ci: synced file(s) with honestbank/.github #49
Terraform Format and Style 🖌
| name: "terraform" | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: "recursive" | ||
| - name: Set up Terraform | ||
| uses: hashicorp/setup-terraform@v3 | ||
| with: | ||
| cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} | ||
| - name: Terraform Format | ||
| id: fmt | ||
| run: terraform fmt | ||
| continue-on-error: true | ||
| - name: Terraform Init | ||
| id: init | ||
| run: terraform init | ||
| - name: Terraform Validate | ||
| id: validate | ||
| run: terraform validate -no-color | ||
| - name: Terraform Plan | ||
| id: plan | ||
| run: terraform plan -no-color | ||
| continue-on-error: true |
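Review bot: The `Terraform Format` step cannot flag unformatted code, because `run: terraform fmt` without `-check` rewrites files in the runner workspace and `continue-on-error: true` swallows any remaining failure. Use `terraform fmt -check -recursive`, and if the job must keep going, have a later step fail on `steps.fmt.outcome`. The same applies to `Terraform Plan`, whose `continue-on-error: true` lets a failed plan pass unless a later step checks `steps.plan.outcome`. Separately, `actions/checkout@v4` and `hashicorp/setup-terraform@v3` are mutable tags in a job that is handed `secrets.TF_API_TOKEN`; pinning both to full commit SHAs keeps a retagged release from running with that token.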
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 months ago
The best way to fix this issue is to add a permissions block to either the root of the workflow (applies to all jobs) or specifically to the affected job (terraform) if only one job exists. Given only one job (terraform) and to be maximally clear, add the block within the job's definition. The minimal permissions required are usually contents: read, since the workflow only needs to read code from the repository, not write. This is inserted directly after the job name (after line 9) and before runs-on.
No imports or custom methods are needed; this is a YAML configuration change.
| @@ -7,6 +7,8 @@ | ||
| jobs: | ||
| terraform: | ||
| name: "terraform" | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout |
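Review bot: Adding `permissions:` with only `contents: read` on the `terraform` job sets every other `GITHUB_TOKEN` scope to none, so confirm that no step after `Terraform Plan` writes back to the pull request. If one does (for example a step that posts the fmt/plan result as a comment), it needs `pull-requests: write` listed here explicitly; otherwise it will start failing with a 403 once this lands.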
| name: terratest | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: true | ||
| - name: Set up Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: 1.20 | ||
| id: go | ||
| - name: Run 'go test -v -timeout 60m' | ||
| run: | | ||
| cd test | ||
| go mod download | ||
| go test -v -timeout 30m |
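Review bot: In the `Set up Go` step, `go-version: 1.20` is an unquoted YAML number and is parsed as `1.2`, so the action is asked for Go 1.2 rather than 1.20; quote it as `go-version: "1.20"`. The test step is also inconsistent: its name says `-timeout 60m` while the command runs `go test -v -timeout 30m`, so align the two to whichever limit is intended. As in the terraform workflow, `actions/checkout@v4` and `actions/setup-go@v5` would be safer pinned to commit SHAs.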
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 months ago
To address this issue, explicitly set the permissions: block for the job (terratest), or at the workflow root to apply to all jobs. Since there is no indication that this workflow requires write access to repository contents, permissions: contents: read is the recommended minimal starting point. Place the block under the terratest job on line 15 (before runs-on:), as per the highlighted error location. This change will limit the GITHUB_TOKEN permissions accessible to this job to repository contents in read-only mode, adhering to the principle of least privilege and best practices for GitHub Actions workflows.
| @@ -12,6 +12,8 @@ | ||
| jobs: | ||
| terratest: | ||
| name: terratest | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout |
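Review bot: The `permissions:` block here is scoped to the `terratest` job only, so any job added to this workflow later falls back to the repository default token permissions. Since this file is synced from a shared template, consider declaring `permissions: contents: read` at the workflow root instead and widening it per job only where a job needs more.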
synced local file(s) with honestbank/.github.
This PR was created automatically by the repo-file-sync-action workflow run #18672768423