
Potential fix for code scanning alert no. 12: Workflow does not contain permissions #6130

Merged
dmetzner merged 1 commit into develop from alert-autofix-12
Jan 26, 2026

Conversation

@dmetzner (Collaborator)

Potential fix for https://github.com/Catrobat/Catroweb/security/code-scanning/12

In general, this issue is fixed by explicitly declaring a permissions block in the workflow (either at the top level or per job) and restricting the GITHUB_TOKEN to the minimal scopes required. For this deployment workflow, the steps only need to read repository contents to perform a checkout; the deployment itself is done via SSH using secrets, so no write scopes on the GITHUB_TOKEN are necessary.

The best minimal fix without changing existing functionality is to add a workflow-level permissions block directly under the name: Deployment line, setting contents: read. This will apply to all jobs (including deploy) that do not override permissions. No other scopes appear necessary based on the shown code. Concretely, in .github/workflows/deployment.yaml, insert:

```yaml
permissions:
  contents: read
```

after line 9 (name: Deployment). No imports or other definitions are needed since this is a YAML configuration change only.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
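To see the rule behind the alert in code, here is an added, simplified checker that is not part of the Catroweb repository: it reads a workflow file line by line (assuming the conventional 2-space indentation) and reports jobs that declare no `permissions` block and inherit none from the workflow level, so they run with the default, write-capable GITHUB_TOKEN. The sample workflow is constructed to resemble the deployment workflow described above, not copied from it.

```python
import re

# Constructed sample modelled on the description above (not the real
# Catroweb deployment.yaml): a workflow with no permissions block at all.
WORKFLOW_BEFORE = """\
name: Deployment
on:
  workflow_dispatch:
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ssh deploy@example.invalid ./deploy.sh
"""

# The same workflow with the suggested workflow-level fix applied.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "name: Deployment\n", "name: Deployment\npermissions:\n  contents: read\n", 1
)


def _keys_at_indent(lines, indent):
    """Return (line_index, key) for mapping keys at exactly `indent` spaces."""
    pat = re.compile(r"^ {%d}([A-Za-z0-9_.-]+):" % indent)
    return [(i, m.group(1)) for i, line in enumerate(lines) if (m := pat.match(line))]


def jobs_without_permissions(workflow_text):
    """Return job ids that would run with the default GITHUB_TOKEN scopes.

    A job counts as covered when the workflow declares a top-level
    `permissions` block or the job declares its own (indentation-based
    reading; assumes 2-space indentation as in the sample above).
    """
    lines = workflow_text.splitlines()
    top = _keys_at_indent(lines, 0)
    if any(k == "permissions" for _, k in top):
        return []  # workflow-level block applies to every job that does not override it
    jobs_start = next((i for i, k in top if k == "jobs"), None)
    if jobs_start is None:
        return []
    jobs_end = next((i for i, _ in top if i > jobs_start), len(lines))
    job_keys = [(i, k) for i, k in _keys_at_indent(lines, 2) if jobs_start < i < jobs_end]
    missing = []
    for n, (start, job) in enumerate(job_keys):
        end = job_keys[n + 1][0] if n + 1 < len(job_keys) else jobs_end
        if not any(k == "permissions" for _, k in _keys_at_indent(lines[start:end], 4)):
            missing.append(job)
    return missing


if __name__ == "__main__":
    print("before:", jobs_without_permissions(WORKFLOW_BEFORE))  # ['deploy']
    print("after: ", jobs_without_permissions(WORKFLOW_AFTER))   # []
```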
@dmetzner dmetzner marked this pull request as ready for review January 25, 2026 16:29
@codecov

codecov bot commented Jan 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.01%. Comparing base (f2461a4) to head (b7e01f4).
⚠️ Report is 12 commits behind head on develop.

Additional details and impacted files
@@            Coverage Diff             @@
##             develop    #6130   +/-   ##
==========================================
  Coverage      50.00%   50.01%           
  Complexity      7481     7481           
==========================================
  Files            722      722           
  Lines          24100    24100           
==========================================
+ Hits           12051    12053    +2     
+ Misses         12049    12047    -2     
Flag      Coverage Δ
behat     47.70% <ø> (+<0.01%) ⬆️
phpunit   10.18% <ø> (ø)


@dmetzner dmetzner merged commit ad7cdd0 into develop Jan 26, 2026
50 of 51 checks passed