Skip to content

Potential fix for code scanning alert no. 7: Workflow does not contain permissions#6128

Merged
dmetzner merged 1 commit intodevelopfrom
alert-autofix-7
Jan 23, 2026
Merged

Potential fix for code scanning alert no. 7: Workflow does not contain permissions#6128
dmetzner merged 1 commit intodevelopfrom
alert-autofix-7

Conversation

@dmetzner
Copy link
Collaborator

@dmetzner dmetzner commented Jan 23, 2026

Potential fix for https://github.com/Catrobat/Catroweb/security/code-scanning/7

In general, the fix is to add an explicit permissions block to the workflow (at the top level or within the specific job) and restrict the GITHUB_TOKEN to the minimal scopes required. This prevents the workflow from inheriting overly broad default repository/organization permissions.

For this workflow, the deploy-swagger-ui job needs to push generated static files to GitHub Pages via peaceiris/actions-gh-pages@v4, which requires write access to repository contents. The simplest, least-disruptive fix is to add a job-level permissions block under deploy-swagger-ui specifying contents: write. This both satisfies the CodeQL requirement and documents clearly what the token can do. No other permissions (issues, pull requests, etc.) are required based on the shown steps, so they should not be granted.

Concretely, in .github/workflows/deploy_api_spec.yaml, under jobs: > deploy-swagger-ui:, insert:

    permissions:
      contents: write

indented to match runs-on. No additional imports, methods, or external definitions are needed because this is a pure YAML configuration change within the existing workflow file.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@dmetzner @github-advanced-security
Potential fix for code scanning alert no. 7: Workflow does not contai…
556cc1b 
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@dmetzner dmetzner marked this pull request as ready for review January 23, 2026 12:43
@dmetzner dmetzner merged commit 5c5cdde into develop Jan 23, 2026
16 checks passed
@codecov
Copy link

codecov bot commented Jan 23, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.01%. Comparing base (676aa4e) to head (556cc1b).
⚠️ Report is 5 commits behind head on develop.

Additional details and impacted files 
@@            Coverage Diff             @@
##             develop    #6128   +/-   ##
==========================================
  Coverage      50.00%   50.01%           
  Complexity      7481     7481           
==========================================
  Files            722      722           
  Lines          24100    24100           
==========================================
+ Hits           12051    12053    +2     
+ Misses         12049    12047    -2
Flag Coverage Δ
behat 47.70% <ø> (+<0.01%) ⬆️
phpunit 10.18% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dmetzner