
Conversation

@robertodauria (Contributor) commented Jan 13, 2026

Potential fix for https://github.com/m-lab/autojoin/security/code-scanning/2

To fix the problem, we must explicitly set permissions for the workflow or individual jobs, restricting the GITHUB_TOKEN to the minimal scopes required. This workflow checks out code, runs go test, and sends coverage via shogo82148/actions-goveralls@v1. These operations only require read access to repository contents; they do not create or modify issues, PRs, or repository data. Therefore, setting permissions: contents: read at the workflow (top) level is an appropriate least-privilege configuration and will apply to both coverage and finish jobs.

The best fix without changing functionality is to add a root-level permissions block directly under the name: coverage line in .github/workflows/coverage.yml. This will ensure that, unless a job overrides permissions, both jobs run with contents: read and no write scopes. No other code, steps, or actions need modification, and no imports or additional methods are involved, as this is a pure YAML configuration change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.


Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
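What the described change looks like in place, as an added illustration rather than the repository's own coverage.yml: the job names, the goveralls action and the root-level placement of the block follow the description above, while the triggers, the setup-go step and the exact goveralls inputs are assumptions.

```yaml
# Added illustration (not the repository's actual coverage.yml): a root-level
# permissions block placed directly under `name:` so that every job, including
# `finish`, inherits a read-only GITHUB_TOKEN unless it overrides permissions.
name: coverage

# Triggers are assumed; the PR description does not list them.
on:
  push:
    branches: [main]
  pull_request:

# Without this block the token scopes fall back to the repository default, which
# can be read-write. Declaring only `contents: read` sets every other scope
# (issues, pull-requests, packages, ...) to "none" for both jobs below.
permissions:
  contents: read

jobs:
  coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Assumed test invocation; the page only says the job runs `go test`.
      - run: go test -coverprofile=coverage.out ./...
      - uses: shogo82148/actions-goveralls@v1
        with:
          path-to-profile: coverage.out
          parallel: true

  finish:
    needs: coverage
    runs-on: ubuntu-latest
    # No job-level permissions here: it inherits `contents: read` from the root.
    steps:
      - uses: shogo82148/actions-goveralls@v1
        with:
          parallel-finished: true
```

A quick check after merging is to open a run of the workflow and expand the "GITHUB_TOKEN Permissions" section of a job's "Set up job" step, which should list only contents: read.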
@coveralls (Collaborator)

Pull Request Test Coverage Report for Build 20940884726

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 70.186%

Totals Coverage Status

  • Change from base Build 20938702918: 0.0%
  • Covered Lines: 1323
  • Relevant Lines: 1885

💛 - Coveralls

@robertodauria robertodauria marked this pull request as ready for review January 13, 2026 01:14
@bassosimone (Collaborator) left a comment

Surprising that the default is write, BTW 😅

@robertodauria robertodauria merged commit 7fedf43 into main Jan 13, 2026
6 checks passed
@robertodauria robertodauria deleted the fix/autofix-workflow-permissions branch January 13, 2026 17:41
