CLI Standardization #7
base: master
| uses: ./.github/workflows/npm-release-ops.yml | ||
| with: | ||
| registry_url: https://registry.npmjs.org/ | ||
| build_command: "" # CLI doesn't need build | ||
| test_command: "npm test" | ||
| working_directory: "cli" | ||
| environment: "Master" | ||
| secrets: | ||
| npm_token: ${{ secrets.npm_token }} |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 11 days ago):
To fix the problem, explicitly set permissions in this workflow, so the GITHUB_TOKEN used by the release job (and any called workflows) is constrained to the least privileges needed. Since this workflow’s job only delegates to npm-release-ops.yml and uses an npm token secret for publishing, a conservative default is to set contents: read at the workflow level. If the called workflow requires additional scopes (for example, to create releases or tags), those should be added there, but with only the snippet given we should not assume extra requirements.
The single best change, without altering existing functionality, is to add a root-level permissions block (aligned with on: and jobs:) specifying contents: read. This establishes a minimal default for all jobs in this workflow, including release, while still allowing the called workflow to further reduce permissions if it wants. We do not change any other lines or behavior.
Concretely, in .github/workflows/_release-cli.yml, after the on: block and before jobs:, insert:
permissions:
  contents: read
No additional methods, imports, or definitions are required since this is purely a YAML configuration change for GitHub Actions.
| @@ -7,6 +7,9 @@ | ||
| - '.github/workflows/_release-cli.yml' | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| release: | ||
| uses: ./.github/workflows/npm-release-ops.yml |
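Review bot: a root-level `contents: read` in _release-cli.yml becomes the ceiling for the reusable workflow this job calls, and that workflow's release job declares `contents: write` and `id-token: write` (see the third autofix description) and relies on them for its Create GitHub Release step; a called workflow can only lower the caller's GITHUB_TOKEN permissions, never raise them, so this hunk as written would leave the release step without write access. Grant the scopes explicitly on the calling job instead: under `release:` add `permissions:` with `contents: write` and `id-token: write`, and keep the root default read-only for everything else.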
| runs-on: ubuntu-latest | ||
| outputs: | ||
| current_branch: ${{ steps.branches.outputs.branch_name }} | ||
| is_release_branch: ${{ steps.branches.outputs.is_release_branch }} | ||
| release_version: ${{ steps.package_version.outputs.version }} | ||
| package_name: ${{ steps.package_version.outputs.name }} | ||
| has_slack_webhook: ${{ steps.check_slack.outputs.has_webhook }} | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Get Package Info | ||
| id: package_version | ||
| run: | | ||
| VERSION=$(node -p "require('./package.json').version") | ||
| NAME=$(node -p "require('./package.json').name") | ||
| echo "version=$VERSION" >> $GITHUB_OUTPUT | ||
| echo "name=$NAME" >> $GITHUB_OUTPUT | ||
| echo "📦 Package: $NAME@$VERSION" | ||
| working-directory: ${{ inputs.working_directory }} | ||
|
|
||
| - name: Determine Branch Information | ||
| id: branches | ||
| run: | | ||
| BRANCH_NAME=${GITHUB_REF#refs/heads/} | ||
| echo "branch_name=${BRANCH_NAME}" >> $GITHUB_OUTPUT | ||
|
|
||
| IS_RELEASE_BRANCH=$([[ "${BRANCH_NAME}" == "${{ inputs.release_branch }}" ]] && echo "true" || echo "false") | ||
| echo "is_release_branch=${IS_RELEASE_BRANCH}" >> $GITHUB_OUTPUT | ||
| echo "📌 Branch: ${BRANCH_NAME} (Release: ${IS_RELEASE_BRANCH})" | ||
|
|
||
| - name: Check Slack Webhook | ||
| id: check_slack | ||
| run: | | ||
| if [ -n "${{ secrets.slack_webhook_url }}" ]; then | ||
| echo "has_webhook=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "has_webhook=false" >> $GITHUB_OUTPUT | ||
| fi | ||
|
|
||
| test: |
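Review bot: the Determine Branch Information and Check Slack Webhook steps expand `${{ inputs.release_branch }}` and `${{ secrets.slack_webhook_url }}` directly into the `run:` script text, so the secret is written into the generated script and the input value can change the script's syntax. Pass both through `env:` (for example `env: SLACK_WEBHOOK_URL: ${{ secrets.slack_webhook_url }}`) and test `$SLACK_WEBHOOK_URL` and `$RELEASE_BRANCH` as shell variables instead. Also quote `"$GITHUB_OUTPUT"` in the redirections, matching the quoting already used for the other variables.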
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 11 days ago):
To fix the problem, add an explicit permissions block at the top level of the workflow so that all jobs without their own permissions (here: config and test) run with least-privilege GITHUB_TOKEN access. The release job already has its own permissions block, which will override the top-level one, so we leave it unchanged.
The best minimal, non-functional change is:
- Add permissions: contents: read near the top of .github/workflows/npm-release-ops.yml, alongside name and on.
- This will ensure that config and test can still check out code (checkout requires contents: read) but won't have unnecessary write permissions.
- No imports, additional methods, or other file changes are required.
Concretely, insert:
permissions:
  contents: read
after the name: NPM Release line (or anywhere at the root level before jobs:).
| @@ -1,5 +1,8 @@ | ||
| name: NPM Release | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: |
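Review bot: this hunk and the later one for the same file (R2-R3, `@@ -1,4 +1,6 @@`) insert the identical root-level `permissions: contents: read` into npm-release-ops.yml; apply one of them, not both. Because the release job keeps its own job-level block and job-level permissions override the workflow default, this block only governs config and test, neither of which needs more than checkout. Worth a one-line comment above it: since this file is invoked via workflow_call, the effective token is additionally capped by whatever the calling workflow grants.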
| needs: config | ||
| runs-on: ubuntu-latest | ||
| if: inputs.test_command != '' | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: ${{ inputs.node_version }} | ||
| cache: 'npm' | ||
| cache-dependency-path: ${{ inputs.working_directory }}/package-lock.json | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
| working-directory: ${{ inputs.working_directory }} | ||
|
|
||
| - name: Run Tests | ||
| run: ${{ inputs.test_command }} | ||
| working-directory: ${{ inputs.working_directory }} | ||
|
|
||
| release: |
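Review bot: `run: ${{ inputs.test_command }}` executes the caller-supplied string verbatim as the job's script; that is acceptable only because workflow_call inputs come from the calling workflow file (here the literal "npm test"), so state in the input's description that it must be a fixed command and never be derived from untrusted data. Separately, `npm ci` refuses to run without a package-lock.json in the working directory, and the setup-node `cache-dependency-path` already assumes `cli/package-lock.json` exists, so the CLI lockfile must be committed for this job to pass.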
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 11 days ago):
In general, the fix is to explicitly declare permissions for the workflow or for each job, granting only what is required. Here, the release job already has a tailored permissions block (contents: write, id-token: write). The config and test jobs only read repository contents and use secrets; they do not push changes or modify GitHub resources. So we should add a restrictive permissions block to those jobs (or at the workflow root) that limits GITHUB_TOKEN to read-only. To avoid altering existing behavior for the release job, we will set permissions: contents: read at the workflow root, so it applies to all jobs by default, while the existing release job permissions block will override this as needed.
Concretely, in .github/workflows/npm-release-ops.yml, insert a top-level permissions: block right after the name: NPM Release line. This block will specify contents: read, which is the minimal permission required for actions/checkout and reading the repository during config and test. We do not need to modify the release job’s permissions because job-level permissions override the workflow-level defaults. No additional imports or external libraries are needed since this is a YAML configuration change only.
| @@ -1,4 +1,6 @@ | ||
| name: NPM Release | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_call: |
|
|
||
| - name: Create GitHub Release | ||
| if: inputs.enable_gh_release == true | ||
| uses: softprops/action-gh-release@v2 |
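Review bot: `uses: softprops/action-gh-release@v2` is a movable tag, so a re-tag or a compromise of that repository silently changes the code this step runs with `contents: write` and `id-token: write`. Pin to the full commit SHA of the v2 release you have tested and keep the tag as a trailing comment for readability, e.g. `uses: softprops/action-gh-release@<commit-sha> # v2` (SHA to be filled in from the upstream release), and let Dependabot or a similar updater bump the SHA.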
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow (Medium)
|
|
||
| - name: Notify Slack | ||
| if: always() && needs.config.outputs.has_slack_webhook == 'true' | ||
| uses: slackapi/slack-github-action@v1.26.0 |
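Review bot: same finding for `uses: slackapi/slack-github-action@v1.26.0`; a patch-level tag is still mutable, so pin it to the commit SHA behind v1.26.0 with the version in a trailing comment, e.g. `uses: slackapi/slack-github-action@<commit-sha> # v1.26.0` (SHA to be taken from the upstream tag). This step runs under `if: always()`, so it also executes after a failed release; that is intended for notifications, but it means the pinned action code runs on every path, which is one more reason to pin it.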
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow (Medium)
No description provided.