The `renovate` job body from `.github/workflows/renovate.yml` as shown in the file view:

```yaml
name: Renovate
runs-on: ubuntu-latest
steps:
  - uses: actions/checkout@v6
  - name: Get token
    id: get_token
    uses: actions/create-github-app-token@v2
    with:
      private-key: ${{ secrets.RENOVATE_PRIVATE_KEY }}
      app-id: ${{ secrets.RENOVATE_APP_ID }}
      owner: "splunk-platform-apps"
      # The owner of the GitHub App installation
  - name: Self-hosted Renovate
    uses: renovatebot/github-action@v46.1.4
    env:
      LOG_LEVEL: debug
      # Onboarding not needed for self-hosted usage
      RENOVATE_ONBOARDING: "false"
    with:
      configurationFile: .github/renovate-config.js
      token: '${{ steps.get_token.outputs.token }}'
```
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)

Copilot Autofix (AI, about 17 hours ago):
In general, the fix is to add an explicit permissions block that grants only the minimal required scopes to GITHUB_TOKEN. This can be done at the top level of the workflow (applies to all jobs) or per job. For this single-job workflow, either is fine; adding permissions at the root is simplest and keeps the job body unchanged.
Best minimal fix without altering existing functionality:

- Add a `permissions` block at the root level (same indentation as `on:` and `jobs:`) after `concurrency: renovate` (or before, as long as indentation is correct).
- Start from `contents: read` as the minimal baseline. Renovate usually needs to read repository contents and may also need to open or update pull requests. However, Renovate in this setup appears to use a GitHub App token (`steps.get_token.outputs.token`) for its write operations, so the `GITHUB_TOKEN` itself can safely be read-only unless the workflow uses it elsewhere (it does not in the shown snippet).
- Thus, define:

  ```yaml
  permissions:
    contents: read
  ```

- No imports or additional methods are needed; this is a pure YAML configuration change.
This change should be placed in .github/workflows/renovate.yml after line 9 (concurrency: renovate) to keep the file structure clear and avoid altering job logic.
| @@ -7,6 +7,8 @@ | ||
| workflow_dispatch: | ||
|
|
||
| concurrency: renovate | ||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| renovate: |
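Review bot: `contents: read` is the right floor here rather than `permissions: {}`, because the `actions/checkout@v6` step in the job below has no `token:` input and therefore still authenticates with `GITHUB_TOKEN`; only the Renovate step receives the App token from `steps.get_token.outputs.token`. Consider a one-line YAML comment directly above the added `permissions:` line stating that pull-request writes go through the GitHub App token, so that a later editor does not "help" Renovate by widening `GITHUB_TOKEN` with `pull-requests: write`, which would reintroduce the broad default-token exposure this change removes.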
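A way to catch this condition before CodeQL does, as an added example that is not code from this PR, from CodeQL's query or from Renovate: a standard-library Python scanner that reports whether a workflow sets `permissions` at the root (covering every job) or separately in each job, and lists the jobs that would otherwise run with the repository-default `GITHUB_TOKEN` scopes. The `BEFORE` text is constructed from the workflow shown above (its `on:` block is assumed to be just `workflow_dispatch`), `AFTER` applies the autofix to it, and `MIXED` is a constructed two-job workflow that shows the per-job case. The scanner assumes block-style YAML with consistent indentation, which is all this check needs.

```python
"""Flag GitHub Actions workflows that leave GITHUB_TOKEN at the repository
default scopes (the condition behind CodeQL's "Workflow does not contain
permissions" warning).  Added example: not code from this PR, CodeQL or
Renovate.  Indentation-based scan instead of a YAML parser, so it runs with the
standard library only; assumes block-style YAML with consistent indentation.
"""
import re

# A YAML mapping key at the start of a line ("- item" sequence entries do not match).
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*):")


def audit_workflow(text):
    """Return {"root": bool, "jobs": {name: bool}, "uncovered": [names]}.

    root: a top-level permissions key exists and covers all jobs.
    jobs: each job name -> whether it declares its own permissions key.
    uncovered: jobs that run with the default GITHUB_TOKEN scopes.
    """
    root_perms, jobs = False, {}
    in_jobs, current_job = False, None
    job_indent = body_indent = None  # columns of job names / keys inside a job

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (assumes no '#' in values)
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)

        if indent == 0:
            # A new top-level section: "jobs:" opens the job list, anything else closes it.
            in_jobs = key == "jobs"
            job_indent = body_indent = current_job = None
            if key == "permissions":
                root_perms = True
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent  # first key under "jobs:" fixes the job-name column
        if indent == job_indent:
            current_job, body_indent = key, None
            jobs[key] = False
        elif current_job is not None:
            if body_indent is None:
                body_indent = indent  # first key inside the job fixes its body column
            # Only a permissions key directly under the job counts; one nested deeper
            # (for example inside a step's "with:") is just an input called permissions.
            if indent == body_indent and key == "permissions":
                jobs[current_job] = True

    uncovered = [] if root_perms else [j for j, ok in jobs.items() if not ok]
    return {"root": root_perms, "jobs": jobs, "uncovered": uncovered}


# Constructed from the workflow in this PR; the trigger block is assumed.
BEFORE = """\
name: Renovate
on:
  workflow_dispatch:

concurrency: renovate

jobs:
  renovate:
    name: Renovate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Get token
        id: get_token
        uses: actions/create-github-app-token@v2
        with:
          private-key: ${{ secrets.RENOVATE_PRIVATE_KEY }}
          app-id: ${{ secrets.RENOVATE_APP_ID }}
          owner: "splunk-platform-apps"
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v46.1.4
        with:
          configurationFile: .github/renovate-config.js
          token: '${{ steps.get_token.outputs.token }}'
"""

# The autofix: a root-level block after "concurrency: renovate".
AFTER = BEFORE.replace("concurrency: renovate\n",
                       "concurrency: renovate\n\npermissions:\n  contents: read\n")

# Constructed two-job workflow: only "build" declares its own permissions.
MIXED = """\
name: ci
on: [push]
jobs:
  build:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - run: make
  release:
    runs-on: ubuntu-latest
    steps:
      - run: ./publish.sh
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        r = audit_workflow(text)
        verdict = "ok" if not r["uncovered"] else "WARN default token in: " + ", ".join(r["uncovered"])
        print(f"{label}: root={r['root']} jobs={r['jobs']} -> {verdict}")
```

Run it over a real `.github/workflows/` directory by reading each file into `audit_workflow`; any non-empty `uncovered` list is what CodeQL would report. The scanner only checks presence, as the CodeQL rule does, so a `permissions: write-all` line still passes it and needs a human eye.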
👉 Please ensure your pull request (PR) adheres to our Contribution Guidelines 👈
Pull Request Checklist
Please check if your PR fulfills the following requirements:
- `docs/readme.md` has been reviewed and updated if needed (for bug fixes / features)
- [...] `main` branch of the forked repo. Create separate feature branch for raising the PR

Pull Request Type
Please check the type of change your PR introduces:

Security Considerations (REQUIRED)
- `docs/readme.md` [...] all methods (eg, OAuth) used to authenticate with the service that the add-on is integrating with

Release Notes (REQUIRED)
Thanks for contributing! ❤️