Skip to content

Potential fix for code scanning alert no. 5: Workflow does not contain permissions #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 28, 2025
Merged

Potential fix for code scanning alert no. 5: Workflow does not contain permissions #30

merged 1 commit into from
Nov 28, 2025

Conversation

@bnbong
Copy link
Owner

@bnbong bnbong commented Nov 28, 2025

Potential fix for https://github.com/bnbong/FastAPI-fastkit/security/code-scanning/5

The optimal fix is to add the permissions key to the workflow file, specifying the principle of least privilege. For most CI workflows, contents: read is sufficient unless writing to the repository or managing issues/pull-requests. In this case, since the steps involve checking out code, running tests, and uploading coverage information (to Codecov, an external service, not GitHub), contents: read is likely sufficient. If in the future you need to interact with issues, pull requests, or other resources, you can extend with those granular permissions. The change should be applied at the root level of the workflow for clarity and maintainability. The edit is to insert the following lines after name: Test and Coverage in .github/workflows/test.yml:

permissions:
  contents: read

No additional methods or imports are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@bnbong @github-advanced-security
Potential fix for code scanning alert no. 5: Workflow does not contai…
e6ef751 
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions github-actions bot added the template Add or editing a FastAPI template label Nov 28, 2025
@bnbong bnbong requested a review from Copilot November 28, 2025 07:25
Copilot finished reviewing on behalf of bnbong November 28, 2025 07:26
@bnbong bnbong added chore Improvements or additions to non-code features automated and removed template Add or editing a FastAPI template labels Nov 28, 2025
@bnbong bnbong marked this pull request as ready for review November 28, 2025 07:29
@bnbong bnbong merged commit 4caff8b into main Nov 28, 2025
19 checks passed
@codecov
Copy link

codecov bot commented Nov 28, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot

Assignees

No one assigned

Labels

automated chore Improvements or additions to non-code features

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bnbong