* Update from upstream - 2026-03-18
* Update from upstream - 2026-03-18
* Update from upstream - 2026-03-18
* Update from upstream - 2026-03-19
* Update from upstream - 2026-03-19
* Potential fix for code scanning alert no. 7: Workflow does not contain permissions
  Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Update from upstream - 2026-03-27
* Update from upstream - 2026-03-30
---------
Co-authored-by: lambda-tooling+rie <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Excerpt of the workflow the alert points at (.github/workflows/validate-branch-into-main.yaml):

```yaml
    runs-on: ubuntu-latest
    steps:
      - name: Check source branch
        run: |
          SOURCE_BRANCH="${{ github.head_ref }}"
          if [[ "$SOURCE_BRANCH" != "develop" ]]; then
            echo "Error: Only pull requests from develop branch are allowed into main"
            echo "Current source branch ($SOURCE_BRANCH)."
            exit 1
          fi
          echo "Source branch is develop - merge allowed"
```
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Copilot Autofix (AI), 4 days ago:
In general, this problem is fixed by explicitly defining a permissions: block for the workflow or for individual jobs, granting only the minimal scopes required. For a job that only reads context information (like github.head_ref) and doesn't interact with repository contents, PRs, or issues, the least-privilege configuration is to set contents: read at the workflow or job level (or even permissions: {} if no GitHub API access is needed, but contents: read is a common safe baseline).

For this specific file, the simplest non-breaking fix is to add a root-level permissions: block that applies to all jobs. The workflow only reads metadata and performs shell logic, so we can restrict the token to read-only repository contents. Concretely, in .github/workflows/validate-branch-into-main.yaml, insert:

```yaml
permissions:
  contents: read
```

between the name: section and the on: block (e.g., after line 2), leaving all job and step definitions unchanged. No imports or additional methods are needed since this is just a YAML configuration change and does not affect the workflow's behavior.
| @@ -1,5 +1,8 @@ | ||
| name: Validate PR Branch into Main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: |
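Review bot: the root-level block added at the top of this hunk grants contents: read, but the only job in this workflow never calls the GitHub API (no checkout, no gh or REST calls, just a shell comparison on github.head_ref), so permissions: {} would be the stricter choice and still not break anything; the autofix text itself notes that option. If contents: read is kept on purpose as a baseline, put a one-line YAML comment above the block saying why, so the next reader does not wonder what a job with no checkout step needs repository read access for.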
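The complete workflow with the fix applied, as an added example (this is not the project's file and not the autofix output). It assumes the file path and workflow name shown in the autofix comment, a target branch of main (taken from the job's own error message; the branches: value itself is cut off above), and a job id of validate-source-branch, which the excerpt does not show. Beyond the permissions block the alert asks for, it also moves github.head_ref out of the run: script body into an env: entry. GitHub's Actions hardening guidance treats head_ref as untrusted input because the PR author chooses the branch name, and an expression inside run: is substituted into the script text before the shell executes it, whereas an environment variable is read as data.

```yaml
# Added example, not the project's own workflow file.
# Assumed: file path .github/workflows/validate-branch-into-main.yaml,
# target branch "main", and the job id below.
name: Validate PR Branch into Main

# Least privilege for GITHUB_TOKEN. This job makes no API calls at all, so
# `permissions: {}` would be the strictest setting; `contents: read` is the
# baseline the autofix proposes and is what the alert is satisfied by.
permissions:
  contents: read

on:
  pull_request:
    branches:
      - main   # assumed from the error message "allowed into main"

jobs:
  validate-source-branch:   # job id is assumed; the excerpt does not show it
    runs-on: ubuntu-latest
    steps:
      - name: Check source branch
        # Hand the branch name to the shell as an environment variable.
        # `${{ }}` is expanded into the script text before bash runs it, so a
        # branch name containing shell metacharacters would become code; an
        # env var is only ever read as a string.
        env:
          SOURCE_BRANCH: ${{ github.head_ref }}
        run: |
          if [[ "$SOURCE_BRANCH" != "develop" ]]; then
            echo "Error: Only pull requests from develop branch are allowed into main"
            echo "Current source branch ($SOURCE_BRANCH)."
            exit 1
          fi
          echo "Source branch is develop - merge allowed"
```

The comparison logic is unchanged from the excerpt; only where the value comes from differs. Keeping the branch filter on pull_request (not pull_request_target) matters too: the job then runs with the token scoped by the permissions block above and without access to repository secrets for fork PRs.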
Issue #, if available:
Description of changes:
Merging changes from develop branch to main branch
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.