Copilot Autofix

AI 4 months ago

To fix this problem, we should introduce a permissions block that explicitly scopes the GITHUB_TOKEN permissions to the minimum needed for the job(s). Since we don't see any evidence from this code alone that write permissions or extra scopes are required, the best default is contents: read, which is commonly the safest minimum. You can add the permissions: key to the root (top-level) of the workflow so that it applies to all jobs unless overridden, or to the individual job(s); the simplest approach is at the top level, beneath name: and above on:. This change only involves inserting a few lines at the top of .github/workflows/pull-request.yaml.

Suggested changeset 1

.github/workflows/pull-request.yaml

@@ -1,4 +1,6 @@
             name: Pull Request
+            permissions:
+              contents: read
             on:
               pull_request:

Copilot is powered by AI and may make mistakes. Always verify output.

ci: run docker builds from PRs #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

potyl wants to merge 2 commits into main from emo/ci-pr-docker-build

.github/workflows/docker-build.yaml

-Original file line number
+Diff line change
@@ -0,0 +1,31 @@
+    name: Build docker image
+    on:
+      workflow_call:
+        inputs:
+          push:
+            description: Indicates if the docker image has to be pushed
+            type: boolean
+            default: false
+        outputs:
+          image-tag:
+            description: Image tag used
+            value: ${{ github.event.pull_request.head.sha || github.sha }}
+    defaults:
+      run:
+        shell: bash
+    jobs:
+      build:
+        name: Docker Build 🐋
+        runs-on: x1-core
+        permissions:
+          id-token: write
+          contents: read
+          packages: write
+        steps:
+          - name: Docker build
+            uses: cloudbeds/composite-actions/docker/build-push/remote@v2
+            with:
+              push: ${{ inputs.push }}

.github/workflows/merge-main.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -10,13 +10,7 @@ on: @@
     jobs:
       build-push:
         name: Build and push application image
-        runs-on: x1-core
-        permissions:
-          id-token: write
-          contents: read
-        steps:
-          - name: Build and push application image
-            uses: cloudbeds/composite-actions/docker/build-push/remote@v2
-            with:
-              push: true
+        uses: ./.github/workflows/docker-build.yaml
+        secrets: inherit
+        with:
+          push: true

-Original file line number
+Diff line change
@@ -0,0 +1,21 @@
+    name: Pull Request
+    on:
+      pull_request:
+    # Cancel existing workflows running for this PR
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+      cancel-in-progress: true
+    defaults:
+      run:
+        shell: bash
+    jobs:
+      docker-build:
+        name: Docker Build
+        uses: ./.github/workflows/docker-build.yaml
+        secrets: inherit
+        with:
+          push: false
@@ -1,4 +1,6 @@
             name: Pull Request
+            permissions:
+              contents: read
             on:
               pull_request:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: run docker builds from PRs #8

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Check warning

Copilot Autofix

Uh oh!