Skip to content

Potential fix for code scanning alert no. 3: Workflow does not contain permissions #439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thpierce merged 2 commits into from
Oct 14, 2025
Merged

Potential fix for code scanning alert no. 3: Workflow does not contain permissions #439

thpierce merged 2 commits into from
Oct 14, 2025

Conversation

@thpierce
Copy link
Contributor

@thpierce thpierce commented Oct 14, 2025

Potential fix for https://github.com/aws/aws-xray-sdk-java/security/code-scanning/3

To address the problem, add an explicit permissions: block to restrict the GITHUB_TOKEN permissions for the job or the workflow. Since all steps in the build job only need to fetch source code and push artifacts (actions like actions/upload-artifact and codecov/codecov-action do not require repository write permissions), the minimum required is typically contents: read. This block can be added either at the top level (for all jobs) or under the build job if you want job-specific granularity. Here, for clarity and minimal change, add it under the build job, immediately after the job name.

No new methods, imports, or definitions are needed; only a change to the YAML workflow file itself.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@thpierce @github-advanced-security
Potential fix for code scanning alert no. 3: Workflow does not contai…
a0fe2ec 
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@thpierce thpierce marked this pull request as ready for review October 14, 2025 16:42
@thpierce thpierce requested a review from a team as a code owner October 14, 2025 16:42
@thpierce thpierce merged commit daf394e into master Oct 14, 2025
8 checks passed
@thpierce thpierce deleted the alert-autofix-3 branch October 14, 2025 20:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jj22ee jj22ee jj22ee approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@thpierce @jj22ee