Skip to content

chore(ci): pin cicd-workflows reusable workflows to commit SHA #112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
AlexanderLanin wants to merge 1 commit into from
Closed

chore(ci): pin cicd-workflows reusable workflows to commit SHA #112

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/build_qnx.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ jobs:
fail-fast: false
matrix:
bazel-config: [bl-x86_64-qnx, bl-aarch64-qnx]
uses: eclipse-score/cicd-workflows/.github/workflows/qnx-build.yml@main
uses: eclipse-score/cicd-workflows/.github/workflows/qnx-build.yml@c1c90b1a82a1fab0fc202979dde6686b2162d5a8 # v0.0.0
permissions:
contents: read
pull-requests: read
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/copyright.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,4 +21,4 @@
types: [checks_requested]
jobs:
copyright-check:
uses: eclipse-score/cicd-workflows/.github/workflows/copyright.yml@main
uses: eclipse-score/cicd-workflows/.github/workflows/copyright.yml@c1c90b1a82a1fab0fc202979dde6686b2162d5a8 # v0.0.0

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 8 days ago

To fix the problem, explicitly declare a permissions: block that grants the minimal required access for this workflow. Since this workflow only triggers copyright checks using a reusable workflow and there is no evidence it needs to write to the repository, a safe minimal default is read‑only repository contents. This is typically expressed as permissions: contents: read at the workflow root so it applies to all jobs, including the copyright-check job that reuses another workflow.

Concretely, in .github/workflows/copyright.yml, add a permissions: section after the name: (or before jobs:) and set contents: read. This will ensure that, unless the reusable workflow further expands permissions, the GITHUB_TOKEN used by this workflow is restricted to reading repository contents only. No additional imports or external dependencies are needed; this is purely a YAML configuration change within the workflow file and does not alter existing functionality of the copyright checks.

Suggested changeset 1
.github/workflows/copyright.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/copyright.yml b/.github/workflows/copyright.yml
--- a/.github/workflows/copyright.yml
+++ b/.github/workflows/copyright.yml
@@ -11,6 +11,8 @@
 # SPDX-License-Identifier: Apache-2.0
 # *******************************************************************************
 name: Copyright checks
+permissions:
+  contents: read
 on:
   pull_request:
     types: [opened, reopened, synchronize]
EOF
@@ -11,6 +11,8 @@
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************
name: Copyright checks
permissions:
contents: read
on:
pull_request:
types: [opened, reopened, synchronize]
Copilot is powered by AI and may make mistakes. Always verify output.
2 changes: 1 addition & 1 deletion .github/workflows/format.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,8 @@
types: [checks_requested]
jobs:
formatting-check:
uses: eclipse-score/cicd-workflows/.github/workflows/format.yml@main
uses: eclipse-score/cicd-workflows/.github/workflows/format.yml@c1c90b1a82a1fab0fc202979dde6686b2162d5a8 # v0.0.0
clang-format:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/test_and_docs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ on:
types: [checks_requested]
jobs:
docs-verify:
uses: eclipse-score/cicd-workflows/.github/workflows/docs-verify.yml@main
uses: eclipse-score/cicd-workflows/.github/workflows/docs-verify.yml@c1c90b1a82a1fab0fc202979dde6686b2162d5a8 # v0.0.0
permissions:
pull-requests: write
contents: read
Expand All @@ -35,7 +35,7 @@ jobs:
# TODO skipping tests as we don't integrate test results in docs anyways
docs-build:
needs: [docs-verify]
uses: eclipse-score/cicd-workflows/.github/workflows/docs.yml@main
uses: eclipse-score/cicd-workflows/.github/workflows/docs.yml@c1c90b1a82a1fab0fc202979dde6686b2162d5a8 # v0.0.0
permissions:
contents: write
pages: write
Expand Down
Loading