Migrate to reusable workflows #19
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| name: CodeQL | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| branches: | ||
| - main | ||
| - master | ||
| - develop | ||
| pull_request: | ||
|
|
||
| jobs: | ||
| analyse: | ||
| name: Call Ledger CodeQL analysis | ||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1 | ||
| secrets: inherit | ||
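Review bot: this workflow has no `permissions:` block, so the `analyse` job runs with the default GITHUB_TOKEN scope and forwards it, together with every repository secret via `secrets: inherit`, to the called workflow. Add a block between `pull_request:` and `jobs:`; because a called reusable workflow can only narrow the token it receives, size it to what the CodeQL checks actually need (`contents: read`, plus `security-events: write` if the callee uploads results) rather than assuming bare `contents: read` will be enough. Pinning the `uses:` reference to a full commit SHA instead of the movable `@v1` tag would also stop a tag update from running with those inherited secrets.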
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,16 @@ | ||||||||||||||||||||||||||
| name: Unit Tests | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||
| workflow_dispatch: | ||||||||||||||||||||||||||
| push: | ||||||||||||||||||||||||||
| branches: | ||||||||||||||||||||||||||
| - main | ||||||||||||||||||||||||||
| - master | ||||||||||||||||||||||||||
| - develop | ||||||||||||||||||||||||||
| pull_request: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||
| unit_tests: | ||||||||||||||||||||||||||
| name: Unit Tests | ||||||||||||||||||||||||||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1 | ||||||||||||||||||||||||||
| secrets: inherit | ||||||||||||||||||||||||||
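Review bot: same omission as in codeql.yml, and this is the file the CodeQL alert points at (lines +14 to +16): there is no `permissions:` block anywhere. A workflow-level `permissions:` granting only `contents: read`, placed after `pull_request:`, is the minimal fix for a job that only delegates to the reusable unit-tests workflow; if that callee needs more, grant it here explicitly, since the called workflow cannot elevate what it receives. The `@v1` tag combined with `secrets: inherit` deserves the same SHA-pinning consideration as codeql.yml.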
Comment on lines +14 to +16

Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 3 months ago): In general, the problem is fixed by explicitly specifying […] For this specific workflow, which only delegates to a reusable workflow and does not itself perform write operations, the safest non-breaking fix is to add a

    permissions:
      contents: read

This should be placed under […] Concretely, in […]
Suggested changeset (1 file): .github/workflows/unit-tests.yml
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Copilot Autofix (AI, 3 months ago):
In general, the fix is to add an explicit `permissions:` block that grants only the minimal required scopes for the GITHUB_TOKEN, either at the workflow root (applies to all jobs) or under the specific job. Since this workflow only forwards to a reusable workflow and there is no indication it needs write access, we can safely start with a read-only configuration (e.g., `contents: read`), which aligns with GitHub’s recommended baseline.

The most direct fix without altering existing behavior is to add a `permissions:` section at the top workflow level, just after the `on:` block and before `jobs:`. This will apply to the `analyse` job unless that job or the called reusable workflow overrides permissions. We’ll set `permissions: contents: read`, which is the standard “read-only” baseline and is very unlikely to break a CodeQL analysis workflow, as it primarily needs to read repository contents. No imports or additional methods are needed; it’s a pure YAML configuration change within `.github/workflows/codeql.yml`.

Concretely, in `.github/workflows/codeql.yml`, after line 10 (`pull_request:`) and before line 12 (`jobs:`), insert: […] This documents and constrains the token permissions for the workflow.
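The check behind the CodeQL alert above, as an added example that is not part of this PR or of the Ledger repositories: a stdlib-only lint that reports jobs left without a `permissions:` block, run over a constructed copy of the unit-tests workflow in both placements the autofix describes (workflow level and job level). The sample YAML, the regex and the function name are assumptions for this example.

```python
import re

# Constructed sample modelled on the unit-tests.yml hunk in this PR (not the repo's file).
BASE = """\
name: Unit Tests

on:
  push:
    branches:
      - main
  pull_request:

jobs:
  unit_tests:
    name: Unit Tests
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1
    secrets: inherit
"""
# The two placements the autofix describes: workflow level and job level.
WORKFLOW_LEVEL = BASE.replace("jobs:", "permissions:\n  contents: read\n\njobs:")
JOB_LEVEL = BASE.replace("    secrets: inherit",
                         "    secrets: inherit\n    permissions:\n      contents: read")

KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w.-]*)\s*:")  # "  key:" with its indent

def unscoped_jobs(yaml_text: str) -> list[str]:
    """Job ids whose GITHUB_TOKEN is not constrained by any `permissions:`
    block, at workflow level or on the job itself. Presence is all the CodeQL
    finding reports; whether the granted scopes are minimal is not judged."""
    workflow_perms = in_jobs = False
    job_indent = current = None
    jobs: dict[str, bool] = {}            # job id -> has a job-level block
    for raw in yaml_text.splitlines():
        m = KEY_RE.match(raw)
        if not m:
            continue                      # blank lines, list items, comments
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                   # top-level mapping key
            in_jobs = key == "jobs"
            workflow_perms |= key == "permissions"
        elif in_jobs:
            job_indent = job_indent or indent   # first key under jobs: fixes the job indent
            if indent == job_indent:      # a new job id
                current = key
                jobs[current] = False
            elif current and key == "permissions":
                jobs[current] = True      # job-level block constrains this job
    if workflow_perms:
        return []                         # workflow-level block covers every job
    return [job for job, scoped in jobs.items() if not scoped]
```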