Fix build pipeline and update JSON generation workflow #12
| if: ${{ github.ref == 'refs/heads/develop' }} | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Java | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| distribution: 'temurin' | ||
| java-version: '17' | ||
|
|
||
| - name: Run transformation pipeline | ||
| run: bash .github/scripts/run-pipeline.sh | ||
|
|
||
|
|
||
| - name: Upload combined artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: bc-building-code-artifact | ||
| path: | | ||
| json-generation-pipeline/output/** | ||
| bc-graphics/** | ||
| graphics/** | ||
|
|
||
| - name: Trigger Repo B sync | ||
| if: success() | ||
| run: | | ||
| curl -X POST \ | ||
| -H "Authorization: Bearer ${{ secrets.REPO_B_TRIGGER_TOKEN }}" \ | ||
| -H "Accept: application/vnd.github+json" \ | ||
| https://api.github.com/repos/bcgov/HOUS-Interactive-BCBC/dispatches \ | ||
| -d "{\"event_type\":\"sync-from-repo-a\",\"client_payload\":{\"branch\":\"${GITHUB_REF_NAME}\"}}" |
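Review bot: the `Trigger Repo B sync` step cannot fail on a rejected dispatch, because a plain `curl -X POST` exits 0 on an HTTP 401/403/404 response, so `if: success()` and the job status stay green even when `REPO_B_TRIGGER_TOKEN` has expired or lacks write access to `bcgov/HOUS-Interactive-BCBC`; invoke it as `curl -sS --fail-with-body -X POST \` so a non-2xx response fails the step while the response body is still logged. Two smaller points on the same step: the JSON body is assembled by shell interpolation of `${GITHUB_REF_NAME}` inside `-d "..."`; with the job gated by `if: ${{ github.ref == 'refs/heads/develop' }}` the value is always `develop` today, but if that gate is ever widened a branch name containing a quote breaks the payload, so build it with `jq -n --arg b "$GITHUB_REF_NAME" '{event_type:"sync-from-repo-a",client_payload:{branch:$b}}'` instead. Also, `actions/checkout@v4`, `actions/setup-java@v4` and `actions/upload-artifact@v4` are referenced by mutable tags; pinning them to a full commit SHA (with the tag kept in a trailing comment) is the usual supply-chain hardening for a workflow that holds a cross-repository token.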
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 2 months ago
In general, fix this by adding a permissions block that restricts the GITHUB_TOKEN to the minimal required scopes. Because this workflow only needs to read the repository contents (for actions/checkout) and does not perform any GitHub write operations with GITHUB_TOKEN, we can safely set contents: read. Other steps that perform writes (the final curl call) already use a separate secret token, so they do not require additional GITHUB_TOKEN scopes.
The single best fix with no behavior change is to add a workflow-level permissions block right after the on: section in .github/workflows/generate-artifact.yml, applying to all jobs. This block should be:
permissions:
  contents: read

No imports or additional methods are needed; this is purely a YAML configuration change inside the shown workflow file.
| @@ -3,6 +3,9 @@ | ||
| on: | ||
| workflow_dispatch: {} | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build: | ||
| # Allow run only when the workflow is dispatched from a branch |
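Review bot: the workflow-level `permissions: contents: read` added after `workflow_dispatch: {}` is the right scope here, since the only GITHUB_TOKEN consumer is `actions/checkout` and the dispatch step carries its own secret; please apply it rather than dismissing the alert, because without a `permissions` block the job inherits the repository default, which depending on the repository setting can be a token with read/write on every scope. One documentation nit in the same hunk: the comment `# Allow run only when the workflow is dispatched from a branch` annotates an `if:` gate whose condition is `github.ref == 'refs/heads/develop'`, which allows only the develop branch, not any branch; reword the comment to say so, otherwise the next reader assumes feature branches can trigger the sync too.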
No description provided.