
Potential fix for code scanning alert no. 18: Workflow does not contain permissions#178

Merged
sanason merged 1 commit into master from alert-autofix-18
Jan 27, 2026

Conversation


@sanason sanason commented Jan 9, 2026

Potential fix for https://github.com/digital-analytics-program/gov-wide-code/security/code-scanning/18

In general, to fix this problem you should add a permissions block either at the root of the workflow (to apply to all jobs) or within the specific job that CodeQL flagged. The block should grant only the minimal scopes needed; for a simple lint job that just checks out code and runs npm commands, contents: read is typically sufficient.

For this specific workflow (.github/workflows/ci.yml), the minimal and least-invasive change is to add a permissions stanza under the lint job, right alongside runs-on. This keeps the change tightly scoped while not altering any existing steps or behavior. The result will look like:

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      ...

No additional imports, methods, or definitions are needed, since permissions is a standard GitHub Actions workflow key. The only file to change is .github/workflows/ci.yml, and the only region to update is the lint job header around line 7.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
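A dependency-free check for the condition this PR fixes, added here as an example and not part of the PR or of the repository's own code; the sample workflow below is constructed to resemble the lint job described above and is not the real ci.yml.

```python
"""Added example: dependency-free check for the condition behind the CodeQL alert
'Workflow does not contain permissions': a job with no `permissions:` key at the job
or workflow root inherits the repository's default GITHUB_TOKEN permissions."""
import re

# Block-style YAML mapping key; group 1 is its indentation, group 2 the key name.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+)\s*:")


def jobs_missing_permissions(workflow_text: str) -> list[str]:
    """Return ids of jobs that would inherit the default token permissions.
    A small indentation scanner stands in for a YAML parser (no PyYAML needed); it
    assumes the block-style layout GitHub workflows normally use."""
    root_has_permissions, in_jobs = False, False
    job_indent = child_indent = current_job = None
    jobs: dict[str, bool] = {}  # job id -> declares its own permissions key
    for line in workflow_text.splitlines():
        m = KEY_RE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue  # comments, list items and scalars are not mapping keys
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:  # workflow root: note `permissions:` and enter/leave `jobs:`
            root_has_permissions |= key == "permissions"
            in_jobs, current_job = key == "jobs", None
        elif in_jobs:
            if job_indent is None:
                job_indent = indent  # first key under `jobs:` fixes the job-id level
            if indent == job_indent:
                current_job, child_indent = key, None
                jobs[key] = False
            elif current_job is not None:
                if child_indent is None:
                    child_indent = indent  # first key inside a job fixes the job-key level
                if indent == child_indent and key == "permissions":
                    jobs[current_job] = True
    return [] if root_has_permissions else [j for j, ok in jobs.items() if not ok]


# Constructed sample modelled on the lint job described in the PR, not the real ci.yml.
WORKFLOW_BEFORE = """\
on: push
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm run lint
"""
# Same job with the fix applied: a job-scoped, read-only token.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "    steps:", "    permissions:\n      contents: read\n    steps:")
```

Running the check over a repository's .github/workflows directory reports the job ids that still need a permissions block; a root-level permissions key covers every job.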
@sanason sanason marked this pull request as ready for review January 9, 2026 15:26
@sanason sanason requested review from laurenancona and sfrederick-gsa-gov and removed request for sfrederick-gsa-gov January 9, 2026 15:27

sanason commented Jan 9, 2026

@laurenancona
I am cleaning up security warnings in advance of the assessment and this fixes the last open warning.


@laurenancona laurenancona left a comment


LGTM!

@sanason sanason merged commit 4e0cfe8 into master Jan 27, 2026
5 checks passed