Potential fix for code scanning alert no. 2: Workflow does not contain permissions#7

Merged
JosunLP merged 1 commit into development from alert-autofix-2
Jan 23, 2026

Conversation

JosunLP (Collaborator) commented Jan 23, 2026

Potential fix for https://github.com/bQuery/bQuery/security/code-scanning/2

In general, the fix is to add explicit permissions blocks to jobs (or at the workflow root) so that GITHUB_TOKEN has only the minimal rights required. For simple build/test jobs that only need to fetch source via actions/checkout, contents: read is sufficient. Jobs that publish packages or deploy pages can retain their more permissive, already-declared permissions.

For this workflow, we should add permissions: contents: read to the build and build-docs jobs. This keeps existing functionality unchanged: actions/checkout@v4 works with contents: read, and the rest of the steps only run local commands (bun install, bun test, bun run build, bun run build:docs, actions/upload-pages-artifact@v3) that do not require extra GitHub permissions. The publish-npm and deploy-pages jobs already have appropriate explicit permissions and should be left as is.

Concretely:

  • In .github/workflows/npm-publish.yml, under jobs.build, insert:
    permissions:
      contents: read
    at the same indentation level as runs-on.
  • Under jobs.build-docs, also insert:
    permissions:
      contents: read
    at the same level as runs-on.

No additional imports, methods, or external definitions are required, since this is purely a workflow-YAML change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
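The job-level change described in the PR, shown in the context of a complete workflow. This is an added illustration, not the repository's own npm-publish.yml: the build and build-docs jobs reproduce the steps the description names (actions/checkout@v4, bun install, bun test, bun run build, bun run build:docs, actions/upload-pages-artifact@v3), while the trigger, the Bun and Node setup actions, the artifact path, the secret name and the exact permission sets of publish-npm and deploy-pages are assumptions standing in for contents the PR does not show. The workflow-level permissions default is also an addition beyond what the PR changes.

```yaml
# Added example, not the project's file. Anything marked "assumed" is not from the PR.
name: Publish

on:
  push:
    tags: ['v*']                      # assumed trigger

# Read-only default for any job that does not declare its own block, so a job
# added later without thinking about permissions does not fall back to the
# repository's default token rights. A job-level block replaces this whole set
# rather than merging with it, so every job below lists all it needs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read                  # enough for actions/checkout
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2    # assumed; the PR does not show the Bun setup step
      - run: bun install
      - run: bun test
      - run: bun run build

  build-docs:
    runs-on: ubuntu-latest
    permissions:
      contents: read                  # upload-pages-artifact needs no extra token scope
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2    # assumed
      - run: bun install
      - run: bun run build:docs
      - uses: actions/upload-pages-artifact@v3
        with:
          path: docs/dist             # assumed output directory

  publish-npm:
    needs: build
    runs-on: ubuntu-latest
    permissions:                      # assumed set; the PR only says these are already declared
      contents: read
      id-token: write                 # OIDC token, required for npm --provenance
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2    # assumed
      - uses: actions/setup-node@v4   # assumed; writes the .npmrc that reads NODE_AUTH_TOKEN
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: bun install
      - run: bun run build
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name

  deploy-pages:
    needs: build-docs
    runs-on: ubuntu-latest
    permissions:                      # assumed set; the minimum actions/deploy-pages needs
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - id: deployment
        uses: actions/deploy-pages@v4
```

Two checks are worth doing after a change like this. First, open the "Set up job" section of each job's log: it prints the GITHUB_TOKEN permissions actually granted, so the effect of the block can be confirmed rather than assumed. Second, remember that a job-level permissions block overrides the entire default set, not individual keys, so a job that declares only contents: read loses, for example, pull-requests: write even if the repository default would have granted it; any step that later fails with a 403 from the API is the signal to add the specific scope rather than to remove the block.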
@JosunLP JosunLP changed the base branch from main to development January 23, 2026 23:06
@JosunLP JosunLP marked this pull request as ready for review January 23, 2026 23:07
Copilot AI review requested due to automatic review settings January 23, 2026 23:07
@JosunLP JosunLP merged commit b90eff2 into development Jan 23, 2026
8 checks passed
@JosunLP JosunLP deleted the alert-autofix-2 branch January 23, 2026 23:07
Copilot AI (Contributor) left a comment

Pull request overview

Reduces default GITHUB_TOKEN privileges in the npm publish workflow to address the code scanning alert about missing explicit workflow/job permissions.

Changes:

  • Adds permissions: contents: read to the build job.
  • Adds permissions: contents: read to the build-docs job.
