Skip to content

Potential fix for code scanning alert no. 5: Workflow does not contain permissions#28

Merged
linus merged 1 commit into
mainfrom
alert-autofix-5
Dec 1, 2025
Merged

Potential fix for code scanning alert no. 5: Workflow does not contain permissions#28
linus merged 1 commit into
mainfrom
alert-autofix-5

Conversation

@linus

@linus linus commented Dec 1, 2025

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/linus/testy/security/code-scanning/5

To fix the problem, add a permissions block to the workflow file .github/workflows/npm.yml. This block should be placed at the root level (alongside name and on) to apply to all jobs unless overridden. For NPM publishing by workflow, write access to repo contents is not required; the workflow merely needs to be able to check-out code (read), install dependencies, run tests, and publish to npm (which is handled by the npm token and does not require GitHub API permissions). Therefore, the minimum required permission is likely contents: read. Insert the following block after name: NPM and before on::

permissions:
  contents: read

No additional imports, methods, or variable definitions are needed.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@linus linus marked this pull request as ready for review December 1, 2025 16:38
@linus linus merged commit 82a82ec into main Dec 1, 2025
13 checks passed
@linus linus deleted the alert-autofix-5 branch December 1, 2025 16:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant