| name: Verify main branch | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Check if tag is on main | ||
| run: | | ||
| git fetch origin main | ||
| if git merge-base --is-ancestor $GITHUB_SHA origin/main; then | ||
| echo "Tag is on main" | ||
| else | ||
| echo "Tag is NOT on main, skipping" | ||
| exit 1 | ||
| fi | ||
|
|
||
| build-native: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 months ago
The fix is to explicitly add a `permissions:` block for the `run-only-on-main-branch` job, constraining it to the minimum required privilege. Since this job only checks the ancestry of a tag (via git), it does not require write access—just read access to the repository contents. Therefore, you should add `permissions:` with `contents: read` to the `run-only-on-main-branch` job (under `jobs: run-only-on-main-branch:` and above `steps:`). No other changes are required. Repeat this pattern for any other similar jobs lacking a permission specification, but in this snippet, only the flagged job needs to be changed.
| @@ -10,6 +10,8 @@ | ||
| run-only-on-main-branch: | ||
| name: Verify main branch | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Checkout repository |
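Review bot: The added `permissions:` block narrows the token for this job only, so `build-native` and `release` keep running with the repository's default `GITHUB_TOKEN` permissions until each job declares its own; the second autofix hunk covers `build-native`, but nothing visible here covers `release`. A single workflow-level `permissions:` / `contents: read` at the top of the file, with `contents: write` granted only on the `release` job if it publishes the release, would make the least-privilege default explicit for every job, including any added later. `contents: read` is the right scope for this job, since its only step reads the repository; the `run-only-on-main-branch` job body continues outside the hunk. Separately, because `actions/checkout@v4` defaults to a shallow fetch, it is worth confirming with a tag several commits behind the tip that `git merge-base --is-ancestor` still sees the shared history after `git fetch origin main`; if it does not, `fetch-depth: 0` on the checkout step resolves it.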
| name: Build on ${{ matrix.os }} | ||
| runs-on: ${{ matrix.os }} | ||
| needs: run-only-on-main-branch | ||
| strategy: | ||
| matrix: | ||
| os: [windows-latest, ubuntu-latest, macos-latest] | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up GraalVM | ||
| uses: graalvm/setup-graalvm@v1 | ||
| with: | ||
| java-version: "21" | ||
| distribution: "graalvm" | ||
|
|
||
| - name: Build native image | ||
| run: mvn -B clean package -Pnative | ||
|
|
||
| - name: Locate built executable | ||
| id: find_exe | ||
| shell: bash | ||
| run: | | ||
| mkdir dist | ||
|
|
||
| OS_NAME=${{ matrix.os }} | ||
| if [[ "$OS_NAME" == "windows-latest" ]]; then | ||
| BIN_PATH=$(find target -type f -name "jfiletreeprettyprinter.exe") | ||
| else | ||
| BIN_PATH=$(find target -type f -name "jfiletreeprettyprinter") | ||
| fi | ||
|
|
||
| echo "Found binary: $BIN_PATH" | ||
| cp "$BIN_PATH" dist/ | ||
| echo "bin_path=$BIN_PATH" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Zip executable | ||
| id: zip_exe | ||
| shell: bash | ||
| run: | | ||
| VERSION=${GITHUB_REF_NAME} | ||
| OS_NAME=${{ matrix.os }} | ||
| case "$OS_NAME" in | ||
| ubuntu-latest) SAFE_OS_NAME="linux" ;; | ||
| windows-latest) SAFE_OS_NAME="windows" ;; | ||
| macos-latest) SAFE_OS_NAME="macos" ;; | ||
| *) SAFE_OS_NAME="$OS_NAME" ;; | ||
| esac | ||
| ZIP_NAME="jfiletreeprettyprinter-${VERSION}-${SAFE_OS_NAME}.zip" | ||
| echo "Zip to create: $ZIP_NAME" | ||
|
|
||
| cd dist | ||
| if [[ "$SAFE_OS_NAME" == "windows" ]]; then | ||
| powershell Compress-Archive -Path * -DestinationPath "$ZIP_NAME" | ||
| else | ||
| tar -a -c -f "$ZIP_NAME" * | ||
| fi | ||
| echo "zip_path=dist/$ZIP_NAME" >> $GITHUB_OUTPUT | ||
| cd .. | ||
|
|
||
| - name: Upload artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: release-zips-${{ matrix.os }} | ||
| path: ${{ steps.zip_exe.outputs.zip_path }} | ||
|
|
||
| release: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 months ago
The best and most secure way to resolve this problem is to add a `permissions:` block to the `build-native` job in the workflow YAML file at `.github/workflows/create-github-release.yaml`. Since the `build-native` job only performs code checkout, builds code, and uploads artifacts (but does not push code, manage releases, or require administrative privileges), the minimal `contents: read` permission is appropriate here. This limits the token permissions and aligns with GitHub's least-privilege recommendations. No functional change or additional methods/imports are required—simply add `permissions:` with `contents: read` under the `build-native:` job, at the same indentation level as `name: ...`, `runs-on: ...`, and `strategy:`.
| @@ -29,6 +29,8 @@ | ||
| name: Build on ${{ matrix.os }} | ||
| runs-on: ${{ matrix.os }} | ||
| needs: run-only-on-main-branch | ||
| permissions: | ||
| contents: read | ||
| strategy: | ||
| matrix: | ||
| os: [windows-latest, ubuntu-latest, macos-latest] |
No description provided.