Conversation

@thpierce
Contributor

Potential fix for https://github.com/aws-observability/aws-otel-dotnet/security/code-scanning/1

To fix the problem, add an explicit permissions block to the workflow or the affected job to restrict the GITHUB_TOKEN's permissions to only what is required. As only issue and PR labeling, marking, and closing functionality are needed for the actions/stale@v6 step, specifying contents: read, issues: write, and pull-requests: write is recommended. This block can be placed at the workflow root (affecting all jobs) or for the specific job ("stale-close"). Since this workflow only has one job, either location is equivalent, but best practice is to set it at the job level for clarity.

Add the following block under jobs.stale-close (after line 21 and before runs-on:):

permissions:
  contents: read
  issues: write
  pull-requests: write

No imports or other code definitions are required.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@thpierce thpierce marked this pull request as ready for review October 14, 2025 16:26
@ezhang6811 ezhang6811 left a comment

This PR seems like the best application of the least-permissions principle.
aws-observability/aws-otel-python#99 has contents: write, which shouldn't be necessary.
https://github.com/aws-observability/aws-otel-ruby/pull/159/files places this at the workflow level instead of the job level.

Recommend having both those PRs match this one, though not blocking.
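Both the PR description (which block to add, and why job level and workflow level are equivalent for a one-job workflow) and the review comment (workflow-level placement, an unneeded contents: write) come down to how GitHub resolves the GITHUB_TOKEN's effective scopes. The following is an added example, not code from aws-otel-dotnet or from this PR: a small resolver that applies GitHub's documented rules (job-level block replaces the workflow-level one outright; any block present zeroes every scope it does not name; no block means the repository default) and then reports excess or missing scopes relative to what the actions/stale step needs. The workflow dicts mirror the YAML under discussion and are constructed here; the job id stale-close and actions/stale@v6 are from the PR description, everything else (schedule, runner, the python/ruby placements) is assumed.

```python
"""Resolve the effective GITHUB_TOKEN scopes a workflow job receives.

Added example for this thread; it is not code from aws-otel-dotnet or
from the PR. It encodes GitHub's documented rules:
  * a job-level `permissions` block replaces the workflow-level one
    outright (no merging);
  * once any `permissions` block applies, every scope it does not name
    drops to `none` (metadata is always `read` and is omitted here);
  * with no block at all, the token gets the repository default,
    "permissive" or "restricted".
The workflow dicts are constructed for this example; only the job id and
the action come from the PR description, the rest is assumed.
"""

SCOPES = (
    "actions", "checks", "contents", "deployments", "id-token", "issues",
    "packages", "pages", "pull-requests", "security-events", "statuses",
)
RANK = {"none": 0, "read": 1, "write": 2}

# Repository defaults used when no block is present (id-token is none in
# both; "restricted" is contents/packages read-only).
DEFAULTS = {
    "restricted": {**{s: "none" for s in SCOPES},
                   "contents": "read", "packages": "read"},
    "permissive": {**{s: "write" for s in SCOPES}, "id-token": "none"},
}

# Everything actions/stale needs, per the PR description: read the repo,
# label/comment/close issues and pull requests.
STALE_NEEDS = {"contents": "read", "issues": "write", "pull-requests": "write"}


def expand(block):
    """Turn a permissions block into an explicit level for every scope."""
    if block == "read-all":
        return {s: "read" for s in SCOPES}
    if block == "write-all":
        return {s: "write" for s in SCOPES}
    levels = {s: "none" for s in SCOPES}       # unnamed scopes -> none
    for scope, level in block.items():
        if scope not in SCOPES or level not in RANK:
            raise ValueError(f"invalid permission {scope!r}: {level!r}")
        levels[scope] = level
    return levels


def effective_permissions(workflow, job_id, repo_default="permissive"):
    """Return {scope: level} for the token the named job actually gets."""
    job = workflow["jobs"][job_id]
    if "permissions" in job:                   # job level wins outright
        return expand(job["permissions"])
    if "permissions" in workflow:              # else the workflow block
        return expand(workflow["permissions"])
    return dict(DEFAULTS[repo_default])        # else the repo default


def excess_scopes(levels, needed=STALE_NEEDS):
    """(scope, level) pairs where the token exceeds what the step needs."""
    return sorted((s, lvl) for s, lvl in levels.items()
                  if RANK[lvl] > RANK[needed.get(s, "none")])


def missing_scopes(levels, needed=STALE_NEEDS):
    """(scope, level) pairs where the token is too weak for the step."""
    return sorted((s, lvl) for s, lvl in needed.items()
                  if RANK[levels[s]] < RANK[lvl])


def stale_workflow(job_permissions=None, workflow_permissions=None):
    """Build a one-job stale workflow with the given blocks (constructed)."""
    job = {"runs-on": "ubuntu-latest", "steps": [{"uses": "actions/stale@v6"}]}
    if job_permissions is not None:
        job["permissions"] = job_permissions
    wf = {"name": "stale", "on": {"schedule": [{"cron": "0 0 * * *"}]},
          "jobs": {"stale-close": job}}
    if workflow_permissions is not None:
        wf["permissions"] = workflow_permissions
    return wf


BEFORE = stale_workflow()                                  # no block anywhere
JOB_LEVEL = stale_workflow(job_permissions=STALE_NEEDS)    # this PR's placement
WORKFLOW_LEVEL = stale_workflow(workflow_permissions=STALE_NEEDS)
CONTENTS_WRITE = stale_workflow(job_permissions={**STALE_NEEDS, "contents": "write"})
# Workflow-level contents: write plus a job-level block: the job block
# replaces it entirely, so contents ends up read, not write.
OVERRIDDEN = stale_workflow(job_permissions=STALE_NEEDS,
                            workflow_permissions={"contents": "write"})

if __name__ == "__main__":
    cases = [("before", BEFORE), ("job-level", JOB_LEVEL),
             ("workflow-level", WORKFLOW_LEVEL),
             ("contents-write", CONTENTS_WRITE), ("overridden", OVERRIDDEN)]
    for name, wf in cases:
        for default in ("permissive", "restricted"):
            lv = effective_permissions(wf, "stale-close", default)
            print(f"{name:15} default={default:11} "
                  f"excess={excess_scopes(lv)} missing={missing_scopes(lv)}")
```

Two things the resolver makes visible that the thread only implies: for a one-job workflow the job-level and workflow-level placements yield identical tokens, so the reviewer's preference is purely about clarity; and with no block at all the outcome depends on the repository default, either far too broad (permissive) or too weak for stale to label anything (restricted), so the explicit block fixes both directions, not just the over-privilege the code-scanning alert reported.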

@thpierce
Contributor Author

aws-observability/aws-otel-python#99 has contents: write which shouldn't be necessary
I think you meant ruby - I'm going to skip as I don't think it's critical.

https://github.com/aws-observability/aws-otel-ruby/pull/159/files places this at the workflow level instead of job level.
I think you meant python - Fixed

Integration Test / Integration Test (push) seems unhealthy, but not related to this PR so will bypass.

@thpierce thpierce merged commit e07e705 into main Oct 14, 2025
3 of 4 checks passed
@thpierce thpierce deleted the alert-autofix-1 branch October 14, 2025 20:15
2 participants