* Feature/111 test1 (#44)
* Update README.md
* Fix branch
* Fix docker tag
* Other image tag
* Feature/111 test1 (#44)
* Update README.md
* Fix branch
* Update dev from main (#47)
* Release/v2.0.0 (#45)
* Feature/111 test1 (#44)
* Update README.md
* Fix branch
* Fix docker tag
* Other image tag
* Change tag regex (#46)
* Change container tag release
* Update docker-publish.yml
* Update README.md
Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Snapshot Warnings
Ensure that dependencies are being submitted on PR branches. Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.
Scanned Files
None
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Validate PR to main | ||
| if: github.base_ref == 'main' | ||
| run: | | ||
| SOURCE_BRANCH="${{ github.head_ref }}" | ||
| echo "PR Source Branch: $SOURCE_BRANCH" | ||
| echo "PR Target Branch: ${{ github.base_ref }}" | ||
|
|
||
| # Check if branch matches release/v{major}.{minor}.{patch} or hotfix/v{major}.{minor}.{patch} | ||
| if [[ ! "$SOURCE_BRANCH" =~ ^(release|hotfix)/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | ||
| echo "ERROR: PRs to main are only allowed from branches matching:" | ||
| echo " - release/v{major}.{minor}.{patch}" | ||
| echo " - hotfix/v{major}.{minor}.{patch}" | ||
| echo "Example: release/v1.2.3 or hotfix/v1.2.4" | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "✓ Branch validation passed" | ||
|
|
||
| - name: Print PR info | ||
| run: | | ||
| echo "PR Source Branch: ${{ github.head_ref }}" | ||
| echo "PR Target Branch: ${{ github.base_ref }}" | ||
| echo "From: ${{ github.head_ref }} -> To: ${{ github.base_ref }}" | ||
|
|
||
| echo "PR Reviewers:" | ||
| echo "Full PR JSON:" | ||
| echo '${{ toJson(github.event.pull_request) }}' |
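Review bot: the `run:` scripts in this hunk interpolate untrusted pull-request data directly into shell source, which is the script-injection pattern GitHub warns about for `pull_request`-triggered workflows. `SOURCE_BRANCH="${{ github.head_ref }}"` and `echo '${{ toJson(github.event.pull_request) }}'` are both expanded by the runner before bash parses the script, so a head branch name or a PR title/body that contains a quote or `$(...)` alters the command rather than being treated as data; the single quotes around the JSON do not help, because a `'` inside the body closes them. Pass these values through `env:` instead (`env: SOURCE_BRANCH: ${{ github.head_ref }}` and then `"$SOURCE_BRANCH"` in the script; likewise `PR_JSON: ${{ toJson(github.event.pull_request) }}` printed with `printf '%s\n' "$PR_JSON"`), which leaves the `release|hotfix` regex check working unchanged. Two smaller points: `echo "PR Reviewers:"` prints a heading with nothing after it, and dumping the entire PR object into the job log permanently records author details and body text, so consider printing only the fields this job actually uses.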
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 2 months ago
To fix the problem, we should explicitly declare permissions for the workflow/job so that the GITHUB_TOKEN is limited to the minimal required scopes. Since this workflow only needs to read pull request metadata and other context (which is covered by the built-in GITHUB_TOKEN with contents: read and default read access to PR data), we can safely restrict permissions to read-only on contents. We do not see any operations that write to issues, pull requests, contents, or other resources.
The best minimal fix without changing functionality is to add a permissions: block at the workflow root (top level, alongside name: and on:), so it applies to all jobs in this workflow. We will set contents: read, which is sufficient for reading repository content and leaves all write scopes disabled. No additional imports, actions, or methods are required; this is a pure YAML configuration change in .github/workflows/PR-validator.yml. The change will be inserted after the name: PR Validator line (line 1) and before the on: block (line 3).
| @@ -1,5 +1,8 @@ | ||
| name: PR Validator | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: |
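Review bot: the workflow-level `permissions:` block with `contents: read` is the right placement, since it sets the `GITHUB_TOKEN` scope for every job in the file at once and resolves the CodeQL finding. Two things to confirm before merging: the steps visible in the first hunk only echo context values, so if no job in this workflow uses `actions/checkout`, `permissions: {}` is a tighter choice than `contents: read`; and because a root-level block applies to all jobs, any job added later that needs to comment on the PR should declare its own `pull-requests: write` at job level rather than widening this root block.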
No description provided.