tsundvoll
Contributor

Potential fix for https://github.com/equinor/isar/security/code-scanning/7

General approach:
Explicitly add a permissions block to the workflow. This can be applied at the top level (affecting all jobs), or per-job (to tailor permissions individually). Since all jobs here automate project and issue/PR management, the minimal required permissions are likely contents: read, issues: write, and pull-requests: write.

Detailed changes:

  • Insert a permissions: block immediately after the name: or before the on: key, or at the start of the jobs: map.
  • Recommended configuration for this workflow is:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    This gives jobs read-only access to code and write access to issues and PRs, matching the automation tasks being performed.

Files/regions/lines to change:

  • Only .github/workflows/project_automations.yml.
  • Add the permissions: block right after the workflow name: and before on: to cover all jobs by default.

Requirements:

  • No new methods, imports, or definitions are needed, as this is a YAML metadata change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

tsundvoll and others added 3 commits October 8, 2025 13:50
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@tsundvoll tsundvoll closed this Oct 8, 2025
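
An added example, not part of the pull request or the project's code: a stdlib-only Python check that lists the jobs in a workflow file that have no explicit permissions block at either workflow or job level, which is the condition the change above removes. The workflow text, trigger and job names are constructed for illustration, and the line-based parsing assumes block-style YAML indented with spaces.

```python
import re

KEY = re.compile(r"\s*([A-Za-z0-9_-]+)\s*:")  # mapping key at the start of a line

def jobs_without_permissions(workflow_text):
    """Return names of jobs covered by no explicit permissions block.

    A workflow-level block covers every job; otherwise each job needs its own.
    """
    top_level = in_jobs = False
    job_indent = child_indent = current = None
    jobs = {}  # job name -> has its own permissions key
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        m = KEY.match(line)
        key = m.group(1) if m else None  # list items ("- run: ...") yield None
        if indent == 0:
            in_jobs = key == "jobs"
            top_level = top_level or key == "permissions"
            job_indent = current = None
            continue
        if not in_jobs or key is None:
            continue
        if job_indent is None:
            job_indent = indent          # indentation of job names
        if indent == job_indent:
            current, child_indent = key, None
            jobs[current] = False
        elif current is not None:
            if child_indent is None:
                child_indent = indent    # indentation of a job's direct keys
            if indent == child_indent and key == "permissions":
                jobs[current] = True
    return [] if top_level else [n for n, ok in jobs.items() if not ok]

# Constructed sample workflow (not the repository's file).
BEFORE = """name: Project automations
on:
  issues:
    types: [opened]
jobs:
  add_to_project:
    runs-on: ubuntu-latest
    steps:
      - run: echo "permissions: not declared"
  label_pr:
    runs-on: ubuntu-latest
    steps:
      - run: echo label
"""
# The block recommended in the description, placed after name: and before on:.
FIX = "permissions:\n  contents: read\n  issues: write\n  pull-requests: write\n"
AFTER = BEFORE.replace("\non:", "\n" + FIX + "on:", 1)
```

The check only reports whether a block is present; it does not judge whether the scopes granted are the minimum the jobs need.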