Conversation
```yaml
    runs-on: [self-hosted, deploy]
    steps:
      - uses: actions/checkout@v4

      - name: Setup tools
        shell: bash
        run: |
          python3 -m pip install --upgrade pip
          pip install ansible
          sudo apt-get update -y || true
          sudo apt-get install -y jq || true

      - name: Download release artifacts (wheel) for tag
        env:
          GH_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          TAG="${{ inputs.tag }}"
          mkdir -p dist
          # Use GitHub CLI (preinstalled on many runners; if not, install it)
          if ! command -v gh >/dev/null 2>&1; then
            echo "gh CLI not found. Install gh on the deploy runner for best results."
            exit 1
          fi
          gh release download "$TAG" --dir dist --pattern "*.whl"
          ls -la dist
          WHEEL=$(ls dist/*.whl | head -n 1)
          echo "WHEEL=$WHEEL" >> "$GITHUB_ENV"

      - name: Deploy via Ansible
        env:
          ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
        shell: bash
        run: |
          echo "$ANSIBLE_VAULT_PASSWORD" > /tmp/.vault_pass
          VERSION="${{ inputs.tag }}"
          VERSION="${VERSION#v}"

          ansible-playbook -i ansible/inventory/${{ inputs.environment }}/hosts.ini \
            ansible/playbooks/site.yml \
            --extra-vars "pytrader_version=${VERSION} pytrader_wheel_src=${WHEEL}" \
            --vault-password-file /tmp/.vault_pass
```
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (severity: Medium)
Copilot Autofix
AI 2 months ago
To fix the problem, explicitly restrict the GITHUB_TOKEN permissions in this workflow to the minimum needed. In this case, the job needs to read repository contents and releases to download a wheel asset, and it does not perform any write operations via the GitHub API.
The best fix is to add a permissions: block at the workflow (root) level so that it applies to all jobs that don’t override it. We can set contents: read as recommended by CodeQL; this is sufficient for actions/checkout and gh release download to function. No other scopes (like issues, pull-requests, etc.) are required by the shown steps.
Concretely, in .github/workflows/deploy.yml, add a permissions: section after the name: deploy line and before the on: block. No additional imports or methods are needed since this is a YAML workflow configuration change only.
| @@ -1,5 +1,8 @@ | ||
| name: deploy | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
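Review bot: `contents: read` at the root is the correct minimum for the steps shown (`actions/checkout@v4` and `gh release download` of this repository's release asset via `GH_TOKEN: ${{ github.token }}`), and placing it before `on:` means every job without its own `permissions:` inherits it, so this hunk resolves the CodeQL finding. Two related points in the same file are worth fixing alongside it: the `Deploy via Ansible` step runs `echo "$ANSIBLE_VAULT_PASSWORD" > /tmp/.vault_pass` on a persistent self-hosted runner, which creates the file with the default umask (typically readable by other local users) and never deletes it, so prefix the write with `umask 077` and add an `if: always()` cleanup step that removes it; and `${{ inputs.tag }}` / `${{ inputs.environment }}` are expanded textually inside `run:` scripts, which should instead be passed through `env:` and referenced as quoted shell variables, since the `workflow_dispatch:` inputs introduced in this hunk are free text unless the (cut-off) input definitions constrain them.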
No description provided.
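A small audit script, added here as an illustration (it is not CodeQL's query and not part of this repository), that applies the two checks a reviewer would run against this workflow: a missing `permissions:` block at root or job level, and `${{ inputs.* }}` or `${{ github.event.* }}` expanded inside a `run: |` script instead of being passed through `env:`. The sample workflow it scans is constructed from the excerpt above, and its indentation-based walk assumes the usual two-space GitHub Actions layout rather than a full YAML parser.

```python
import re

# Constructed sample modelled on this PR's deploy.yml (not the real file): no `permissions:`, inputs expanded in `run:`.
SAMPLE_WORKFLOW = """\
name: deploy
jobs:
  deploy:
    steps:
      - env:
          GH_TOKEN: ${{ github.token }}
        run: |
          TAG="${{ inputs.tag }}"
          gh release download "$TAG" --dir dist --pattern "*.whl"
"""

_KEY = re.compile(r"^\s*(?:- )?([A-Za-z_][\w-]*):")
_EXPR = re.compile(r"\$\{\{\s*(?:inputs|github\.event)\.[^}]*\}\}")

def audit_workflow(text: str) -> dict[str, list[str]]:
    """Flag jobs lacking root/per-job `permissions` (default GITHUB_TOKEN scopes)
    and `${{ inputs.* }}` / `${{ github.event.* }}` expanded inside `run: |`."""
    root_perm, in_jobs, current = False, False, None
    job_indent = child_indent = run_indent = None
    jobs, inline = {}, []   # job name -> has own permissions block; findings
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and indent > run_indent:  # body of `run: |`
            if _EXPR.search(line):
                inline.append(f"line {n}: {line.strip()}")
            continue
        run_indent = None
        if not (m := _KEY.match(line)):
            continue
        key, is_item = m.group(1), line.lstrip().startswith("- ")
        if indent == 0:
            in_jobs, current = key == "jobs", None
            root_perm = root_perm or key == "permissions"
        elif in_jobs and not is_item:
            job_indent = job_indent or indent
            if indent == job_indent:                # a job name
                current, jobs[key] = key, False
            elif current and indent == (child_indent or indent):  # job's own keys
                child_indent = indent
                jobs[current] = jobs[current] or key == "permissions"
        if key == "run" and line.rstrip().endswith(("|", "|-", ">", ">-")):
            run_indent = indent
    missing = [] if root_perm else [j for j, ok in jobs.items() if not ok]
    return {"missing_permissions": missing, "inline_inputs": inline}
```

Applying the autofix from this PR (a root-level `permissions:` with `contents: read`) clears the first finding; the second stays until the inputs are moved to `env:`.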