Skip to content

Potential fix for code scanning alert no. 4: Workflow does not contain permissions#157

Merged
duanemay merged 1 commit into
mainfrom
alert-autofix-4
Jul 9, 2026
Merged

Potential fix for code scanning alert no. 4: Workflow does not contain permissions#157
duanemay merged 1 commit into
mainfrom
alert-autofix-4

Conversation

@strehle

@strehle strehle commented Jul 9, 2026

Copy link
Copy Markdown
Member

Potential fix for https://github.com/cloudfoundry/cf-uaac/security/code-scanning/4

Add an explicit permissions block to the workflow so all jobs default to least privilege.
Best fix here: define at workflow root (right after on: block, before jobs:) with:

  • contents: read

This preserves existing behavior (checkout + test execution) while documenting and enforcing token scope regardless of repo/org defaults or future workflow reuse.

File to edit:

  • .github/workflows/ruby.yml
    Region: between the trigger section (on: ...) and jobs:.

No imports, methods, or dependencies are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-project-automation github-project-automation Bot moved this from Inbox to Pending Merge | Prioritized in Foundational Infrastructure Working Group Jul 9, 2026
@duanemay duanemay merged commit e1f11bd into main Jul 9, 2026
8 checks passed
@github-project-automation github-project-automation Bot moved this from Pending Merge | Prioritized to Done in Foundational Infrastructure Working Group Jul 9, 2026
@strehle strehle deleted the alert-autofix-4 branch July 10, 2026 16:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

2 participants