Update workflow that handles contributor comments to the latest version#13580
uses: learningequality/.github/.github/workflows/contributor-issue-comment.yml@main
secrets:
  LE_BOT_APP_ID: ${{ secrets.LE_BOT_APP_ID }}
  LE_BOT_PRIVATE_KEY: ${{ secrets.LE_BOT_PRIVATE_KEY }}
  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
  SLACK_COMMUNITY_NOTIFICATIONS_WEBHOOK_URL: ${{ secrets.SLACK_COMMUNITY_NOTIFICATIONS_WEBHOOK_URL }}
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (severity: Medium)
Copilot Autofix
AI 9 months ago
To fix the problem, we should add a permissions: block that grants only the minimum privileges required for this workflow. Since the workflow responds to issue comments and may need to write to issues or pull requests (depending on what the reusable workflow does), a minimal but generally safe starting point is:
permissions:
  contents: read
  issues: write

If you know for sure that only read access (or only certain write privileges) are required, further restrict as appropriate. This block should be added at the top level of the workflow file (after the name: and before on:), to apply to all jobs in the workflow. No further code or method changes are necessary.
| @@ -1,3 +1,6 @@ | ||
| permissions: | ||
| contents: read | ||
| issues: write | ||
| name: Handle contributor comment on GitHub issue | ||
|
|
||
| on: |
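Review bot: the inserted block (`permissions:` / `contents: read` / `issues: write`) grants the caller's GITHUB_TOKEN `issues: write`, yet the calling job passes LE_BOT_APP_ID and LE_BOT_PRIVATE_KEY into the reusable workflow, which indicates that comments and labels are written with a GitHub App installation token rather than with GITHUB_TOKEN. Check the reusable workflow's own `permissions:` and whether it ever uses `github.token`; if it does not, `contents: read` alone (or `permissions: {}`) is the tighter choice, because the caller's block is the ceiling that the called workflow's jobs can request and can only be lowered from there. Separately, the autofix text says to place the block after `name:` and before `on:`, while the hunk inserts it above `name:`; both are valid top-level YAML, but putting it below `name:` matches the stated intent and the usual workflow layout.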
@rtibbles All secrets are already available in this repo, so no setup needed.
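Checking for this finding outside CodeQL: the following is an added example, not code from the PR, the page, or the learningequality project. It scans workflow YAML for the same condition the CodeQL query reports on, a `permissions:` key at the top level or on every job, using an indentation-based scan with the standard library only. It assumes the conventional two-space YAML indentation; the sample workflows, the job id `handle-comment`, and the `issue_comment` trigger are constructed for the example and are not taken from the PR.

```python
"""Flag GitHub Actions workflows that never declare GITHUB_TOKEN permissions.

Added example: reproduces the condition behind CodeQL's "Workflow does not
contain permissions" finding with the standard library only. A workflow
passes when it has a top-level `permissions:` key, or when every job under
`jobs:` carries its own `permissions:` key. The scan is indentation based and
assumes two-space YAML indentation (an assumption of this example; a real
linter should parse the YAML).
"""
import re
from dataclasses import dataclass

# A mapping key at the start of a line, e.g. "permissions:" or "  contents: read".
KEY_RE = re.compile(r"^(?P<indent> *)(?P<key>[A-Za-z0-9_.-]+):")


@dataclass
class PermissionsReport:
    top_level: bool          # `permissions:` present at indentation 0
    jobs: dict[str, bool]    # job id -> job declares its own `permissions:`

    def jobs_missing(self) -> list[str]:
        """Jobs left on the repository default token because nothing restricts it."""
        return sorted(job for job, has_block in self.jobs.items() if not has_block)

    def ok(self) -> bool:
        """True when the token is restricted for every job, at either level."""
        return self.top_level or (bool(self.jobs) and not self.jobs_missing())


def scan_workflow(text: str) -> PermissionsReport:
    """Report where `permissions:` is (or is not) declared in workflow YAML."""
    top_level = False
    jobs: dict[str, bool] = {}
    in_jobs = False        # inside the top-level `jobs:` mapping
    current_job = None     # job id whose keys are currently being read
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue       # blank lines and comments
        m = KEY_RE.match(line)
        if not m:
            continue       # list items, block-scalar bodies, continuation lines
        indent, key = len(m.group("indent")), m.group("key")
        if indent == 0:
            in_jobs = key == "jobs"
            current_job = None
            if key == "permissions":
                top_level = True
        elif in_jobs and indent == 2:
            current_job = key          # a new job id
            jobs[key] = False
        elif in_jobs and indent == 4 and current_job and key == "permissions":
            jobs[current_job] = True   # job-level block
    return PermissionsReport(top_level, jobs)


def describe(name: str, text: str) -> str:
    """One-line verdict for a workflow, in the style of a linter message."""
    report = scan_workflow(text)
    if report.ok():
        where = "top-level block" if report.top_level else "per-job blocks"
        return f"{name}: OK ({where})"
    missing = ", ".join(report.jobs_missing()) or "(no jobs declared)"
    return f"{name}: FINDING, jobs without permissions: {missing}"


# Constructed sample workflows (not the PR's file). The job id `handle-comment`
# and the `issue_comment` trigger are assumptions made for this example.
CALLER_NO_PERMISSIONS = """\
name: Handle contributor comment on GitHub issue

on:
  issue_comment:
    types: [created]

jobs:
  handle-comment:
    uses: learningequality/.github/.github/workflows/contributor-issue-comment.yml@main
    secrets:
      LE_BOT_APP_ID: ${{ secrets.LE_BOT_APP_ID }}
      LE_BOT_PRIVATE_KEY: ${{ secrets.LE_BOT_PRIVATE_KEY }}
"""

# The autofix shape: one top-level block covering every job.
CALLER_TOP_LEVEL = "permissions:\n  contents: read\n  issues: write\n" + CALLER_NO_PERMISSIONS

# The alternative shape: each job restricts its own token.
PER_JOB = """\
name: per-job example
on: [push]
jobs:
  lint:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  comment:
    permissions: {}
    runs-on: ubuntu-latest
    steps:
      - run: echo "writes with an app token, not GITHUB_TOKEN"
"""

# One job restricted, one left at the default: still a finding.
MIXED = PER_JOB.replace("    permissions: {}\n", "")

if __name__ == "__main__":
    for label, text in [("caller as flagged", CALLER_NO_PERMISSIONS),
                        ("caller after autofix", CALLER_TOP_LEVEL),
                        ("per-job", PER_JOB), ("mixed", MIXED)]:
        print(describe(label, text))
```

The per-job form is worth knowing alongside the autofix's top-level block: when different jobs need different scopes (one checks out code, another only posts a comment), restricting each job separately keeps the broadest grant from leaking into jobs that never use it.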
Summary
Companion to learningequality/.github#29, which was tested successfully in test-actions. Also renames the file to match exactly the new example calling script in the .github repository.