Finalising the new scp process #302
| # compile-spe: | ||
| # name: Build for PowerPC SPE cpus | ||
| # uses: ./.github/workflows/_compile.yml | ||
| # with: | ||
| # git_tag: ${{ github.event.release.tag_name }} | ||
| # gcc: 6 | ||
| # spe: "yes" | ||
| compile-spe: | ||
| name: Build for PowerPC SPE cpus | ||
| uses: ./.github/workflows/_compile.yml | ||
| with: | ||
| git_tag: ${{ github.event.release.tag_name }} | ||
| gcc: 6 | ||
| spe: "yes" | ||
| secrets: inherit |
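Review bot: secrets: inherit on the last line of the compile-spe job hands every secret available to this release workflow to ./.github/workflows/_compile.yml, and the job carries no permissions key. Pass only the secrets the build needs through an explicit secrets: mapping, and add a job-level permissions: block so the token the reusable workflow receives is scoped to what the compile steps use.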
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 months ago
To fix the problem, add an explicit permissions block to the workflow file. This can be done at the top level (applies to all jobs) or at the job level (for more granular control). The minimal starting point is to set permissions: {} at the workflow level, which disables all default permissions for the GITHUB_TOKEN. If any jobs require specific permissions (e.g., to read repository contents or create releases), those can be added as needed. In this case, since the jobs appear to only build and send notifications, the minimal block is likely sufficient. The change should be made at the top of the file, after the name and before on.
| @@ -1,3 +1,4 @@ | ||
| permissions: {} | ||
| name: Make a new release | ||
|
|
||
| on: |
|
|
||
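Review bot: permissions: {} is inserted on line 1, above name:, while the suggestion text places it after the name and before on; move it below the name: line so the hunk matches its description. An empty workflow-level block also caps the token of every job, including jobs that call a reusable workflow, so confirm that nothing in this release workflow needs contents access before applying it.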
| # announcements: | ||
| # needs: [compile-ppc, compile-spe] | ||
| # name: Notify on Discord on successful release | ||
| # runs-on: ubuntu-latest | ||
| # steps: | ||
| # - name: Notify on Discord on successful release | ||
| # uses: hunghg255/action-notifications@master | ||
| # with: | ||
| # discord_webhook: https://discord.com/api/webhooks/${{ secrets.DISCORD_ANNOUNCEMENTS_ID }}/${{ secrets.DISCORD_ANNOUNCEMENTS_TOKEN }} | ||
| # title: "clib4 ${{ github.event.release.tag_name }} released" | ||
| # description: "Check it out at: ${{ github.event.release.html_url }}" | ||
| announcements: | ||
| needs: [compile-ppc, compile-spe] | ||
| name: Notify on Discord on successful release | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Notify on Discord on successful release | ||
| uses: hunghg255/action-notifications@master | ||
| with: |
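Review bot: uses: hunghg255/action-notifications@master references a third-party action by a mutable branch, and the commented-out version of this step shows it receiving the Discord webhook ID and token from secrets. Pin the action to a full commit SHA so a later change on master cannot alter what runs with those secrets, and give the announcements job its own empty permissions block, since the visible step only posts to a webhook.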
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 months ago
To fix the problem, you should add a permissions block to the workflow file .github/workflows/makeRelease.yml. This block can be added at the top level (applies to all jobs) or at the job level (applies to individual jobs). The best way is to add it at the top level, just below the name and before the on block, to ensure all jobs inherit the least privilege unless overridden. For a release workflow that builds artifacts and sends notifications, the minimal permissions required are typically contents: read (to read repository contents) and possibly pull-requests: write if you create or update pull requests, but in this case, only reading contents is likely needed. If any job requires more permissions, you can override at the job level. For now, add:
permissions:
  contents: read

just after the name: line.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: Make a new release | ||
|
|
||
| on: |
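Review bot: contents: read in this hunk conflicts with the other autofix for the same file, which proposes permissions: {}; choose one workflow-level default rather than applying both. If the empty default is kept at the top, grant contents: read only on the jobs that check out the repository.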
No description provided.
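A small pre-merge check for the conditions CodeQL flags above, written as an added example (not code from this pull request or the clib4 project). It goes slightly beyond the alert by also reporting secrets: inherit and actions referenced by branch or tag; the sample workflow is constructed from the job snippets on this page, and its `on: release` trigger and the 2-space indentation are assumptions.

```python
import re
# Constructed sample assembled from the job snippets on this page.
# The `on:` trigger is an assumption; the page does not show it.
SAMPLE = """\
name: Make a new release
on: release
jobs:
  compile-spe:
    uses: ./.github/workflows/_compile.yml
    with:
      git_tag: ${{ github.event.release.tag_name }}
      gcc: 6
      spe: "yes"
    secrets: inherit
  announcements:
    runs-on: ubuntu-latest
    steps:
      - name: Notify on Discord on successful release
        uses: hunghg255/action-notifications@master
"""
PINNED = re.compile(r"@[0-9a-f]{40}$")  # full commit SHA, not a branch or tag

def audit_workflow(text):
    """Line-based audit (assumes 2-space indentation). Returns sorted (job, finding)."""
    findings, jobs, job_perms = set(), [], set()
    top_perms, in_jobs, job = False, False, ""
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        key = line.strip().lstrip("- ")        # list items: "- uses:" -> "uses:"
        if not key or key.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_jobs = key.startswith("jobs:")
            top_perms = top_perms or key.startswith("permissions:")
        elif not in_jobs:
            continue
        elif indent == 2:                      # a job id directly under jobs:
            job = key.rstrip(":")
            jobs.append(job)
        elif indent == 4 and key.startswith("permissions:"):
            job_perms.add(job)
        elif key == "secrets: inherit":
            findings.add((job, "secrets: inherit passes every caller secret"))
        elif key.startswith("uses:") and not key.startswith("uses: ./") and not PINNED.search(key):
            findings.add((job, "not pinned to a commit SHA: " + key[6:]))
    if not top_perms:  # mirrors the CodeQL finding: no workflow- or job-level block
        findings.update((j, "no permissions block") for j in jobs if j not in job_perms)
    return sorted(findings)
```

Calling `audit_workflow` on the text of `.github/workflows/makeRelease.yml` returns an empty list once a permissions block is present, the action is pinned to a SHA, and secrets are passed explicitly.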