
Commit 63ba7d9

CICD: Restrict permissions in .github/workflows/pr_build.yml (#4121)
Potential fix for https://github.com/StackExchange/dnscontrol/security/code-scanning/36

In general, the fix is to explicitly define `permissions` for the `GITHUB_TOKEN` in the workflow, restricting it to the least privileges needed. Since this workflow only checks out code, uses caches, runs tests, uploads artifacts, and runs GoReleaser builds without creating releases or pushing tags, it should only require read access to repository contents.

The best way to fix this without changing existing functionality is to add a `permissions` block near the top of the workflow (at the root level, alongside `name`, `on`, and `env`). This will apply to all jobs that do not override `permissions`. We should set `contents: read`, which matches the minimal recommendation in the CodeQL message and is sufficient for `actions/checkout` and other used actions. No additional scopes (like `pull-requests: write` or `packages: write`) appear necessary based on the provided snippet.

Concretely, in `.github/workflows/pr_build.yml`, after the `on:` block (lines 6–15) and before the `env:` block (line 18), insert:

```yaml
permissions:
  contents: read
```

No imports or additional definitions are needed; this is purely a YAML configuration change.

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent 4119ef6 commit 63ba7d9

1 file changed

+3
-0
lines changed
.github/workflows/pr_build.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,9 @@ on:
1414
branches:
1515
- 'tlim_testpr'
1616

17+
permissions:
18+
contents: read
19+
1720
# Environment Variables
1821
env:
1922
# cache-key: Change to force cache reset `pwsh > Get-Date -UFormat %s`
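Review bot: the root-level `permissions:` block added at lines 17-18 is only a default, so any job in this workflow that declares its own `permissions:` keeps whatever scopes it names; confirm that no job does, since the commit message's reasoning (no `pull-requests: write` or `packages: write` needed) only holds if nothing overrides this block. A one-line comment above `permissions:`, in the style of the existing `# Environment Variables` header, stating that the token is read-only because the GoReleaser step here builds without publishing would make the intent visible to whoever later adds a release step.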
