
fix: Potential fix for code scanning alert no. 6: Workflow does not contain permissions #174

Merged: teolemon merged 1 commit into main from alert-autofix-6 on Nov 6, 2025


@teolemon
Member

Potential fix for https://github.com/openfoodfacts/nutripatrol-frontend/security/code-scanning/6

To fix the problem, add a permissions block to the workflow to explicitly set the minimal required permissions for the job. Since the workflow is triggered on pull_request_target and uses the amannn/action-semantic-pull-request action, the minimal permissions required are typically contents: read (to read the PR) and pull-requests: write (to update PR status checks). The permissions block can be added at the workflow root (applies to all jobs) or at the job level (applies only to the specific job). The best practice is to add it at the workflow root unless different jobs require different permissions. In this case, adding it at the root is sufficient and clear.

What to change:

  • In .github/workflows/semantic-pr.yml, add the following block after the name field and before the on field:
    permissions:
      contents: read
      pull-requests: write
  • No additional imports or definitions are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
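
The condition behind this alert can be checked locally before a workflow is pushed. The following is an added example, not code from this repository or from the code scanning rule: a small indentation-based scanner (not a full YAML parser) that lists jobs covered by neither a root-level nor a job-level `permissions:` key, which therefore run with the repository's default `GITHUB_TOKEN` scope. The workflow text, the job id `main` and the `<version>` placeholder are constructed for illustration.

```python
import re

KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):")  # a plain `key:` line and its indent

def jobs_missing_permissions(workflow_text):
    """Return ids of jobs covered by neither a root nor a job-level `permissions:`."""
    root_perms = in_jobs = False
    job_indent = key_indent = current = None
    jobs = {}  # job id -> True once its own permissions key is seen
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:                      # comments, list items, blank lines
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                # top-level key of the workflow
            in_jobs = key == "jobs"
            root_perms = root_perms or key == "permissions"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent    # first key under jobs: is a job id
            if indent == job_indent:
                current, key_indent = key, None
                jobs[current] = False
            elif current is not None:
                if key_indent is None:
                    key_indent = indent    # first key inside this job
                if indent == key_indent and key == "permissions":
                    jobs[current] = True
    return [] if root_perms else [j for j, ok in jobs.items() if not ok]

# Constructed sample: the page names only the trigger, the action and the added block.
BEFORE = """\
name: Semantic PR
on:
  pull_request_target:
    types: [opened, edited, synchronize]
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@<version>
"""
# The fix from this PR: a root-level block after `name` and before `on`.
AFTER = BEFORE.replace(
    "\non:", "\npermissions:\n  contents: read\n  pull-requests: write\non:", 1)

if __name__ == "__main__":
    print("before:", jobs_missing_permissions(BEFORE))
    print("after: ", jobs_missing_permissions(AFTER))
```
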

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@teolemon teolemon changed the title Potential fix for code scanning alert no. 6: Workflow does not contain permissions fix: Potential fix for code scanning alert no. 6: Workflow does not contain permissions Aug 20, 2025
@teolemon teolemon marked this pull request as ready for review November 6, 2025 17:31
@teolemon teolemon merged commit 993b38c into main Nov 6, 2025
9 of 10 checks passed
@teolemon teolemon deleted the alert-autofix-6 branch November 6, 2025 17:31
@github-project-automation github-project-automation Bot moved this from Backlog to Done in 🛡️ Nutri-Patrol Nov 6, 2025