Skip to content

Potential fix for code scanning alert no. 9: Workflow does not contain permissions#53

Draft
simongdavies wants to merge 1 commit into
mainfrom
alert-autofix-9
Draft

Potential fix for code scanning alert no. 9: Workflow does not contain permissions#53
simongdavies wants to merge 1 commit into
mainfrom
alert-autofix-9

Conversation

@simongdavies
Copy link
Copy Markdown
Member

@simongdavies simongdavies commented Jun 3, 2026

Potential fix for https://github.com/hyperlight-dev/cargo-hyperlight/security/code-scanning/9

Add an explicit permissions block to the validate job in .github/workflows/publish.yml, setting least privilege needed for its steps.

Best minimal fix without changing functionality:

  • In job validate (around lines 14–16), add:
    • permissions:
    • contents: read

Why this is best:

  • actions/checkout requires repository contents read access.
  • The version-check shell script only reads local metadata and does not call GitHub write APIs.
  • It addresses the exact CodeQL finding while preserving behavior.

No new imports, methods, or dependencies are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@simongdavies @github-advanced-security
Potential fix for code scanning alert no. 9: Workflow does not contai…
c1617e7 
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@simongdavies