
Potential fix for code scanning alert no. 3: Workflow does not contain permissions #3

Draft
MaryAndMoore wants to merge 1 commit into main from alert-autofix-3


Conversation

@MaryAndMoore

Owner

Potential fix for https://github.com/MaryAndMoore/cookbook/security/code-scanning/3

To fix this, explicitly restrict the GITHUB_TOKEN permissions used by the workflow to the minimum required. Both nbfmt and nblint only need to read repository contents (for actions/checkout and git fetch); they do not need to write contents, manage issues, or access other scopes.

The simplest, non-breaking fix is to add a top-level permissions block in .github/workflows/notebooks.yaml (alongside name and on) with contents: read. This will apply to all jobs in the workflow that do not override it, covering both nbfmt and nblint without changing their steps. No additional imports, actions, or commands are needed.

Concretely, in .github/workflows/notebooks.yaml, after the name: Notebooks line, insert:

permissions:
  contents: read

Leave the rest of the file unchanged.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
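As an added example (not the cookbook repository's own workflow file), this is what a minimal .github/workflows/notebooks.yaml looks like with the suggested top-level block in place. Only the job names nbfmt and nblint, actions/checkout, git fetch and the permissions lines come from the description above; the trigger, the runner and the formatter/lint commands are assumptions.

```yaml
# Added example, not the cookbook repository's actual workflow: a minimal
# .github/workflows/notebooks.yaml with the top-level permissions block in
# place. Trigger, runner and the nbfmt/nblint commands are assumptions.
name: Notebooks

# Before the fix this key was absent, so each job's GITHUB_TOKEN received the
# repository's default token permissions (which, depending on repository
# settings, can be read-and-write for every scope) instead of the single
# scope nbfmt and nblint actually use.
permissions:
  contents: read   # actions/checkout and `git fetch` only need to read contents

on:   # assumed trigger: run on pull requests that touch notebooks
  pull_request:
    paths:
      - "**.ipynb"

jobs:
  nbfmt:
    runs-on: ubuntu-latest
    # Inherits contents: read from the workflow level. A job that declares its
    # own `permissions:` key replaces the workflow-level block for that job
    # (scopes it does not list become none), so narrowing or widening happens
    # per job without touching the other jobs.
    steps:
      - uses: actions/checkout@v4
      - run: git fetch --depth=1 origin main      # assumed: fetch base for comparison
      - run: pip install git+https://github.com/tensorflow/docs   # assumed source of nbfmt/nblint
      - run: python -m tensorflow_docs.tools.nbfmt --test "**/*.ipynb"   # assumed check command

  nblint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install git+https://github.com/tensorflow/docs   # assumed source of nbfmt/nblint
      - run: python -m tensorflow_docs.tools.nblint "**/*.ipynb"  # assumed lint command
```

The workflow-level block is the least invasive place for the restriction because it covers every job that does not set its own `permissions:` key; if a later job ever needs a write scope, granting it at job level keeps the other jobs read-only rather than widening the whole workflow.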

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: MaryAndMoore <aryannedemoore@gmail.com>