Skip to content

Potential fix for code scanning alert no. 39: Workflow does not contain permissions#132

Draft
pinkycollie wants to merge 6 commits into
mainfrom
alert-autofix-39
Draft

Potential fix for code scanning alert no. 39: Workflow does not contain permissions#132
pinkycollie wants to merge 6 commits into
mainfrom
alert-autofix-39

Conversation

@pinkycollie

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/pinkycollie/deaf-first-platform/security/code-scanning/39

Add an explicit top-level permissions block in .github/workflows/Security-hardening.yml so all jobs inherit least-privilege token access unless overridden.

Best single fix (without changing current functionality): define workflow-level read-only permissions:

  • contents: read

This is sufficient for current shown steps (checkout, setup-node, npm/grep shell checks) and matches CodeQL’s minimal recommended baseline. Place it after the on: section (or near top-level keys) and before jobs: so it applies globally across all jobs, including those omitted in the snippet.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

pinkycollie and others added 6 commits May 26, 2026 19:21
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
@changeset-bot

changeset-bot Bot commented Jun 4, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: d6ae342

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant