Potential fix for code scanning alert no. 901: Workflow does not contain permissions #584
aurelianware merged 4 commits into main from
Conversation
…ain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Aurelianware <markus@aurelianware.com>
@copilot can you fix the lint check that’s failing
Agent-Logs-Url: https://github.com/aurelianware/cloudhealthoffice/sessions/d7b79b51-cd94-4cfc-aecc-4bce99471aac
Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Fixed in commit
Pull request overview
Adds an explicit permissions block to the Azure Static Web Apps CI/CD workflow to address code scanning alert #901 by restricting default GITHUB_TOKEN privileges.
Changes:
- Add workflow-level `permissions` with `contents: read` to limit `GITHUB_TOKEN` scope.
| permissions: | ||
| contents: read |
The new workflow-level permissions restricts GITHUB_TOKEN to contents: read, but this workflow passes secrets.GITHUB_TOKEN as repo_token to Azure/static-web-apps-deploy@v1 (notably for PR integrations/PR comments). With only contents: read, the action will no longer be able to create/update PR comments or other PR metadata, changing existing behavior. Consider adding the minimal additional scopes required (typically pull-requests: write, and scope it per-job if you want close_pull_request_job to remain read-only).
Signed-off-by: Aurelianware <markus@aurelianware.com>
@copilot apply changes based on the comments in this thread
…oy_job
Agent-Logs-Url: https://github.com/aurelianware/cloudhealthoffice/sessions/5d8cf151-26b1-4027-92f0-bb3a0472014b
Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Done in commit
Potential fix for https://github.com/aurelianware/cloudhealthoffice/security/code-scanning/901
The fix explicitly sets `permissions:` blocks per-job to restrict the default `GITHUB_TOKEN` scope to the least privileges required for each job, preserving existing functionality. Concretely, in `.github/workflows/azure-static-web-apps-agreeable-meadow-0da15b31e.yml`:
- `build_and_deploy_job` receives `contents: read` plus `pull-requests: write`. The `pull-requests: write` scope is required for `Azure/static-web-apps-deploy@v1` to post and update PR comments via `repo_token`.
- `close_pull_request_job` receives `contents: read` only. This job only closes the staging environment and does not require PR write access.
Scoping permissions per-job (rather than at the workflow level) ensures each job holds only the minimum privileges it actually needs.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.
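The shape of the final fix, as an added example rather than the repository's own workflow file (the page does not reproduce it). The job names, the action, `repo_token` and the `contents: read` / `pull-requests: write` split come from the thread; the triggers, `if:` conditions, the `AZURE_STATIC_WEB_APPS_API_TOKEN_…` secret name and the `app_location`/`api_location`/`output_location` values are assumed from the stock Azure Static Web Apps template and may differ in this repository.

```yaml
# Added example, not the project's file. Shows the per-job scoping the review
# asked for; the first commit instead put a single workflow-level block here:
#
#   permissions:
#     contents: read
#
# A workflow-level block is inherited by every job, and any scope it does not
# list is set to "none". That is what broke PR comments: the deploy action
# calls the pull-request API with repo_token, which then had no write scope.
name: Azure Static Web Apps CI/CD

on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened, closed]
    branches: [main]

jobs:
  build_and_deploy_job:
    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
    runs-on: ubuntu-latest
    permissions:
      contents: read        # needed by actions/checkout
      pull-requests: write  # the action posts/updates the staging-URL comment via repo_token
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Build And Deploy
        uses: Azure/static-web-apps-deploy@v1
        with:
          # assumed secret name (pattern used by the SWA template)
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_AGREEABLE_MEADOW_0DA15B31E }}
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          action: "upload"
          app_location: "/"        # assumed
          api_location: ""         # assumed
          output_location: "dist"  # assumed

  close_pull_request_job:
    if: github.event_name == 'pull_request' && github.event.action == 'closed'
    runs-on: ubuntu-latest
    permissions:
      contents: read        # read-only: closing the staging environment needs no PR scope
    steps:
      - name: Close Pull Request
        uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_AGREEABLE_MEADOW_0DA15B31E }}
          action: "close"
```

Two things worth checking when applying this pattern: the close job in the stock template performs no checkout, so `contents: read` is granted out of caution rather than need, and `permissions: {}` on that job would be the strictest valid setting; and once a job-level `permissions` key exists, the job no longer inherits anything from a workflow-level block, so every scope the job uses has to be listed there.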