Skip to content

Update 8hobbies/workflows digest to 816c71c #317

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
renovate merged 1 commit into from
Apr 5, 2026
Merged

Update 8hobbies/workflows digest to 816c71c #317

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,4 @@

jobs:
lint:
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@816c71c37d500c15bb9f7681c9230d4a0ef63a66

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 5 days ago

In general, to fix this kind of issue, you add a permissions: block either at the top level of the workflow (to apply to all jobs) or under the specific job, specifying the minimal GITHUB_TOKEN scopes needed. For a lint job that only needs to read the repository to run lint checks, contents: read is typically sufficient; if it needs to read from GitHub Packages, packages: read can also be included.

For this specific workflow, we should add a root‑level permissions block just below the name: (or above jobs:) to document and enforce least privilege across all jobs (currently just lint). Since the job is a reusable workflow invocation and there is no evidence it needs write access, we will set contents: read. This does not change any functional behavior other than restricting any unintended write capabilities of GITHUB_TOKEN. No imports or additional methods are needed, as this is purely a YAML configuration change in .github/workflows/lint.yml.

Concretely:

  • Edit .github/workflows/lint.yml.

  • Insert:

    permissions:
  contents: read

    between the on: block and the jobs: block (or just after name: Lint and before on:; both are valid, but placing it after on: keeps the structure clear).

  • Leave the existing jobs.lint.uses line unchanged.

Suggested changeset 1
.github/workflows/lint.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -20,6 +20,9 @@
   pull_request:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@816c71c37d500c15bb9f7681c9230d4a0ef63a66
EOF
@@ -20,6 +20,9 @@
pull_request:
branches: ["master"]

permissions:
contents: read

jobs:
lint:
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@816c71c37d500c15bb9f7681c9230d4a0ef63a66
Copilot is powered by AI and may make mistakes. Always verify output.
2 changes: 1 addition & 1 deletion .github/workflows/pages.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,4 +25,4 @@ jobs:
permissions:
pages: write
id-token: write
uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655
uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@816c71c37d500c15bb9f7681c9230d4a0ef63a66
2 changes: 1 addition & 1 deletion .github/workflows/publish-dry-run.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,4 @@

jobs:
run:
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@816c71c37d500c15bb9f7681c9230d4a0ef63a66

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 5 days ago

In general, the problem is fixed by adding an explicit permissions block that grants only the minimum required scopes for the workflow, either at the top level (applies to all jobs) or within the specific job. For a publish dry-run workflow that runs a reusable workflow and typically only needs to read repository contents, starting with contents: read at the workflow level is a safe least-privilege default unless additional scopes are clearly required.

For this specific file, the best fix without changing functionality is to add a top-level permissions block after the on: section and before jobs:. Since the shown workflow only calls a reusable workflow and we have no evidence it needs write access from this caller, we will restrict GITHUB_TOKEN to contents: read, which is the minimal common setting and matches GitHub’s recommended baseline. If the reusable workflow requires more permissions, they can be granted within that reusable workflow itself, keeping this entrypoint conservative.

Concretely, in .github/workflows/publish-dry-run.yml, insert:

permissions:
  contents: read

between the on: block (lines 17–21) and the jobs: key (line 23). No imports or additional definitions are needed.

Suggested changeset 1
.github/workflows/publish-dry-run.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-dry-run.yml b/.github/workflows/publish-dry-run.yml
--- a/.github/workflows/publish-dry-run.yml
+++ b/.github/workflows/publish-dry-run.yml
@@ -20,6 +20,9 @@
   pull_request:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 jobs:
   run:
     uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@816c71c37d500c15bb9f7681c9230d4a0ef63a66
EOF
@@ -20,6 +20,9 @@
pull_request:
branches: ["master"]

permissions:
contents: read

jobs:
run:
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@816c71c37d500c15bb9f7681c9230d4a0ef63a66
Copilot is powered by AI and may make mistakes. Always verify output.
2 changes: 1 addition & 1 deletion .github/workflows/publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,6 @@
tags: ["v*"]
jobs:
build:
uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655
uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@816c71c37d500c15bb9f7681c9230d4a0ef63a66
secrets:
npm-auth-token: ${{ secrets.NPM_TOKEN }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
2 changes: 1 addition & 1 deletion .github/workflows/runtime.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,4 @@

jobs:
test:
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@816c71c37d500c15bb9f7681c9230d4a0ef63a66

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 5 days ago

Generally, the fix is to add an explicit permissions block that grants only the minimal required scopes to GITHUB_TOKEN. This can be set at the workflow root (applies to all jobs unless overridden) or at the job level. Since we are not changing functionality and do not know the exact needs of the reusable workflow, the safest minimal baseline matching GitHub’s read-only default is:

permissions:
  contents: read

This documents that the workflow only expects read access to repository contents unless further scopes are added later.

The best minimally invasive fix here is to add a root-level permissions block just after the on: section (before jobs:) in .github/workflows/runtime.yml. This will apply to the test job that calls the reusable workflow without altering the structure or behavior of the workflow, other than potentially reducing unnecessary write privileges. No imports or additional definitions are required; it is a pure YAML configuration change within this file.

Suggested changeset 1
.github/workflows/runtime.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/runtime.yml b/.github/workflows/runtime.yml
--- a/.github/workflows/runtime.yml
+++ b/.github/workflows/runtime.yml
@@ -20,6 +20,9 @@
   pull_request:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@816c71c37d500c15bb9f7681c9230d4a0ef63a66
EOF
@@ -20,6 +20,9 @@
pull_request:
branches: ["master"]

permissions:
contents: read

jobs:
test:
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@816c71c37d500c15bb9f7681c9230d4a0ef63a66
Copilot is powered by AI and may make mistakes. Always verify output.
Loading