Rename OpenGood org references, add Claude Code, Neo4j packages #29
| jobs: | ||
| build: | ||
| uses: opengood-aio/central-workflows/.github/workflows/bash-bats-build.yml@main | ||
| uses: opengood-ai/central-workflows/.github/workflows/bash-bats-build.yml@main |
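Review bot: the renamed "uses:" line still points at the reusable workflow by the mutable "@main" ref, so after this rename every commit to the main branch of opengood-ai/central-workflows runs in this repository's CI without review here; pin it to a full commit SHA (with a version comment) and bump deliberately. Since this PR exists to move references off "opengood-aio", it is also worth confirming that no other workflow still uses the old org name: GitHub's redirect for a renamed organization only holds until someone else registers that name, after which a stale "uses:" reference resolves to whoever owns it.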
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix
AI about 1 month ago
To fix the issue, explicitly define permissions for the workflow so that the GITHUB_TOKEN has only the minimal scopes required. Since this workflow delegates all work to a reusable workflow and we have no evidence that it needs write access, the safest default is to grant read-only access to repository contents and packages at the workflow root. This will apply to all jobs (including this build job) unless they define their own permissions block.
Concretely, in .github/workflows/build.yml, insert a permissions block between the name: and the on: sections. Use:
    permissions:
      contents: read
      packages: read

This follows GitHub’s recommended minimal starting point, aligns with the example in the problem description, and does not change existing CI logic—only the token’s allowed operations are restricted, which is unlikely to break a typical build/test workflow that should not be modifying repository state.
| @@ -1,5 +1,9 @@ | ||
| name: build | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
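Review bot: "packages: read" on the third added line is only needed if the called bash-bats-build.yml pulls something from GitHub Packages (a container image, for example); if it does not, "contents: read" alone is the minimal set. Because this file is a caller of a reusable workflow, whatever is set here is the ceiling for the GITHUB_TOKEN inside the called workflow, which can only narrow those permissions, not widen them, so verify against the called workflow rather than the caller. Placing the block at the root is the right choice for this file, since the single job declares no permissions of its own.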
No description provided.
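A checker for the rule behind the CodeQL finding above, added here as an example that is not part of this PR or of the opengood-ai projects: the sample workflows are constructed to mirror build.yml before and after the suggested block, and the check is a simplified line-based one rather than CodeQL's own query.

```python
"""Simplified check for the CodeQL finding "Workflow does not contain permissions":
a workflow passes if it has a root-level `permissions:` or every job declares its
own. Line-based, not a YAML parser; assumes 2-space indentation as on this page."""
from typing import Dict, List

# Constructed sample: build.yml from the PR before the autofix.
BEFORE = """\
name: build

on:
  push:
    branches:
      - main
jobs:
  build:
    uses: opengood-ai/central-workflows/.github/workflows/bash-bats-build.yml@main
"""
# Constructed sample: the same file with the suggested root-level block inserted.
AFTER = BEFORE.replace("on:", "permissions:\n  contents: read\n  packages: read\n\non:", 1)
# Constructed sample: no root block; `build` covers itself, `test` does not.
JOB_LEVEL = """\
jobs:
  build:
    permissions:
      contents: read
    uses: opengood-ai/central-workflows/.github/workflows/bash-bats-build.yml@main
  test:
    runs-on: ubuntu-latest
"""


def workflow_permission_gaps(text: str) -> List[str]:
    """Return jobs with no effective permissions block; [] means the check passes."""
    root_permissions = False
    jobs: Dict[str, bool] = {}
    in_jobs, current_job = False, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments carry no keys
        indent = len(raw) - len(raw.lstrip(" "))
        key = raw.strip().split(":", 1)[0]
        if indent == 0:  # top-level key; a scalar `permissions: read-all` counts too
            in_jobs = key == "jobs"
            root_permissions = root_permissions or key == "permissions"
        elif in_jobs and indent == 2:  # a job name under `jobs:`
            current_job = key
            jobs[key] = False
        elif in_jobs and indent == 4 and current_job and key == "permissions":
            jobs[current_job] = True  # job-level block overrides the root one
    return [] if root_permissions else [j for j, ok in jobs.items() if not ok]
```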