
Potential fix for code scanning alert no. 1: Workflow does not contain permissions#362

Open
garloff wants to merge 4 commits into main from fix/action-permission-autofix-1

Conversation

@garloff garloff commented Dec 17, 2025

Potential fix for https://github.com/SovereignCloudStack/github-manager/security/code-scanning/1

To fix this issue, explicitly declare a permissions block to restrict the default power of the GITHUB_TOKEN for this workflow. Place it at the root level (top of the YAML, below the name: and on: blocks) so it applies to all jobs unless overridden. Since no steps require write access via the GITHUB_TOKEN, setting permissions: { contents: read } ensures only read access to repository contents, following the principle of least privilege.

Change to make:

  • At the root of .github/workflows/manage-github-repositories.yml (after name: or after on:), add:
    permissions:
      contents: read
  • No other files or lines need changing, as no elevated permissions are required by the visible workflow steps.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
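The change described above, laid out as a before/after of a workflow file. This is an added illustration, not the project's own `manage-github-repositories.yml`; the job names, the test step and the optional commenting job are placeholders, and the workflow name is taken from the action title mentioned later in this thread.

```yaml
# BEFORE (illustrative): no permissions block at all.
# GITHUB_TOKEN then receives the repository's default token permissions,
# which unless the repository or organization default has been set to
# "restricted" means read/write on every scope -- far more than a test job needs.
name: Test the management of github repositories
on:
  pull_request:
  workflow_dispatch:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./run-tests.sh          # placeholder step

---
# AFTER: the fix from the PR description. A root-level permissions block sits
# between "on:" and "jobs:"; every job inherits contents: read, and every scope
# not listed (issues, pull-requests, packages, id-token, ...) becomes "none".
name: Test the management of github repositories
on:
  pull_request:
  workflow_dispatch:

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./run-tests.sh          # placeholder step

  # If one job genuinely needs more, override at job level and name only the
  # extra scope, rather than widening the root block for all jobs.
  comment:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr comment "$PR" --body "tests passed"   # placeholder step
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```

Two points worth keeping in mind when reviewing a fix like this. First, the `permissions:` block shapes only `GITHUB_TOKEN`, which is scoped to the repository the workflow runs in; none of its scopes allow creating repositories or managing organization members, so a workflow that does those things must already be authenticating with a separate credential (a PAT or GitHub App installation token stored as a secret), and restricting `GITHUB_TOKEN` to `contents: read` does not take that capability away. Second, the reliable check that the block is sufficient is not reading the steps but running the workflow from the branch and confirming no step fails with a 403 on the token, which is what the later comment in this thread reports.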

garloff and others added 3 commits December 17, 2025 09:25
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Kurt Garloff <kurt@garloff.de>

@garloff garloff left a comment


Honestly, it's hard for me to judge.
I understand that gh-manager needs the ability to create repositories and to manage users -- and I don't find any matching permissions.
Does any gh pro want to provide advice?

@garloff garloff marked this pull request as ready for review February 16, 2026 08:40
@garloff garloff requested a review from a team as a code owner February 16, 2026 08:40

garloff commented Feb 16, 2026

The "Test the management of github repositories" action (from @scoopex) succeeds on this branch, see
https://github.com/SovereignCloudStack/github-manager/actions/runs/22055780840/job/63723343667
I guess that means it's good to go?
