Conversation
```yaml
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Release
        uses: softprops/action-gh-release@v1
```
Check warning
Code scanning / CodeQL
Workflow does not contain permissions
Copilot Autofix
AI 19 days ago
In general, to fix this class of problem you add an explicit permissions block either at the top level of the workflow (applies to all jobs) or within the individual job (applies to that job only). The block should grant only the specific scopes required. For a release workflow using softprops/action-gh-release, the main required permission is contents: write so the action can create/update GitHub releases and upload assets. Other scopes (issues, pull-requests, etc.) are not needed here and should remain at their implicit none unless explicitly required.
For this specific file .github/workflows/gh-release.yml, the least intrusive and clearest fix is to add a permissions block to the build job (right under runs-on: ubuntu-latest) specifying contents: write. This avoids changing behavior for any other jobs that might exist elsewhere in the file (we are only shown this one job) and documents the exact permission required for this job. No imports or additional definitions are required; this is purely a YAML configuration change.
Concretely:

- Edit the `build` job in `.github/workflows/gh-release.yml`.
- Insert the following block after line 10 (`runs-on: ubuntu-latest`):

```yaml
permissions:
  contents: write
```

This gives the GITHUB_TOKEN only the content write permission needed to create releases, while staying within the principle of least privilege.
| @@ -8,6 +8,8 @@ | ||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v3 |
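Review bot: the added job-level `permissions:` block is the right place for least privilege, but it should carry a short comment saying that `contents: write` exists for the release step, because GITHUB_TOKEN scopes apply to the whole job: the `actions/checkout@v3` step in the same hunk also receives write access although it only needs to read the repository, and without a note the scope is easy to widen later. Separately, both `uses:` lines in the hunk pin to mutable major tags (`@v3`, `@v1`); with a write-scoped token in play, pinning to a full commit SHA would keep a moved tag from running different code under this permission.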
No description provided.
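An added example (not CodeQL's, Copilot's or GitHub's code) that mirrors the alert above: a small indentation-based audit of a workflow file that reports jobs with no effective `permissions:` block and lists the write scopes the GITHUB_TOKEN would receive, run over the release job before and after the suggested fix. It assumes the 2-space YAML layout used in this workflow and needs no YAML library; the `BEFORE`/`AFTER` inputs are constructed from the alert.

```python
import re
_KEY = re.compile(r"^(\s*)(-\s+)?([A-Za-z0-9_.-]+):\s*(.*?)\s*(?:\s#.*)?$")

def _parse(text):
    """Nested dicts from an indented YAML mapping ("- key:" entries are flattened, comments dropped)."""
    root = {}
    stack = [(-1, root)]             # (indent, mapping) for every mapping currently open
    for line in text.splitlines():
        m = _KEY.match(line)
        if not m:
            continue
        indent, dash, key, value = len(m.group(1)), m.group(2), m.group(3), m.group(4)
        if dash:
            indent += 2              # "- key:" sits one level below its parent key
        while stack[-1][0] >= indent:
            stack.pop()              # close every mapping indented at this level or deeper
        node = {} if value in ("", "{}") else value
        stack[-1][1][key] = node
        if isinstance(node, dict):
            stack.append((indent, node))
    return root

def audit_workflow(text):
    """One finding per job: whether any permissions block is in effect and what it grants."""
    tree = _parse(text)
    top = tree.get("permissions")        # workflow-level default, if any
    findings = []
    for name, job in tree.get("jobs", {}).items():
        if not isinstance(job, dict):
            continue
        eff = job.get("permissions", top)  # a job-level block replaces the workflow default
        scopes = eff if isinstance(eff, dict) else {}
        findings.append({
            "job": name,
            "missing": eff is None,          # the "Workflow does not contain permissions" case
            "blanket": eff if isinstance(eff, str) else None,  # e.g. write-all / read-all
            "write_scopes": sorted(k for k, v in scopes.items() if v == "write"),
        })
    return findings

# Constructed sample: the release job from the alert, before and after the suggested fix.
BEFORE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Release
        uses: softprops/action-gh-release@v1
"""
AFTER = BEFORE.replace("    runs-on: ubuntu-latest\n",
                       "    runs-on: ubuntu-latest\n    permissions:\n      contents: write\n")
```

`audit_workflow(BEFORE)` flags the job as missing permissions; `audit_workflow(AFTER)` reports only `contents` as a write scope, and a workflow-level `permissions: write-all` shows up in the `blanket` field instead.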