Skip to content

Potential fix for code scanning alert no. 4: Workflow does not contain permissions#11

Merged
johnpatrickroach merged 1 commit intomainfrom
alert-autofix-4
Mar 27, 2026
Merged

Potential fix for code scanning alert no. 4: Workflow does not contain permissions#11
johnpatrickroach merged 1 commit intomainfrom
alert-autofix-4

Conversation

@johnpatrickroach
Copy link
Copy Markdown
Owner

@johnpatrickroach johnpatrickroach commented Mar 27, 2026
edited by sourcery-ai bot
Loading

Potential fix for https://github.com/johnpatrickroach/better-anonymity/security/code-scanning/4

To fix this, explicitly restrict the GITHUB_TOKEN permissions for the workflow to the minimum required. This workflow only checks out code and uploads to PyPI using a separate secret, so it does not need any write permissions from GITHUB_TOKEN. The safest change is to set permissions: contents: read (or even permissions: {} at job level), but following CodeQL’s suggestion, we will use contents: read at the workflow root so it applies to all jobs.

Concretely, in .github/workflows/cd.yml, add a permissions: block near the top-level (alongside name and on). For example, insert:

permissions:
  contents: read

between the name: line and the on: block. This does not change any functionality of the workflow: it still checks out code and publishes to PyPI exactly as before, but the GITHUB_TOKEN will now be limited to read access to repository contents, satisfying the CodeQL rule and aligning with least-privilege principles. No new imports, steps, or methods are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by Sourcery

CI:

  • Set explicit read-only contents permissions for the Publish to PyPI workflow's GITHUB_TOKEN.

@johnpatrickroach @github-advanced-security
Potential fix for code scanning alert no. 4: Workflow does not contai…
8266c3a 
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: John Patrick Roach <johnpatrickroach1@gmail.com>
@sourcery-ai
Copy link
Copy Markdown

sourcery-ai bot commented Mar 27, 2026
edited
Loading

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR updates the GitHub Actions CD workflow to explicitly restrict the default GITHUB_TOKEN to read-only access to repository contents, addressing a CodeQL code scanning alert while preserving existing publish behavior.

File-Level Changes

Change Details Files
Restrict GitHub Actions workflow GITHUB_TOKEN permissions to least-privilege read-only contents access.
  • Add a top-level permissions block to the CD workflow YAML configuration.
  • Configure contents: read so the workflow’s GITHUB_TOKEN is limited to read-only access while keeping current steps and behavior unchanged.
 .github/workflows/cd.yml
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@johnpatrickroach johnpatrickroach marked this pull request as ready for review March 27, 2026 02:05
@johnpatrickroach johnpatrickroach merged commit 1b8f197 into main Mar 27, 2026
7 checks passed
@johnpatrickroach johnpatrickroach deleted the alert-autofix-4 branch March 27, 2026 02:05
sourcery-ai[bot]
sourcery-ai bot reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@johnpatrickroach