Skip to content

Potential fix for code scanning alert no. 1: Workflow does not contain permissions#37

Closed
Dargon789 wants to merge 0 commit into
mainfrom
alert-autofix-1
Closed

Potential fix for code scanning alert no. 1: Workflow does not contain permissions#37
Dargon789 wants to merge 0 commit into
mainfrom
alert-autofix-1

Conversation

@Dargon789

@Dargon789 Dargon789 commented Mar 14, 2026

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/Dargon789/account/security/code-scanning/1

In general, to fix this type of issue you add an explicit permissions block either at the workflow root or on each job, setting the least privileges required. Jobs that only read repository metadata or use github-script for read-only queries typically only need contents: read (and sometimes no special scopes beyond the default metadata: read).

For this workflow, the claude-assistant job already has explicit (and intentionally broad) permissions, so we should not change that job. The flagged job is check-permissions, which uses actions/github-script@v7 to call github.rest.repos.getCollaboratorPermissionLevel. That requires read access to repository contents/metadata, but no write access. The best fix is to add a permissions block under check-permissions with a minimal scope, e.g. contents: read. We keep everything else unchanged. Concretely, in .github/workflows/claude-code.yml under jobs:, inside check-permissions: and alongside name:, runs-on:, etc., add:

    permissions:
      contents: read

This ensures the GITHUB_TOKEN for that job is limited to read-only repository contents, satisfying CodeQL and the principle of least privilege without affecting current functionality.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by Sourcery

Restrict the GitHub Actions workflow job token to read-only repository contents to address a code scanning permissions alert.

Bug Fixes:

  • Add minimal read-only contents permissions to the check-permissions job in the claude-code workflow to satisfy security scanning and least-privilege requirements.

CI:

  • Update the claude-code GitHub Actions workflow to define explicit read-only permissions for the check-permissions job.

@vercel

This comment was marked as resolved.

@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@sourcery-ai

sourcery-ai Bot commented Mar 14, 2026

Copy link
Copy Markdown
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Adds an explicit, least-privilege permissions block to the check-permissions job in the Claude GitHub Actions workflow to satisfy a code scanning alert without altering job behavior.

Flow diagram for check-permissions job with explicit read-only token

flowchart TD
  A[Workflow_triggered] --> B[Start_check-permissions_job]
  B --> C[Provision_runner_ubuntu-latest]
  C --> D[Issue_GITHUB_TOKEN_with_permissions_contents_read]
  D --> E[Run_actions/github-script_v7]
  E --> F[Call_GitHub_API_repos_getCollaboratorPermissionLevel]
  F --> G[Set_output_has-permission]
  G --> H[Downstream_jobs_read_has-permission_output]
Loading

File-Level Changes

Change Details Files
Restrict the check-permissions GitHub Actions job to read-only repository contents via an explicit permissions block.
  • Add a permissions section under the check-permissions job in the Claude workflow
  • Grant contents: read to the GITHUB_TOKEN for the check-permissions job only, leaving other jobs unchanged
.github/workflows/claude-code.yml

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@snyk-io

snyk-io Bot commented Mar 14, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@Dargon789 Dargon789 marked this pull request as ready for review March 14, 2026 09:41

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@Dargon789

Copy link
Copy Markdown
Owner Author

@Mergifyio refresh

@mergify

mergify Bot commented Mar 14, 2026

Copy link
Copy Markdown

refresh

✅ Pull request refreshed

@Dargon789

Copy link
Copy Markdown
Owner Author

@Mergifyio refresh

@mergify

mergify Bot commented Mar 14, 2026

Copy link
Copy Markdown

refresh

✅ Pull request refreshed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant