Skip to content

chore: add explicit permission on release workflow #4999

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 15, 2025
Merged

chore: add explicit permission on release workflow #4999

merged 3 commits into from
Sep 15, 2025

Conversation

@remyleone
Copy link
Member

@remyleone remyleone commented Sep 12, 2025

Potential fix for https://github.com/scaleway/scaleway-cli/security/code-scanning/51

The best way to fix this problem is to add an explicit permissions block to the workflow. Ideally, you should set this block at the top (workflow) level so that it applies to all jobs, unless a particular job requires more specific permissions—in which case, override at the job level. As a minimal and safe default, use contents: read. If a job (such as goreleaser, which may need to create GitHub Releases or upload assets) requires additional permissions (such as contents: write or packages: write), configure these specifically for that job. Since the wasm job seems only to publish to npm and not interact with the GitHub API, it can probably use only contents: read, but goreleaser may require more.

For the minimal fix, add permissions: contents: read at the root workflow level. For greater robustness, consider specifying job-level permissions: goreleaser with contents: write, wasm with contents: read.

Files/regions to change:

  • Add a permissions: block after the name: at the top of .github/workflows/release.yml.
  • Optionally, add a more permissive permissions: block under the goreleaser: job if it requires it, otherwise rely on the root-level block.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

remyleone and others added 2 commits September 12, 2025 17:46
@remyleone @github-advanced-security
chore: add explicit permission on release workflow
59a458e 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@remyleone
Change permissions from read to write for contents
5806655
@remyleone remyleone changed the title Potential fix for code scanning alert no. 51: Workflow does not contain permissions chore: add explicit permission on release workflow Sep 12, 2025
@remyleone remyleone marked this pull request as ready for review September 12, 2025 15:49
@remyleone remyleone enabled auto-merge September 15, 2025 12:56
@remyleone remyleone added this pull request to the merge queue Sep 15, 2025
Merged via the queue into master with commit 08256c7 Sep 15, 2025
17 checks passed
@remyleone remyleone deleted the alert-autofix-51 branch September 15, 2025 13:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jremy42 jremy42 jremy42 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@remyleone @jremy42