Skip to content

Potential fix for code scanning alert no. 1: Workflow does not contain permissions#16

Merged
revarbat merged 1 commit into
mainfrom
alert-autofix-1
May 18, 2026
Merged

Potential fix for code scanning alert no. 1: Workflow does not contain permissions#16
revarbat merged 1 commit into
mainfrom
alert-autofix-1

Conversation

@revarbat

Copy link
Copy Markdown
Member

Potential fix for https://github.com/BelfrySCAD/openscad_parser/security/code-scanning/1

Add an explicit permissions block at the workflow root so every job gets least-privilege defaults, then keep/override per-job permissions where required.

Best fix here (without changing behavior):

  • In .github/workflows/publish.yml, add top-level:
    • permissions:
    • contents: read
  • Keep publish job’s existing permissions: id-token: write unchanged, since PyPI trusted publishing needs OIDC token write.
    This resolves the CodeQL finding for build and documents default token scope clearly.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@revarbat
revarbat marked this pull request as ready for review May 18, 2026 09:55
@revarbat
revarbat merged commit 07db7e0 into main May 18, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant