Skip to content

Update 8hobbies/workflows digest to ad34dcf #315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
renovate merged 1 commit into from
Mar 29, 2026
Merged

Update 8hobbies/workflows digest to ad34dcf #315

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,4 @@

jobs:
lint:
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@d1e85a08791c06db486a7943658d5090c27339db
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 4 days ago

To fix the problem, explicitly declare a permissions block that grants only the minimal rights needed by this lint workflow. Since a lint job typically needs only to read the repository contents (and possibly packages), a conservative default is contents: read. This should be set at the root level of the workflow so it applies to all jobs, including the reusable one, unless that reusable workflow overrides it.

Concretely, in .github/workflows/lint.yml, add a permissions: mapping just below the name: Lint line and before the on: block. Use:

permissions:
  contents: read

This keeps existing functionality unchanged (linting still has read access to the repo) while ensuring the GITHUB_TOKEN is not granted unnecessary write permissions. No imports or additional methods are needed, only this YAML configuration change.

Suggested changeset 1
.github/workflows/lint.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,6 +14,9 @@
 
 name: Lint
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["master"]
EOF
@@ -14,6 +14,9 @@

name: Lint

permissions:
contents: read

on:
push:
branches: ["master"]
Copilot is powered by AI and may make mistakes. Always verify output.
2 changes: 1 addition & 1 deletion .github/workflows/pages.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,4 +25,4 @@ jobs:
permissions:
pages: write
id-token: write
uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@d1e85a08791c06db486a7943658d5090c27339db
uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655
2 changes: 1 addition & 1 deletion .github/workflows/publish-dry-run.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,4 @@

jobs:
run:
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@d1e85a08791c06db486a7943658d5090c27339db
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 4 days ago

In general, the fix is to add an explicit permissions: block that grants only the minimal required scopes to GITHUB_TOKEN. Declaring this at the top (workflow) level will apply to all jobs that don’t define their own permissions; declaring it inside a specific job will apply just to that job. Since this workflow only contains a single job run that reuses another workflow, the safest and clearest approach is to add a workflow-level permissions: block restricting permissions to read-only (contents: read), which aligns with the recommended minimal baseline when the workflow is not expected to modify repository state directly.

Concretely, in .github/workflows/publish-dry-run.yml, insert a permissions: section between the name: and on: keys (around line 17). Use:

permissions:
  contents: read

This documents that the workflow only needs read access to repository contents and prevents inadvertent elevation if repository/org defaults are broader. No imports, methods, or other definitions are needed; this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/publish-dry-run.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-dry-run.yml b/.github/workflows/publish-dry-run.yml
--- a/.github/workflows/publish-dry-run.yml
+++ b/.github/workflows/publish-dry-run.yml
@@ -14,6 +14,9 @@
 
 name: Publish Dry Run
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["master"]
EOF
@@ -14,6 +14,9 @@

name: Publish Dry Run

permissions:
contents: read

on:
push:
branches: ["master"]
Copilot is powered by AI and may make mistakes. Always verify output.
2 changes: 1 addition & 1 deletion .github/workflows/publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,6 @@
tags: ["v*"]
jobs:
build:
uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@d1e85a08791c06db486a7943658d5090c27339db
uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655
secrets:
npm-auth-token: ${{ secrets.NPM_TOKEN }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
2 changes: 1 addition & 1 deletion .github/workflows/runtime.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,4 @@

jobs:
test:
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@d1e85a08791c06db486a7943658d5090c27339db
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 4 days ago

In general, the fix is to define an explicit permissions: block that limits the default GITHUB_TOKEN scope, either at the workflow root (applies to all jobs) or under the specific job. Because this workflow only has the single test job that delegates to a reusable workflow, the minimal and safest change is to add a root-level permissions: block with read-only defaults.

The best concrete fix without changing functionality is:

  • Add a permissions: section between name: Runtime and on: (root-level).
  • Set conservative defaults such as contents: read and packages: read, which match GitHub’s recommended minimal read-only permissions and should be sufficient for typical runtime/test workflows that only need to fetch code and packages.
  • Leave the existing jobs.test.uses line unchanged so the workflow behavior is preserved; we are only constraining the GITHUB_TOKEN.

No additional imports, methods, or definitions are needed since this is a YAML workflow file.

Suggested changeset 1
.github/workflows/runtime.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/runtime.yml b/.github/workflows/runtime.yml
--- a/.github/workflows/runtime.yml
+++ b/.github/workflows/runtime.yml
@@ -14,6 +14,10 @@
 
 name: Runtime
 
+permissions:
+  contents: read
+  packages: read
+
 on:
   push:
     branches: ["master"]
EOF
@@ -14,6 +14,10 @@

name: Runtime

permissions:
contents: read
packages: read

on:
push:
branches: ["master"]
Copilot is powered by AI and may make mistakes. Always verify output.
Loading