Skip to content

Potential fix for code scanning alert no. 1: Workflow does not contain permissions#94

Merged
spkl merged 1 commit into
mainfrom
alert-autofix-1
Jul 4, 2026
Merged

Potential fix for code scanning alert no. 1: Workflow does not contain permissions#94
spkl merged 1 commit into
mainfrom
alert-autofix-1

Conversation

@spkl

@spkl spkl commented Jul 4, 2026

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/spkl/CLI.IPC/security/code-scanning/1

Add an explicit permissions block to the workflow so the GITHUB_TOKEN is restricted to least privilege.
Best fix here: define permissions at the workflow root (applies to all jobs unless overridden), with contents: read as the minimal required scope for actions/checkout. This does not change existing functional behavior of build/pack/publish steps, since publishing uses secrets.NUGET_ORG_API_KEY, not GITHUB_TOKEN.

File to change: .github/workflows/nuget.yml
Region: after the on: triggers and before jobs:.
Change: insert:

permissions:
  contents: read

No imports, methods, or additional definitions are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@spkl spkl marked this pull request as ready for review July 4, 2026 11:09
@spkl spkl merged commit 815c647 into main Jul 4, 2026
6 checks passed
@spkl spkl deleted the alert-autofix-1 branch July 4, 2026 11:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant