Potential fix for code scanning alert no. 901: Workflow does not contain permissions#584
Potential fix for code scanning alert no. 901: Workflow does not contain permissions#584aurelianware wants to merge 2 commits intomainfrom
Conversation
…ain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Aurelianware <markus@aurelianware.com>
|
@copilot can you fix the lint check that’s failing |
Agent-Logs-Url: https://github.com/aurelianware/cloudhealthoffice/sessions/d7b79b51-cd94-4cfc-aecc-4bce99471aac Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Fixed in commit |
There was a problem hiding this comment.
Pull request overview
Adds an explicit permissions block to the Azure Static Web Apps CI/CD workflow to address code scanning alert #901 by restricting default GITHUB_TOKEN privileges.
Changes:
- Add workflow-level
permissionswithcontents: readto limitGITHUB_TOKENscope.
| permissions: | ||
| contents: read |
There was a problem hiding this comment.
The new workflow-level permissions restricts GITHUB_TOKEN to contents: read, but this workflow passes secrets.GITHUB_TOKEN as repo_token to Azure/static-web-apps-deploy@v1 (notably for PR integrations/PR comments). With only contents: read, the action will no longer be able to create/update PR comments or other PR metadata, changing existing behavior. Consider adding the minimal additional scopes required (typically pull-requests: write, and scope it per-job if you want close_pull_request_job to remain read-only).
Potential fix for https://github.com/aurelianware/cloudhealthoffice/security/code-scanning/901
In general, the fix is to explicitly set a
permissions:block to restrict the defaultGITHUB_TOKENscope to the least privileges required. This block can be set at the top level of the workflow (applies to all jobs) or per-job. Since both jobs in this workflow are simple deploy/close actions and there is no evidence of needing broad write access, the safest change is to add a top-levelpermissions:block with read-only repository contents (and no other scopes) unless the action explicitly requires additional scopes.The single best change here, without altering existing functionality, is to add a workflow-level
permissions:section just below theon:block. As a minimal, conservative configuration, we can setcontents: read, which matches the CodeQL suggestion and is typically sufficient for actions that only need to read repo content and post PR comments viarepo_token. The rest of the workflow remains unchanged. No extra imports or methods are needed because this is purely configuration in the YAML workflow file.Concretely:
.github/workflows/azure-static-web-apps-agreeable-meadow-0da15b31e.yml.on:section (after line 10/11), insert:This ensures both
build_and_deploy_jobandclose_pull_request_jobinherit the restricted permissions unless they later define their ownpermissionsblock.Suggested fixes powered by Copilot Autofix. Review carefully before merging.