Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Copilot Autofix (AI, 13 days ago):
In general, the fix is to explicitly define a permissions: block either at the workflow root (applies to all jobs) or inside the specific job. Since this workflow only defines a single job (approve) that simply calls a reusable workflow, the cleanest approach is to add a root-level permissions: section that grants only read access to repository contents, which is usually sufficient for Renovate approval logic driven by another workflow. If the reusable workflow needs additional scopes, they can be added there; here we keep the caller minimal.

Concretely, in .github/workflows/renovate-approve.yml, insert a permissions: block after the name: line and before on:. Use a minimal least-privilege setting such as:

This ensures the GITHUB_TOKEN used by this workflow is explicitly limited and no longer depends on potentially broad repository defaults. No imports or additional methods are needed; only the YAML structure changes.
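The caller workflow in the shape the autofix describes, written here as an added example rather than the repository's actual renovate-approve.yml; the pull_request trigger and the reusable workflow reference are assumed placeholders, and only the permissions block and the single approve job come from the comment above.

```yaml
# Added example, not the project's own file: .github/workflows/renovate-approve.yml
# after a root-level permissions block has been inserted between name: and on:.
# Assumed: the trigger and the reusable workflow path are placeholders.
name: renovate-approve

# Explicit grant for GITHUB_TOKEN. Once any scope is listed here, every scope that
# is not listed is set to "none", so the token no longer inherits the repository's
# default (which may be read-write across all scopes).
permissions:
  contents: read

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  approve:
    # Placeholder: the page does not show which reusable workflow is called.
    uses: EXAMPLE-ORG/EXAMPLE-REPO/.github/workflows/EXAMPLE-reusable.yml@main
    # Caveat: a called reusable workflow cannot receive more than the caller grants.
    # If its jobs need another scope (for example pull-requests: write to approve a
    # PR), that scope must also be listed in the permissions block above.
```

Running CodeQL's actions queries again after this change is the check that the "Workflow does not contain permissions" finding is resolved for this file.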