Skip to content

Potential fix for code scanning alert no. 31: Workflow does not contain permissions#2786

Open
aramprice wants to merge 1 commit into
mainfrom
alert-autofix-31
Open

Potential fix for code scanning alert no. 31: Workflow does not contain permissions#2786
aramprice wants to merge 1 commit into
mainfrom
alert-autofix-31

Conversation

@aramprice

Copy link
Copy Markdown
Member

Potential fix for https://github.com/cloudfoundry/bosh/security/code-scanning/31

Add an explicit permissions block at the workflow root so it applies to both jobs consistently. The minimal least-privilege setting needed here is:

  • contents: read

This preserves functionality (actions/checkout can still read repository contents) while preventing unintended write-capable token scopes.

Edit .github/workflows/ruby.yml near the top, directly after on: (or before jobs:), and add:

permissions:
  contents: read

No new imports, methods, or dependencies are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@linux-foundation-easycla

linux-foundation-easycla Bot commented Jul 16, 2026

Copy link
Copy Markdown

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: aramprice / name: aram price (11ef6aa)

@aramprice

Copy link
Copy Markdown
Member Author

/easycla

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@aramprice

Copy link
Copy Markdown
Member Author

/easycla

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

2 participants