Skip to content

Potential fix for code scanning alert no. 28: Workflow does not contain permissions#552

Merged
daveshanley merged 1 commit intomainfrom
alert-autofix-28
Mar 29, 2026
Merged

Potential fix for code scanning alert no. 28: Workflow does not contain permissions#552
daveshanley merged 1 commit intomainfrom
alert-autofix-28

Conversation

@daveshanley
Copy link
Copy Markdown
Member

@daveshanley daveshanley commented Mar 29, 2026

Potential fix for https://github.com/pb33f/libopenapi/security/code-scanning/28

Generally, the fix is to explicitly declare a permissions block that grants only the scopes needed by the workflow. Since this workflow only checks out code and runs Go tests plus an external Codecov action (which uses its own secret token), it only needs read access to repository contents. The simplest, least-privilege fix is to set permissions: contents: read at the root of the workflow so it applies to both buildWindows and build jobs, without changing any job behavior.

Concretely, edit .github/workflows/build.yaml to insert a permissions: section near the top-level (e.g., after the on: block and before jobs:). Set contents: read as the only permission. No other changes, imports, or definitions are required, and no job-specific permissions blocks are necessary unless future steps need broader scopes.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@daveshanley @github-advanced-security
Potential fix for code scanning alert no. 28: Workflow does not conta…
6b8d4d8 
…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@daveshanley daveshanley marked this pull request as ready for review March 29, 2026 16:46
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 29, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.61%. Comparing base (83b5e4f) to head (6b8d4d8).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #552   +/-   ##
=======================================
  Coverage   99.61%   99.61%           
=======================================
  Files         236      236           
  Lines       28037    28037           
=======================================
  Hits        27930    27930           
  Misses         65       65           
  Partials       42       42
Flag Coverage Δ
unittests 99.61% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@daveshanley daveshanley merged commit 96cbefc into main Mar 29, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@daveshanley