updated and rerun the test suite.
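The CodeQL warning above is about a job inheriting the default `GITHUB_TOKEN` scopes instead of declaring the ones it needs. As an added example (not part of this PR, of the autoupdate action, or of CodeQL's own query), the script below scans workflow text for jobs that neither sit under a top-level `permissions:` key nor declare their own. It uses an indentation-based scan rather than a YAML parser so it runs with the standard library only, which is enough for conventionally formatted workflows. The two embedded workflows are constructed from the snippet in this PR; the `on: push` trigger is assumed from the PR description, and the fixed variant carries the scopes the autofix proposes.

```python
"""Flag GitHub Actions jobs that would run with the default GITHUB_TOKEN scopes.

Constructed example: an indentation-based scan of workflow YAML, not CodeQL's
query and not the autoupdate action's code. A top-level `permissions:` block
covers every job; without one, each job must declare its own.
"""
import re

# Matches a mapping key at the start of a line; list items ("- uses:") do not match.
KEY_RE = re.compile(r"^(?P<indent>\s*)(?P<key>[A-Za-z_][\w-]*)\s*:")


def find_jobs_without_permissions(text):
    """Return ids of jobs with no effective permissions block, in file order."""
    top_level_permissions = False
    in_jobs = False
    job_indent = None       # indent of job ids directly under `jobs:`
    job_key_indent = None   # indent of keys inside the current job (name:, runs-on:, ...)
    current = None
    jobs = {}               # job id -> declares its own permissions block
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue
        indent, key = len(m.group("indent")), m.group("key")
        if indent == 0:
            in_jobs = key == "jobs"
            if key == "permissions":
                top_level_permissions = True
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:
            current = key
            jobs[current] = False
            job_key_indent = None
        elif current is not None:
            if job_key_indent is None:
                job_key_indent = indent
            # Only a `permissions:` key at the job's own level counts; nested
            # occurrences (e.g. inside a step's env) do not scope the token.
            if indent == job_key_indent and key == "permissions":
                jobs[current] = True
    if top_level_permissions:
        return []
    return [job for job, has_perms in jobs.items() if not has_perms]


# Constructed from the workflow in this PR; trigger assumed from the description.
WEAK_WORKFLOW = """\
name: autoupdate
on:
  push:
    branches: [main]
jobs:
  autoupdate:
    name: autoupdate
    runs-on: ubuntu-22.04
    steps:
      - uses: docker://chinthakagodawita/autoupdate-action:v1
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          PR_FILTER: "all"
          PR_READY_STATE: "ready_for_review"
          MERGE_CONFLICT_ACTION: "fail"
"""

# Same workflow with the job-level block the autofix suggests.
FIXED_WORKFLOW = WEAK_WORKFLOW.replace(
    "    runs-on: ubuntu-22.04\n",
    "    runs-on: ubuntu-22.04\n"
    "    permissions:\n"
    "      contents: write\n"
    "      pull-requests: write\n",
)


def audit(text, label):
    """Print the finding for one workflow and return the offending job ids."""
    missing = find_jobs_without_permissions(text)
    if missing:
        print(f"{label}: jobs inheriting default GITHUB_TOKEN scopes: {missing}")
    else:
        print(f"{label}: every job has an explicit permissions block")
    return missing


if __name__ == "__main__":
    audit(WEAK_WORKFLOW, "weak")
    audit(FIXED_WORKFLOW, "fixed")
```

Running it on a real checkout means reading each file under `.github/workflows/` and passing its contents to `find_jobs_without_permissions`; a non-empty result is the same condition CodeQL reports here.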