Conversation
    runs-on: ubuntu-latest
    steps:
      - name: Trigger dune revenue upload
        run: |
          gh api repos/${{ secrets.DUNE_UPLOAD_REPO }}/dispatches \
            -f event_type=recon-updated
        env:
          GH_TOKEN: ${{ secrets.DUNE_UPLOAD_TOKEN }}
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI 2 days ago
In general, the fix is to add an explicit permissions block to the workflow or to individual jobs, restricting the GITHUB_TOKEN to the minimum required scopes. This prevents the job from inheriting broad default permissions and documents the intended access level.
For this specific workflow, the dispatch job only invokes gh api using a separate GH_TOKEN from secrets.DUNE_UPLOAD_TOKEN and does not reference GITHUB_TOKEN. The minimal, non-breaking change is to add a job-level permissions block under jobs.dispatch that limits GITHUB_TOKEN to read-only repository contents. A safe common baseline is:
permissions:
  contents: read

This should be inserted directly under jobs.dispatch: (around current line 12) and indented to align with runs-on:. No additional imports or methods are needed, since this is purely a workflow configuration change.
| @@ -9,6 +9,8 @@ | ||
|
|
||
| jobs: | ||
| dispatch: | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: |
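Review bot: the `contents: read` grant added under `dispatch:` is broader than this job needs, since its only step authenticates `gh api` with `secrets.DUNE_UPLOAD_TOKEN` and nothing in the job uses GITHUB_TOKEN or checks out the repository; `permissions: {}` would satisfy the CodeQL alert with no GITHUB_TOKEN scopes at all. Either way, this block only governs GITHUB_TOKEN, so the scope of the DUNE_UPLOAD_TOKEN PAT still has to be limited where that token is issued.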
Xeonus
left a comment
Worth adding read perms to action?
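The CodeQL alert above is easy to reproduce outside GitHub's scanner. The following is an added example, not part of this PR, of the CodeQL check or of the Copilot suggestion: a small line-based check that lists the jobs in a workflow file that neither declare `permissions:` themselves nor are covered by a workflow-level `permissions:` key. `WORKFLOW_BEFORE` mirrors the job shown in this PR; the workflow name and trigger, the second sample workflow (`WORKFLOW_MIXED`) and the function name `jobs_missing_permissions` are assumptions made for the example.

```python
# Added example (not from the PR or the CodeQL/Copilot output): report jobs in a
# GitHub Actions workflow that run with the default GITHUB_TOKEN permissions.
# It deliberately avoids a YAML library so it runs on a bare interpreter; it
# understands the usual two-space workflow layout, not every YAML construct.

def jobs_missing_permissions(workflow_text: str) -> list:
    """Return names of jobs with no job-level `permissions:` key when the
    workflow also has no top-level `permissions:` key."""
    lines = workflow_text.splitlines()
    workflow_level = any(ln.startswith("permissions:") for ln in lines)

    in_jobs = False
    jobs_indent = None   # indentation of the job names under `jobs:`
    key_indent = None    # indentation of keys inside a job (runs-on, steps, ...)
    current = None
    covered = {}         # job name -> True if some permissions block applies

    for raw in lines:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()

        if indent == 0:                      # new top-level key
            in_jobs = line.startswith("jobs:")
            jobs_indent = key_indent = current = None
            continue
        if not in_jobs:
            continue

        if jobs_indent is None:              # first line under `jobs:` is a job name
            jobs_indent = indent
        if indent == jobs_indent and line.endswith(":"):
            current = line[:-1]
            covered[current] = workflow_level
            key_indent = None
            continue
        if current is None:
            continue
        if key_indent is None:               # first key inside the job
            key_indent = indent
        if indent == key_indent and line.startswith("permissions:"):
            covered[current] = True          # matches `permissions:` and `permissions: {}`

    return [name for name, ok in covered.items() if not ok]


# Constructed sample mirroring the job in this PR; the workflow name and the
# trigger are assumed, the repository and secret names are the page's own.
WORKFLOW_BEFORE = """\
name: recon-updated
on:
  push:
    branches: [main]

jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger dune revenue upload
        run: |
          gh api repos/${{ secrets.DUNE_UPLOAD_REPO }}/dispatches \\
            -f event_type=recon-updated
        env:
          GH_TOKEN: ${{ secrets.DUNE_UPLOAD_TOKEN }}
"""

# The same workflow with the suggested job-level block applied.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "  dispatch:\n", "  dispatch:\n    permissions:\n      contents: read\n"
)

# Constructed two-job workflow: `build` is scoped, `deploy` is not.
WORKFLOW_MIXED = """\
name: mixed
on: [push]
jobs:
  build:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: echo deploy
"""

if __name__ == "__main__":
    for label, text in [("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER),
                        ("mixed", WORKFLOW_MIXED)]:
        print(label, "->", jobs_missing_permissions(text) or "all jobs covered")
```

Running it prints `before -> ['dispatch']`, `after -> all jobs covered` and `mixed -> ['deploy']`. Because the check only looks for the key, it accepts `permissions: {}` as well as a scoped block, which is the stricter choice for a job like this one that never uses GITHUB_TOKEN.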
No description provided.