chore(ci): pin cicd-workflows reusable workflows to commit SHA#112
AlexanderLanin wants to merge 1 commit into main from
| jobs: | ||
| copyright-check: | ||
| uses: eclipse-score/cicd-workflows/.github/workflows/copyright.yml@main | ||
| uses: eclipse-score/cicd-workflows/.github/workflows/copyright.yml@c1c90b1a82a1fab0fc202979dde6686b2162d5a8 # v0.0.0 |
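Review bot: the trailing `# v0.0.0` comment is the only thing that lets a reader (or update tooling) map the 40-character SHA back to a tag, so it has to be kept in sync whenever the SHA is bumped; please confirm that c1c90b1a82a1fab0fc202979dde6686b2162d5a8 is the commit the v0.0.0 tag in eclipse-score/cicd-workflows actually points to, because a comment that no longer matches the SHA is exactly the kind of silent drift this pinning is meant to remove.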
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 8 days ago:
To fix the problem, explicitly declare a permissions: block that grants the minimal required access for this workflow. Since this workflow only triggers copyright checks using a reusable workflow and there is no evidence it needs to write to the repository, a safe minimal default is read‑only repository contents. This is typically expressed as permissions: contents: read at the workflow root so it applies to all jobs, including the copyright-check job that reuses another workflow.
Concretely, in .github/workflows/copyright.yml, add a permissions: section after the name: (or before jobs:) and set contents: read. This will ensure that, unless the reusable workflow further expands permissions, the GITHUB_TOKEN used by this workflow is restricted to reading repository contents only. No additional imports or external dependencies are needed; this is purely a YAML configuration change within the workflow file and does not alter existing functionality of the copyright checks.
| @@ -11,6 +11,8 @@ | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
| # ******************************************************************************* | ||
| name: Copyright checks | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
| types: [opened, reopened, synchronize] |
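Review bot: a workflow-level `permissions: contents: read` also caps what the called reusable workflow can do, since a called workflow can only lower, never raise, the GITHUB_TOKEN permissions it receives from the caller; before taking this autofix, check the `permissions:` block declared by the pinned copyright.yml in eclipse-score/cicd-workflows (for example, anything that writes a comment to the pull request needs more than `contents: read`), otherwise the check would lose that ability after merge. Placing the block between `name:` and `on:` as shown is valid YAML and matches the suggestion text.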
The created documentation from the pull request is available at: docu-html

Merged in a3c843c
This PR is part of a large-scale CI refactoring across all S-CORE repositories.
See the tracking issue:
eclipse-score/cicd-workflows#75
It updates reusable workflow references from eclipse-score/cicd-workflows to the pinned commit SHA (tagged as v0.0.0):

c1c90b1a82a1fab0fc202979dde6686b2162d5a8 # v0.0.0

Only the @ref part of workflow calls is changed, for workflows under: eclipse-score/cicd-workflows/.github/workflows/*

Pinning reusable workflows to a commit SHA ensures stable and reproducible CI behavior instead of relying on a moving branch reference.
Part of eclipse-score/cicd-workflows#75
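As an added example (not part of this PR or of the cicd-workflows project), a small Python audit that scans a workflow file for `uses:` references to eclipse-score/cicd-workflows reusable workflows and flags any still on a branch ref or missing the trailing version comment; the sample workflow text, including the docs.yml reference, is constructed input.

```python
import re

# A job-level `uses:` of a reusable workflow: owner/repo/.github/workflows/file.yml@ref,
# optionally followed by a `# vX.Y.Z` comment recording the tag the SHA was taken from.
# Step-level action references (e.g. actions/checkout@v4) have no workflows path and are ignored.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*"
    r"(?P<repo>[\w.-]+/[\w.-]+)/(?P<path>\.github/workflows/[\w.-]+\.ya?ml)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<tag>v\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA, the only immutable ref


def audit_workflow(text: str, repo: str = "eclipse-score/cicd-workflows") -> list:
    """Return one finding per reusable-workflow reference to `repo`.

    status is 'unpinned' (branch/tag ref), 'missing-tag-comment' (SHA without `# vX.Y.Z`)
    or 'ok' (SHA plus version comment, the form this PR moves to).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group("repo") != repo:
            continue
        ref, tag = m.group("ref"), m.group("tag")
        if not SHA_RE.match(ref):
            status = "unpinned"
        elif tag is None:
            status = "missing-tag-comment"
        else:
            status = "ok"
        findings.append({"line": lineno, "path": m.group("path"), "ref": ref,
                         "tag": tag or "", "status": status})
    return findings


# Constructed sample: the reference before this PR, the pinned form after it, and a
# half-pinned variant (docs.yml is a made-up file name, not taken from the project).
SAMPLE_WORKFLOW = """\
jobs:
  copyright-check:
    uses: eclipse-score/cicd-workflows/.github/workflows/copyright.yml@main
  copyright-check-pinned:
    uses: eclipse-score/cicd-workflows/.github/workflows/copyright.yml@c1c90b1a82a1fab0fc202979dde6686b2162d5a8 # v0.0.0
  docs:
    uses: eclipse-score/cicd-workflows/.github/workflows/docs.yml@c1c90b1a82a1fab0fc202979dde6686b2162d5a8
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['path']}@{f['ref']} -> {f['status']}")
```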