Potential fix for code scanning alert no. 97: Workflow does not contain permissions #240
Pangjiping wants to merge 1 commit into main from
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
hittyt
left a comment
Change summary: This PR adds explicit read-only permissions to the egress test workflow, but it is redundant as this fix is already merged in main.
This PR is outdated and redundant. The proposed permissions block was already added to the main branch via PR #278. Additionally, the PR branch lacks recent critical updates found in main, such as the inclusion of components/internal/** in the trigger paths and the upgrade of several GitHub Actions to newer versions. Merging this PR would cause a regression in the CI configuration. Also, the workflow filename .github/workflows/egress-test.yaml.yml contains a double extension typo which should be corrected in a separate chore PR.
| paths: | ||
| - 'components/egress/**' | ||
|
|
||
| permissions: |
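Review bot: the hunk shows the new `permissions:` key but not the scope line beneath it; per the fix description it should be followed by `  contents: read` and sit at workflow level (column 0, between the `on:` block and `concurrency:`), not indented under a single job, so the read-only default covers both `test` and `smoke`. The `paths:` context visible here lists only `components/egress/**`, which the review comment above says is behind main's current trigger paths; rebasing on main before merge would avoid the regression that comment describes.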
[P1] Redundant and outdated fix
This permissions block has already been added to the main branch (see PR #278). Furthermore, this PR is based on an older version of the workflow and is missing critical recent changes:
- The `components/internal/**` path filter.
- Upgraded GitHub Actions versions (e.g., `actions/checkout@v6`).
Merging this PR would result in a regression of the workflow configuration. It is recommended to close this PR.
Potential fix for https://github.com/alibaba/OpenSandbox/security/code-scanning/97
In general, the problem is fixed by adding an explicit `permissions` block that grants only the minimal required scopes to `GITHUB_TOKEN`. Since the jobs here only need to check out code and run local builds/tests, they only require read access to repository contents. They do not need to write to the repo, create statuses, or modify issues/PRs.

The best minimal fix without changing existing functionality is to add a workflow-level `permissions` block near the top of `.github/workflows/egress-test.yaml.yml`, immediately after the `name:` line or after the `on:` block. Setting `permissions: contents: read` at the root will apply to both `test` and `smoke` jobs, satisfying the CodeQL rule and enforcing least privilege. No imports or additional methods are needed, just the YAML configuration change.

Concretely: in `.github/workflows/egress-test.yaml.yml`, insert the block so that it appears between the `on:` block and `concurrency:` (or right after `name:`), ensuring the entire workflow uses read-only `contents` permissions.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
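The check behind this alert, and the placement of the fix the description recommends, as an added example that is not code from the OpenSandbox project or from this PR. It audits a GitHub Actions workflow for a `permissions` declaration at workflow level or on every job (the condition the CodeQL rule enforces) and can insert the workflow-level `contents: read` block right after the `on:` block. The sample workflow is constructed from the description (jobs `test` and `smoke`, a path-filtered trigger, no permissions block); its step commands are placeholders, and the indentation-based parser is a deliberately narrow one that handles this block-style layout without PyYAML, not every YAML form.

```python
# Added example, not code from the OpenSandbox project or from this PR: a small
# audit of the property behind code-scanning alert 97. It reports whether a
# GitHub Actions workflow declares `permissions` for GITHUB_TOKEN at workflow
# level or on every job, and can insert the workflow-level read-only block the
# fix description recommends, right after the `on:` block.
import re

KEY = re.compile(r"^\s*([A-Za-z_][\w-]*):")  # a mapping key after optional indent

# Constructed sample modelled on the workflow the PR body describes (jobs `test`
# and `smoke`, path-filtered trigger, no permissions). Step commands are placeholders.
BEFORE = """\
name: egress-test
on:
  pull_request:
    paths:
      - 'components/egress/**'
concurrency: egress-${{ github.ref }}
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - run: make test
  smoke:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - run: make smoke
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _top_level_keys(lines):
    """Map each column-0 mapping key to the index of its line."""
    return {m.group(1): i for i, line in enumerate(lines)
            if _indent(line) == 0 and (m := KEY.match(line))}


def _block(lines, start):
    """Lines nested under the top-level key at index `start`."""
    body = []
    for line in lines[start + 1:]:
        if line.strip() and _indent(line) == 0:
            break
        body.append(line)
    return body


def _permissions_at(lines, idx):
    """Value of `permissions:`: 'read-all', 'write-all' or a {scope: level} dict."""
    inline = lines[idx].split(":", 1)[1].strip()
    if inline in ("read-all", "write-all"):
        return inline
    scopes = {}
    for line in ([] if inline == "{}" else _block(lines, idx)):
        m = KEY.match(line)
        if m:
            scopes[m.group(1)] = line.split(":", 1)[1].strip()
    return scopes


def _jobs(lines, start):
    """Map job id -> its direct keys (runs-on, steps, permissions, ...)."""
    jobs, job_indent, key_indent, current = {}, None, None, None
    for line in _block(lines, start):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ind, m = _indent(line), KEY.match(line)
        job_indent = ind if job_indent is None else job_indent
        if m and ind == job_indent:            # a new job id
            current, key_indent = m.group(1), None
            jobs[current] = {}
        elif m and current and ind > job_indent:
            key_indent = ind if key_indent is None else key_indent
            if ind == key_indent:              # direct child of the job
                jobs[current][m.group(1)] = line.split(":", 1)[1].strip()
    return jobs


def audit_workflow(text):
    """Workflow-level permissions, jobs that inherit the default token, and
    whether the CodeQL alert would fire (no workflow default and a job sets none)."""
    lines = text.splitlines()
    tops = _top_level_keys(lines)
    perms = _permissions_at(lines, tops["permissions"]) if "permissions" in tops else None
    jobs = _jobs(lines, tops["jobs"]) if "jobs" in tops else {}
    missing = [name for name, keys in jobs.items() if "permissions" not in keys]
    return {"workflow_permissions": perms, "jobs_without_permissions": missing,
            "alert": perms is None and bool(missing)}


def add_workflow_permissions(text, scopes=None):
    """Insert a workflow-level block after the `on:` block (or after `name:`);
    defaults to contents: read. Unchanged if a workflow-level block exists."""
    scopes = scopes or {"contents": "read"}
    lines = text.splitlines()
    tops = _top_level_keys(lines)
    if "permissions" in tops:
        return text
    anchor = tops.get("on", tops.get("name", -1))
    insert_at = 0
    if anchor >= 0:  # first column-0 key after the anchor block, else the end
        insert_at = next((i for i in range(anchor + 1, len(lines))
                          if lines[i].strip() and _indent(lines[i]) == 0), len(lines))
    block = ["permissions:"] + [f"  {s}: {lvl}" for s, lvl in scopes.items()]
    return "\n".join(lines[:insert_at] + block + lines[insert_at:]) + "\n"
```

Running `audit_workflow(BEFORE)` reports both jobs without permissions and `alert` set; `add_workflow_permissions(BEFORE)` places `permissions:` / `  contents: read` between the `on:` block and `concurrency:`, after which the audit reports the read-only workflow default and no alert. A job-level `permissions:` on one job removes only that job from the list, which is why the workflow-level placement is the smaller change here.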