Potential fix for code scanning alert no. 7: Workflow does not contain permissions #313
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
jazzsequence
added a commit
that referenced
this pull request
Sep 17, 2025
* Prepare 1.4.4-dev * Bump pantheon-systems/wpunit-helpers from 2.0.0 to 2.0.2 (#305) Bumps [pantheon-systems/wpunit-helpers](https://github.com/pantheon-systems/wpunit-helpers) from 2.0.0 to 2.0.2. - [Release notes](https://github.com/pantheon-systems/wpunit-helpers/releases) - [Commits](pantheon-systems/wpunit-helpers@v2.0.0...v2.0.2) --- updated-dependencies: - dependency-name: pantheon-systems/wpunit-helpers dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump pantheon-systems/pantheon-wp-coding-standards from 2.0.1 to 2.0.3 (#304) Bumps [pantheon-systems/pantheon-wp-coding-standards](https://github.com/pantheon-systems/Pantheon-WP-Coding-Standards) from 2.0.1 to 2.0.3. - [Release notes](https://github.com/pantheon-systems/Pantheon-WP-Coding-Standards/releases) - [Commits](pantheon-systems/Pantheon-WP-Coding-Standards@2.0.1...2.0.3) --- updated-dependencies: - dependency-name: pantheon-systems/pantheon-wp-coding-standards dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump yoast/phpunit-polyfills from 2.0.0 to 3.1.1 (#306) Bumps [yoast/phpunit-polyfills](https://github.com/Yoast/PHPUnit-Polyfills) from 2.0.0 to 3.1.1. - [Release notes](https://github.com/Yoast/PHPUnit-Polyfills/releases) - [Changelog](https://github.com/Yoast/PHPUnit-Polyfills/blob/3.x/CHANGELOG.md) - [Commits](Yoast/PHPUnit-Polyfills@2.0.0...3.1.1) --- updated-dependencies: - dependency-name: yoast/phpunit-polyfills dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump yoast/phpunit-polyfills from 3.1.1 to 4.0.0 (#307) Bumps [yoast/phpunit-polyfills](https://github.com/Yoast/PHPUnit-Polyfills) from 3.1.1 to 4.0.0. - [Release notes](https://github.com/Yoast/PHPUnit-Polyfills/releases) - [Changelog](https://github.com/Yoast/PHPUnit-Polyfills/blob/4.x/CHANGELOG.md) - [Commits](Yoast/PHPUnit-Polyfills@3.1.1...4.0.0) --- updated-dependencies: - dependency-name: yoast/phpunit-polyfills dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Updates readme files * Updates tested up in readme.txt * Updates readme for blank line * Adds php 8.4 in the lint test * Updates readme files * Updates readme * Updates readme * SITE-5253 Update plugin name (#312) * update plugin name * update changelog * bump version * install wp unit tests * set scripts to executable * use the composer test script * install svn * install wp-cli * bump mariadb version * set password to empty string * create the database in setup * use mysql command instead of mariadb * update the password after database creation * use root@localhost * bump tested up to * update behat upstream tests * Bump pantheon-systems/wpunit-helpers from 2.0.2 to 2.0.3 (#311) Bumps [pantheon-systems/wpunit-helpers](https://github.com/pantheon-systems/wpunit-helpers) from 2.0.2 to 2.0.3. - [Release notes](https://github.com/pantheon-systems/wpunit-helpers/releases) - [Commits](pantheon-systems/wpunit-helpers@v2.0.2...v2.0.3) --- updated-dependencies: - dependency-name: pantheon-systems/wpunit-helpers dependency-version: 2.0.3 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump pantheon-systems/pantheon-wp-coding-standards from 2.0.3 to 3.0.1 (#310) * Bump pantheon-systems/pantheon-wp-coding-standards from 2.0.3 to 3.0.1 Bumps [pantheon-systems/pantheon-wp-coding-standards](https://github.com/pantheon-systems/Pantheon-WP-Coding-Standards) from 2.0.3 to 3.0.1. - [Release notes](https://github.com/pantheon-systems/Pantheon-WP-Coding-Standards/releases) - [Commits](pantheon-systems/Pantheon-WP-Coding-Standards@2.0.3...3.0.1) --- updated-dependencies: - dependency-name: pantheon-systems/pantheon-wp-coding-standards dependency-version: 3.0.1 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> * linting fixes * need to use 2.0 coding standards for php 7.4 --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Chris Reynolds <[email protected]> * Update mu suggestion to be more defensive (#308) * Update README.md * update changelog * (somewhat) arbitrary change to kick the codeql checks we actually use main and release not develop and main. --------- Co-authored-by: Chris Reynolds <[email protected]> * Potential fix for code scanning alert no. 7: Workflow does not contain permissions (#313) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Release 1.4.4 --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Phil Tyler <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: anaispantheor <[email protected]> Co-authored-by: Chris Reynolds <[email protected]> Co-authored-by: Chris Reynolds <[email protected]> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: Pantheon Automation <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/pantheon-systems/wp-native-php-sessions/security/code-scanning/7
To fix this problem, add an explicit
permissionsblock to the workflow definition. The best way to do this is to add thepermissionskey at the root level of.github/workflows/lint-test.yml, immediately below the workflowname. This block should setcontents: readas the minimal default. If any jobs require additional permissions (e.g. to write pull requests), those jobs should be individually annotated, but since all jobs in your workflow are performing read and test operations only, setting root-levelpermissions: contents: readis sufficient and safest.You only need to change the
.github/workflows/lint-test.ymlfile. No further code or dependencies are needed.Suggested fixes powered by Copilot Autofix. Review carefully before merging.