Create vulnerable.yml #3
| name: Build and test | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v2 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
|
|
||
| - uses: actions/setup-node@v1 | ||
| - run: | | ||
| npm install | ||
| npm build | ||
| - uses: completely/fakeaction@v2 | ||
| with: | ||
| arg1: ${{ secrets.supersecret }} | ||
|
|
||
| - uses: fakerepo/comment-on-pr@v1 | ||
| with: | ||
| message: | | ||
| Thank you! |
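Review bot: the `actions/checkout@v2` step checks out `${{ github.event.pull_request.head.sha }}`, the pull request's own head commit, and the `npm install` that follows executes whatever install-time scripts that commit declares while `${{ secrets.supersecret }}` is in scope for the same job; together with the `on: pull_request_target` trigger visible in the autofix diff below, that is the combination the Critical alert is about. Build and test of PR code belongs under a plain `pull_request` trigger (read-only token, no secrets), and the privileged job should never check out `head.sha`. Two smaller points: `npm build` does not run the package's build script (the subcommand was removed in npm 7), so `npm run build` is presumably intended; and `actions/checkout@v2`, `actions/setup-node@v1`, `completely/fakeaction@v2` and `fakerepo/comment-on-pr@v1` are all pinned to movable tags rather than commit SHAs.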
Check warning, Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 7 months ago)
To resolve the issue, we will add a permissions block at the root of the workflow, applying it to all jobs unless overridden. In this case, we will set the contents permission to read (allowing the workflow to read repository contents) and the pull-requests permission to write (required for commenting on pull requests). This ensures the workflow has the least privilege necessary to perform its tasks. We will add the permissions block after the on key to apply it globally.
| @@ -1,3 +1,6 @@ | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| on: pull_request_target | ||
|
|
||
| jobs: |
| - run: | | ||
| npm install | ||
| npm build | ||
| - uses: completely/fakeaction@v2 |
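Review bot: the `@@ -1,3 +1,6 @@` hunk only inserts `permissions:` with `contents: read` and `pull-requests: write` above `on: pull_request_target`, which closes the Medium "Workflow does not contain permissions" warning but leaves the Critical finding exactly where it was: the job still checks out the PR head under `pull_request_target` and runs `npm install` with the secret in scope. The explanation's least-privilege claim does not hold either, because the new `pull-requests: write` grant is now held by the same job that executes PR-controlled code. The change that actually addresses the failure is structural (untrusted build under `pull_request`, commenting from a job that never checks out PR code), with `pull-requests: write` scoped to that one job rather than set at the workflow root. The `- run: |` / `npm build` context lines are untouched by this hunk and `npm build` still needs to become `npm run build`.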
Check failure, Code scanning / CodeQL: Checkout of untrusted code in a privileged context (Critical)
No description provided.
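As an added example (not the file in this PR and not the Copilot suggestion), here is one way to restructure the workflow so that the Critical finding no longer applies: the build of untrusted PR code runs under `pull_request` with a read-only token and no secrets, and the commenting step runs under `pull_request_target` in a job that never checks out the PR head. The action names `completely/fakeaction` and `fakerepo/comment-on-pr` and the secret `supersecret` are the page's own placeholders; the two-job split and the use of `persist-credentials: false` and `npm ci --ignore-scripts` are my assumptions about what the workflow is meant to do.

```yaml
# Added example: a restructured version of vulnerable.yml, not the PR's file.
name: Build and test

on:
  pull_request:         # untrusted event: read-only GITHUB_TOKEN, no repository secrets
  pull_request_target:  # privileged event: secrets available, so PR code is never checked out here

permissions:
  contents: read        # workflow-wide default; anything beyond read is granted per job below

jobs:
  build:
    # Runs only for the unprivileged event. The PR head is checked out, but this job
    # has no access to secrets and its token cannot write to the repository.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          persist-credentials: false   # keep the token out of .git/config for anything npm runs
      - uses: actions/setup-node@v1
      - run: |
          npm ci --ignore-scripts      # reproducible install without dependency lifecycle scripts
          npm run build                # 'npm build' is not the build script; 'npm run build' is

  comment:
    # Runs only for the privileged event. No checkout of the PR head: every file this job
    # touches comes from the runner image, so the secret and the write-capable token are
    # never exposed to PR-controlled code.
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write             # scoped to the one job that needs it, not the workflow root
    steps:
      - uses: completely/fakeaction@v2 # placeholder action name from the page
        with:
          arg1: ${{ secrets.supersecret }}
      - uses: fakerepo/comment-on-pr@v1 # placeholder action name from the page
        with:
          message: |
            Thank you!
```

The difference from the autofix is deliberate: `pull-requests: write` sits on the `comment` job rather than at the workflow root, and the `build` job inherits only `contents: read`, so neither job ever holds a write token while running code taken from the pull request. If the comment step needs build output, pass it through the `workflow_run` trigger or an artifact rather than checking out `head.sha` in the privileged job.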