Conversation
This will allow us to run the workflow in PRs.
This way we can test if we break the build process from a PR.
| name: Docker Build | ||
| uses: ./.github/workflows/docker-build.yaml | ||
| secrets: inherit | ||
| with: | ||
| push: false |
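Review bot: `secrets: inherit` hands every repository secret to the called docker-build workflow even though this caller runs on `pull_request` with `push: false`, where the build only needs read access; consider passing just the secrets the build actually needs instead of inheriting them all, and confirm that the shared workflow skips registry login when `push` is false, since pull requests from forks run with no repository secrets and an unconditional login step would fail there.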
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 4 months ago):
To fix this problem, we should introduce a permissions block that explicitly scopes the GITHUB_TOKEN permissions to the minimum needed for the job(s). Since we don't see any evidence from this code alone that write permissions or extra scopes are required, the best default is contents: read, which is commonly the safest minimum. You can add the permissions: key to the root (top-level) of the workflow so that it applies to all jobs unless overridden, or to the individual job(s); the simplest approach is at the top level, beneath name: and above on:. This change only involves inserting a few lines at the top of .github/workflows/pull-request.yaml.
| @@ -1,4 +1,6 @@ | ||
| name: Pull Request | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: |
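Review bot: a top-level `permissions:` block is the right place for this, but note that it also caps the called workflow: jobs in docker-build.yaml cannot request more than `contents: read` from this caller. That is fine while `push: false`, and worth a comment next to the block so that whoever later enables pushing knows the write scope has to be granted here in the caller, not in the shared workflow.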
This is a public repo and they don't have access to our runners.
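As an added illustration of the CodeQL finding discussed above (example code, not from this repository): a small Python checker that flags jobs whose GITHUB_TOKEN scope is left at the default, treating either a top-level `permissions:` block or a job-level one as a fix. The sample workflow text is constructed from the hunks on this page; the job id `docker-build` is assumed, since the page shows only the job's display name.

```python
"""Checker for the CodeQL finding "Workflow does not contain permissions".
Added example; it walks the file by indentation instead of using a YAML
library, which suffices for the usual 2-space GitHub Actions layout."""

# Constructed sample: the caller workflow as the PR leaves it (no permissions
# block). The job id "docker-build" is assumed; the page shows only its name.
BEFORE = """\
name: Pull Request
on:
  pull_request:
jobs:
  docker-build:
    name: Docker Build
    uses: ./.github/workflows/docker-build.yaml
    secrets: inherit
    with:
      push: false
"""

# The same file with the autofix applied at the top level, below name:.
AFTER = BEFORE.replace("name: Pull Request\n",
                       "name: Pull Request\npermissions:\n  contents: read\n", 1)


def jobs_without_permissions(workflow_text: str) -> list[str]:
    """Return job ids whose GITHUB_TOKEN scope is never restricted: no
    top-level permissions: key (mapping, read-all or {}) and none on the job."""
    top_level = False
    in_jobs = False
    job = None
    covered: dict[str, bool] = {}
    for raw in workflow_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments carry no structure
        indent = len(raw) - len(raw.lstrip(" "))
        key = raw.strip().split(":", 1)[0]
        if indent == 0:  # top-level key
            in_jobs = key == "jobs"
            job = None
            top_level = top_level or key == "permissions"
        elif in_jobs and indent == 2:  # a job id directly under jobs:
            job = key
            covered[job] = False
        elif in_jobs and indent == 4 and job and key == "permissions":
            covered[job] = True  # job-level block overrides the default
    if top_level:
        return []
    return [name for name, ok in covered.items() if not ok]
```

Running `jobs_without_permissions(BEFORE)` reports the single calling job, and the same call on `AFTER` returns an empty list, which is exactly the distinction the CodeQL rule draws.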
ci: run docker builds from PRs
This way we can test if we break the build process from a PR.
ci: docker build is now done with a shared workflow
This will allow us to run the workflow in PRs.