Conversation
vjik commented Sep 23, 2025
| Q | A |
|---|---|
| Is bugfix? | ❌ |
| New feature? | ❌ |
| Breaks BC? | ❌ |
Codecov Report ❌ Patch coverage is

Additional details and impacted files:

```text
@@            Coverage Diff             @@
##             master      #47      +/-   ##
============================================
- Coverage     95.40%   95.23%   -0.17%
  Complexity       34       34
============================================
  Files             3        3
  Lines            87       84       -3
============================================
- Hits             83       80       -3
  Misses            4        4
```

☔ View full report in Codecov by Sentry.
|
| uses: yiisoft/actions/.github/workflows/rector.yml@master | ||
| secrets: | ||
| token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} | ||
| with: | ||
| repository: ${{ github.event.pull_request.head.repo.full_name }} | ||
| os: >- | ||
| ['ubuntu-latest'] | ||
| php: >- | ||
| ['8.4'] |
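Review bot: the `rector` job declares no `permissions:` block, so its automatic `GITHUB_TOKEN` keeps the repository's default scope even though the job runs on pull requests and hands `${{ github.event.pull_request.head.repo.full_name }}`, the PR author's head repository, to the reusable workflow. Add `permissions: contents: read` at the job level, right next to `uses:` and `with:`, and widen it only if the reusable workflow demonstrably needs more than read access.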
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Copilot Autofix (AI), 5 months ago
To fix this problem, the workflow should explicitly set the permissions block at the workflow or job level, specifying the minimum required access for the workflow to function. In the most secure configuration, set permissions: contents: read at the root, or within the specific job if different jobs have different needs. Because this workflow largely delegates to an external reusable workflow (via uses), the safest generic policy is to provide only read access unless a more specific write access is proven necessary for this action to work. The recommended best practice is to add a permissions block at the job level (right under the rector job—next to uses and with). By doing so, we minimize the token’s permissions for this job only, and can later expand them if downstream linter/rector steps require it.
To implement the fix:
- Insert the following block directly after the job name (`rector:`) or before `uses:`: `permissions: contents: read`
- If future requirements necessitate additional permissions (e.g., `pull-requests: write`), they can be added as new lines under `permissions`.
| @@ -13,6 +13,8 @@ | ||
|
|
||
| jobs: | ||
| rector: | ||
| permissions: | ||
| contents: read | ||
| uses: yiisoft/actions/.github/workflows/rector.yml@master | ||
| secrets: | ||
| token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} |
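Review bot: `contents: read` placed under `rector` is the correct minimal scope for a job that only delegates to a reusable workflow, and keeping it at the job level rather than the root means a later job with different needs will not silently inherit it. One caveat visible in this hunk: the `permissions` block restricts only the automatic `GITHUB_TOKEN`; the `secrets.YIISOFT_GITHUB_TOKEN` passed on the `token:` line is a stored secret whose scope was fixed when that token was issued, so its scope has to be reviewed separately from this change.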
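The CodeQL finding above is a static check: it looks for jobs that neither declare their own `permissions` block nor inherit one from the workflow root. The following Python script, added here as an example and not part of this pull request or the yiisoft project, reproduces that check with a line-based scan over three constructed workflows: one shaped like the `rector` job on this page, one with the suggested job-level fix, and one with a root-level block. The workflow texts, the `lint` job, and the function name `jobs_without_permissions` are assumptions made for the example; the scan handles the usual two-space-indented layout and is not a full YAML parser.

```python
import re

# Constructed sample workflows for this example (not the project's own files).
# The first mirrors the shape CodeQL flagged on this PR: a job that only calls a
# reusable workflow and declares no permissions block, so its GITHUB_TOKEN keeps
# the repository's default scope. The 'lint' job is a constructed contrast case.
WORKFLOW_NO_PERMISSIONS = """\
on:
  pull_request:
    paths:
      - 'src/**'
jobs:
  rector:
    uses: yiisoft/actions/.github/workflows/rector.yml@master
    secrets:
      token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
    with:
      repository: ${{ github.event.pull_request.head.repo.full_name }}
  lint:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - run: echo lint
"""

# The same workflow after the suggested fix: a job-level block that grants the
# rector job read access only.
WORKFLOW_JOB_PERMISSIONS = WORKFLOW_NO_PERMISSIONS.replace(
    "  rector:\n    uses:", "  rector:\n    permissions:\n      contents: read\n    uses:"
)

# Alternative fix: a root-level block, inherited by every job that does not override it.
WORKFLOW_ROOT_PERMISSIONS = "permissions:\n  contents: read\n" + WORKFLOW_NO_PERMISSIONS


def _indent(line):
    """Number of leading spaces on a line."""
    return len(line) - len(line.lstrip(" "))


def jobs_without_permissions(workflow_text):
    """Return the names of jobs that declare no permissions block and inherit none.

    Line-based scan for the usual two-space-indented workflow layout (assumption of
    this example, not a full YAML parser): root keys sit in column 0, job names at
    indent 2, and job keys such as 'permissions:' at indent 4.
    """
    lines = workflow_text.splitlines()
    # A root-level 'permissions:' key (column 0) covers every job in the workflow.
    if any(re.match(r"permissions:", line) for line in lines):
        return []
    in_jobs = False
    jobs = {}          # job name -> whether it declares its own permissions block
    current = None
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = _indent(line)
        if indent == 0:
            in_jobs = line.startswith("jobs:")
            current = None
            continue
        if not in_jobs:
            continue
        if indent == 2 and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            jobs[current] = False
        elif current is not None and indent == 4 and line.strip().startswith("permissions:"):
            jobs[current] = True
    return [name for name, covered in jobs.items() if not covered]


if __name__ == "__main__":
    for label, text in [("no permissions", WORKFLOW_NO_PERMISSIONS),
                        ("job-level fix", WORKFLOW_JOB_PERMISSIONS),
                        ("root-level fix", WORKFLOW_ROOT_PERMISSIONS)]:
        print(f"{label}: jobs lacking permissions -> {jobs_without_permissions(text)}")
```

Run as a script it reports `['rector']` for the unfixed workflow and an empty list for both fixed variants. The job-level placement is the one to prefer for a repository like this one, where the only job delegates to an external reusable workflow: a root-level block would also be inherited by any job added later, which hides the decision that the CodeQL finding asks the maintainer to make explicitly.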