Skip to content

fix: missing permissions for workflow #4474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: dev
Choose a base branch
from
Open

fix: missing permissions for workflow #4474

wants to merge 3 commits into from

Conversation

@manuel-rw
Copy link
Member

@manuel-rw manuel-rw commented Nov 14, 2025

Potential fix for https://github.com/homarr-labs/homarr/security/code-scanning/26

To resolve the flagged issue, add a permissions block with the minimum privileges required for this workflow. Since all write actions (committing, creating PR, merging) are handled with a custom GitHub App token, the default GITHUB_TOKEN only needs minimal (read-only) access, if any. Add permissions: { contents: read } to the job (update-contributors), or at the root of the workflow (before jobs:). Adding it at the top will apply to all jobs (in this case, there is only one job).
Implementation:
Edit .github/workflows/update-contributors.yml and, above the jobs: key, insert:

permissions:
  contents: read

No imports or other method changes are needed; this is a straightforward YAML addition.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

manuel-rw and others added 2 commits November 14, 2025 15:24
@manuel-rw @github-advanced-security
fix: missing permissions for workflow
6269948 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@manuel-rw @github-advanced-security
fix: missing permissions for workflow
1416a8d 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@deepsource-io
Copy link
Contributor

deepsource-io bot commented Nov 14, 2025
edited
Loading

Here's the code health analysis summary for commits d33cfe2..53fbdfb. View details on DeepSource ↗.

Analysis Summary

AnalyzerStatusSummaryLink
DeepSource JavaScript LogoJavaScript✅ SuccessView Check ↗
💡 If you’re a repository administrator, you can configure the quality gates from the settings.

@manuel-rw manuel-rw changed the title Potential fix for code scanning alert no. 26: Workflow does not contain permissions fix: missing permissions for workflow Nov 14, 2025
@manuel-rw manuel-rw self-assigned this Nov 14, 2025
@manuel-rw manuel-rw marked this pull request as ready for review November 14, 2025 14:35
@manuel-rw manuel-rw requested a review from a team as a code owner November 14, 2025 14:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@manuel-rw manuel-rw

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@manuel-rw