Skip to content

Potential fix for code scanning alert no. 22: Workflow does not contain permissions#133

Draft
pinkycollie wants to merge 8 commits into
mainfrom
alert-autofix-22
Draft

Potential fix for code scanning alert no. 22: Workflow does not contain permissions#133
pinkycollie wants to merge 8 commits into
mainfrom
alert-autofix-22

Conversation

@pinkycollie

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/pinkycollie/deaf-first-platform/security/code-scanning/22

Add an explicit permissions block at the workflow root in .github/workflows/api-tests.yml (right after on: section, before jobs:), so all jobs inherit least-privilege defaults.
For this workflow, the best single safe baseline is:

  • contents: read (needed for actions/checkout)
  • optionally actions: read is usually unnecessary, so omit unless required
  • avoid broad write scopes unless a specific step needs them

This preserves current behavior while making token privileges explicit and stable across repositories/org defaults. If later a job needs write access (e.g., commenting on PRs), add a job-level permissions override only for that job.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

pinkycollie and others added 8 commits May 26, 2026 19:21
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Update API documentation workflow to change title.

Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
@changeset-bot

changeset-bot Bot commented Jun 4, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: ec1f0e0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@snyk-io

snyk-io Bot commented Jun 4, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
🔚 Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant