vjik commented Sep 21, 2025
| Q | A |
|---|---|
| Is bugfix? | ❌ |
| New feature? | ❌ |
| Breaks BC? | ❌ |
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

```diff
@@ Coverage Diff @@
## master #44 +/- ##
============================================
+ Coverage 91.95% 95.40% +3.44%
  Complexity 34 34
============================================
  Files 3 3
  Lines 87 87
============================================
+ Hits 80 83 +3
+ Misses 7 4 -3
```

☔ View full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
| uses: yiisoft/actions/.github/workflows/bc.yml@master | ||
| with: | ||
| os: >- | ||
| ['ubuntu-latest'] | ||
| php: >- | ||
| ['8.4'] |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To fix the problem, you should add a `permissions` block that explicitly limits the permissions available to the workflow. The best approach is to add this block at the workflow (top) level unless you know the job requires more elevated permissions than read-only. Since the job appears to merely check backward compatibility via a reusable workflow and likely does not need to write to the repository or create/update pull requests, a minimal `contents: read` permission is the least privileged and safest starting point. You should insert the following block near the top of the file, immediately after the `name:` property (line 25), so it applies to all jobs in the workflow:

```yaml
permissions:
  contents: read
```

No additional methods, definitions, or library installations are necessary—just this single insertion.
| @@ -22,6 +22,8 @@ | ||
| - 'psalm.xml' | ||
|
|
||
| name: backwards compatibility | ||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| roave_bc_check: |
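Review bot: the workflow-level `contents: read` added after `name:` also sets every unlisted token scope to none for `roave_bc_check`, and a called reusable workflow cannot raise its token above what the caller grants. Confirm the BC check still passes with this token; if it turns out to need another scope, grant it on the `roave_bc_check` job instead of widening the workflow-level block.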
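An added example, not code from this PR or from CodeQL: a small Python check for the condition the alert above reports, run over a constructed workflow modelled on the one shown here. The function name and sample text are assumptions, and the scan is indentation-based rather than a full YAML parser.

```python
import re

# Matches "key:" mapping lines; list items and block-scalar bodies do not match.
KEY = re.compile(r"^( *)([A-Za-z_][\w-]*) *:")

def jobs_without_permissions(workflow_text):
    """Return the jobs that would run with the repository's default token scopes.

    A job is covered when the workflow has a top-level `permissions:` key
    or the job declares its own block.
    """
    top_level = False
    jobs = {}                     # job name -> declares its own permissions
    section = job = None
    job_indent = key_indent = None
    for raw in workflow_text.splitlines():
        m = KEY.match(raw)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:           # top-level key: name, on, permissions, jobs
            section, job = key, None
            top_level = top_level or key == "permissions"
        elif section == "jobs":
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:      # a job id
                job, key_indent = key, None
                jobs[job] = False
            elif job is not None:
                if key_indent is None:
                    key_indent = indent   # indentation of the job's own keys
                if indent == key_indent and key == "permissions":
                    jobs[job] = True
    return [] if top_level else [j for j, ok in jobs.items() if not ok]

# Constructed sample modelled on the workflow in this PR (not the real file).
BEFORE = """\
name: backwards compatibility
on:
  pull_request:
jobs:
  roave_bc_check:
    uses: yiisoft/actions/.github/workflows/bc.yml@master
    with:
      os: >-
        ['ubuntu-latest']
"""
AFTER = BEFORE.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)
```

`jobs_without_permissions(BEFORE)` names the uncovered job, and the same call on `AFTER` returns an empty list.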