Skip to content

Potential fix for code scanning alert no. 4: Workflow does not contain permissions#2322

Merged
andyleejordan merged 1 commit into
mainfrom
alert-autofix-4
Jun 22, 2026
Merged

Potential fix for code scanning alert no. 4: Workflow does not contain permissions#2322
andyleejordan merged 1 commit into
mainfrom
alert-autofix-4

Conversation

@andyleejordan

Copy link
Copy Markdown
Member

Potential fix for https://github.com/PowerShell/PowerShellEditorServices/security/code-scanning/4

Add an explicit permissions block to .github/workflows/ci-test.yml at the workflow root (after on: and before jobs:) so it applies to all jobs unless overridden. For this workflow, the minimal safe baseline is:

  • contents: read (needed for checkout)
  • actions: read (safe explicit read for Actions metadata)

This preserves behavior while ensuring the token is constrained and documented. No imports/methods/dependencies are needed since this is YAML configuration only.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@andyleejordan
andyleejordan marked this pull request as ready for review June 18, 2026 21:07
@andyleejordan
andyleejordan requested a review from a team as a code owner June 18, 2026 21:07
Copilot AI review requested due to automatic review settings June 18, 2026 21:07
@andyleejordan
andyleejordan enabled auto-merge (squash) June 18, 2026 21:07

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses code scanning alert #4 ("Workflow does not contain permissions") by adding an explicit least-privilege permissions block to .github/workflows/ci-test.yml. Previously the workflow relied on the default GITHUB_TOKEN permission set; this change constrains the token to read-only scopes, which is a standard GitHub Actions security hardening practice.

Changes:

  • Add a workflow-root permissions block granting contents: read (for checkout) and actions: read.
  • Scope applies to all jobs since it's defined at the workflow root, with no behavioral change to the existing CI job.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@andyleejordan andyleejordan added the Ignore Exclude from the changelog. label Jun 22, 2026
@andyleejordan
andyleejordan disabled auto-merge June 22, 2026 19:12
@andyleejordan
andyleejordan merged commit 339b581 into main Jun 22, 2026
9 of 10 checks passed
@andyleejordan
andyleejordan deleted the alert-autofix-4 branch June 22, 2026 19:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Ignore Exclude from the changelog.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants