Potential fix for code scanning alert no. 1: Workflow does not contain permissions #46

Merged
moshie merged 1 commit into main from update-performance-workflow-permissions
Dec 18, 2025

Conversation

@moshie
Owner

@moshie moshie commented Dec 18, 2025

Potential fix for https://github.com/moshie/deep-redact/security/code-scanning/1

The best way to fix the problem is to explicitly set the permissions key at either the workflow root or job level (for benchmark). Since only the benchmark job exists, either location suffices. The minimal required permissions must enable the actions that need them. In this workflow, the code is pushing to the gh-pages branch (using the provided github-token) and using the cache action, which requires contents: write for pushing workflow results (to gh-pages), plus actions: read and/or id-token: write depending on the caching implementation. However, strictly for pushing via GITHUB_TOKEN, contents: write is normally sufficient. The safest minimal starting point, as recommended, is:

permissions:
  contents: write

This should be added at the job level under benchmark:, just below name: Performance regression check.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
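As an added example (not code from the deep-redact repository or from Copilot Autofix), here is a small check for the condition behind the alert: jobs that have no `permissions` key at either the workflow root or the job level and therefore run with the repository's default GITHUB_TOKEN scope. The sample workflow is constructed to resemble the benchmark job described above, since the real workflow file is not shown on this page; the parser assumes consistent indentation within the file and a `jobs:` mapping at the root.

```python
# Added example, not code from the deep-redact repo. Assumes consistent indentation
# within the file and a `jobs:` mapping at the workflow root.
# Constructed sample modelled on the job the PR describes; the real file is not on the page.
WORKFLOW_BEFORE = """\
name: Performance
jobs:
  benchmark:
    name: Performance regression check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
# The fix from the PR description: job-level permissions just below the job's name.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "    name: Performance regression check\n",
    "    name: Performance regression check\n    permissions:\n      contents: write\n",
)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def parse_jobs(text):
    """Return (root_keys, {job_name: [direct child keys]}) from workflow YAML text."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    root_keys = {l.split(":", 1)[0] for l in lines if _indent(l) == 0}
    jobs, in_jobs, job_indent, key_indent, current = {}, False, None, None, None
    for line in lines:
        ind, key = _indent(line), line.strip().split(":", 1)[0]
        if ind == 0:
            in_jobs, current = key == "jobs", None
        elif in_jobs:
            job_indent = ind if job_indent is None else job_indent
            if ind == job_indent:  # a job name, e.g. `benchmark:`
                current, key_indent, jobs[key] = key, None, []
            elif current is not None:
                key_indent = ind if key_indent is None else key_indent
                if ind == key_indent:  # a job-level key such as `permissions:`
                    jobs[current].append(key)
    return root_keys, jobs


def jobs_missing_permissions(text):
    """Names of jobs that would run with the repository's default GITHUB_TOKEN scope."""
    root_keys, jobs = parse_jobs(text)
    if "permissions" in root_keys:
        return []  # a root-level block is the default for every job
    return [name for name, keys in jobs.items() if "permissions" not in keys]
```

Running `jobs_missing_permissions` over the "before" sample reports `benchmark`; over the patched sample it reports nothing, and a root-level `permissions:` block silences it for every job.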
@changeset-bot

changeset-bot bot commented Dec 18, 2025

⚠️ No Changeset found

Latest commit: 50434e3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@moshie moshie self-assigned this Dec 18, 2025
@github-actions
Contributor

github-actions bot commented Dec 18, 2025

Coverage Report

Status   Category     Percentage        Covered / Total
🔵       Lines        100% (🎯 100%)    83 / 83
🔵       Statements   100% (🎯 100%)    84 / 84
🔵       Functions    100% (🎯 100%)    8 / 8
🔵       Branches     100% (🎯 100%)    64 / 64

File Coverage: No changed files found.

Generated in workflow #61 for commit 50434e3 by the Vitest Coverage Report Action

@moshie moshie marked this pull request as ready for review December 18, 2025 20:38
@moshie moshie merged commit 1a001f9 into main Dec 18, 2025
8 checks passed
@moshie moshie deleted the update-performance-workflow-permissions branch December 18, 2025 20:38