
Commit 1042abe

Potential fix for code scanning alert no. 4: Workflow does not contain permissions (#44)
Potential fix for [https://github.com/qdequippe-tech/yousign-php-api/security/code-scanning/4](https://github.com/qdequippe-tech/yousign-php-api/security/code-scanning/4)

In general, to fix this issue you explicitly declare a `permissions` block either at the workflow root (applies to all jobs) or at the job level, and grant only the minimum scopes required.

For this workflow, the main sensitive operation is the `Create Pull Request` step using `peter-evans/create-pull-request@v8`. According to the action's documentation and GitHub's permission model, it needs `contents: write` to push branches/commits and `pull-requests: write` to open/update PRs. The earlier steps (checkout, dependency install, code generation, formatting) only need read access to repository contents.

The minimal, non-breaking change is to add a `permissions` block under the `check-spec` job, at the same indentation level as `name` and `runs-on`. That way, we don't affect any other workflows and we ensure this job has exactly the needed permissions.

Concretely, in `.github/workflows/diff-spec.yml`, after line 11 (`runs-on: ubuntu-latest`), insert:

```yaml
permissions:
  contents: write
  pull-requests: write
```

No imports or additional methods are needed because this is pure YAML configuration. Existing functionality is preserved: the job can still push generated changes and create/update pull requests, while no broader permissions are implicitly granted.

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent 1bce206 commit 1042abe

1 file changed

Lines changed: 3 additions & 0 deletions

.github/workflows/diff-spec.yml

@@ -9,6 +9,9 @@ jobs:
99
check-spec:
1010
name: Check SDK is in sync with spec
1111
runs-on: ubuntu-latest
12+
permissions:
13+
contents: write
14+
pull-requests: write
1215
steps:
1316
- name: Checkout
1417
uses: actions/checkout@v6
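Review bot: the `permissions` block at lines 12-14 is placed inside the `check-spec` job, so it scopes the token only for that job; because the hunk starts inside `jobs:` (header `@@ -9,6 +9,9 @@ jobs:`), it is not visible whether a root-level `permissions` block exists, meaning any other job in this file would still run with the repository's default token scopes. Consider adding a root-level `permissions:` with `contents: read` so every job starts read-only and only `check-spec` escalates to `contents: write` and `pull-requests: write`. A one-line YAML comment above `permissions:` naming the `Create Pull Request` step as the reason for the two write scopes would also keep the grant from being widened or dropped by a later edit, since all steps of the job (including `actions/checkout@v6`) share this token.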
