Merged
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
@@ -22,4 +22,4 @@

jobs:
lint:
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@593ea3eb002451d046b787891d190896b45068e3
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@067ef9a5f26017da21acc0f647d0f505951dcdf5
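Review bot: the caller still has no `permissions:` block, so bumping the pin leaves GITHUB_TOKEN at the repository default for the called workflow (the CodeQL finding right below this hunk); add `permissions: contents: read` at the top level in the same change rather than in a follow-up. The pin itself is a full 40-hex commit SHA, which is the right way to reference a third-party reusable workflow, but it carries no human-readable version comment; a trailing `# <tag>` on the `uses:` line lets a reviewer see what 067ef9a5 corresponds to without resolving it by hand.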

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 2 days ago

In general, to fix this type of issue you add an explicit permissions block either at the top level of the workflow (applies to all jobs) or under the specific job. For a lint workflow that should not modify repository contents, a minimal contents: read is typically sufficient. This constrains the GITHUB_TOKEN to read-only access to the repo contents unless more is needed.

For this specific file, the simplest, non-disruptive fix is to add a workflow-wide permissions block right after the on: section and before jobs:. That keeps the reusable workflow call intact while ensuring any job that doesn’t override permissions (including this lint job) runs with only read access to repository contents. Unless the reusable workflow’s implementation requires broader permissions (which we’re not told and must not assume), contents: read is the safest choice aligned with least privilege.

Concretely:

  • Edit .github/workflows/lint.yml.

  • After line 21 (the last line of the on: section), insert:

    permissions:
      contents: read

No imports or additional methods are required, as this is pure YAML configuration.

Suggested changeset 1
.github/workflows/lint.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -20,6 +20,9 @@
   pull_request:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@067ef9a5f26017da21acc0f647d0f505951dcdf5
EOF
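Review bot: `contents: read` is a sensible cap, but it is only as safe as the workflow the token is handed to. A caller's `permissions:` block is a ceiling for a called reusable workflow: the callee cannot add scopes on its own, so if npm-lint.yml needs anything beyond reading the tree (for example, annotating the pull request) the job will fail under this block rather than escalate. Because the `uses:` line pins a full commit SHA, the callee's own `permissions:` and steps can be inspected at exactly that revision before merging; do that once here rather than discovering a missing scope from a red run.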
Copilot is powered by AI and may make mistakes. Always verify output.
2 changes: 1 addition & 1 deletion .github/workflows/pages.yml
@@ -25,4 +25,4 @@ jobs:
permissions:
pages: write
id-token: write
uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@593ea3eb002451d046b787891d190896b45068e3
uses: 8hobbies/workflows/.github/workflows/npm-doc-pages.yml@067ef9a5f26017da21acc0f647d0f505951dcdf5
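Review bot: this is the only caller in the PR that scopes the job explicitly (`pages: write`, `id-token: write`), which is why it draws no CodeQL warning, and the same job-level pattern is the one to copy into the other four workflows. One caveat for the SHA bump: once a `permissions:` block is declared, every scope not listed, `contents` included, is `none` for the called workflow, and the callee cannot widen it. Confirm that npm-doc-pages.yml at 067ef9a5 still works with exactly these two scopes before relying on the new pin.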
2 changes: 1 addition & 1 deletion .github/workflows/publish-dry-run.yml
@@ -22,4 +22,4 @@

jobs:
run:
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@593ea3eb002451d046b787891d190896b45068e3
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@067ef9a5f26017da21acc0f647d0f505951dcdf5
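Review bot: same SHA bump and same missing `permissions:` block as lint.yml. This workflow is triggered by `pull_request`, so a PR from a fork already receives a read-only token, but a same-repository PR (or any `push` trigger) gets the repository default, which is exactly what CodeQL is flagging; a dry-run publish only needs to read the tree, so a top-level `permissions: contents: read` is the right cap and should go in with this change.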

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 2 days ago

To fix the problem, explicitly declare a permissions block so that the GITHUB_TOKEN is not implicitly given broad default scopes. Since this workflow’s single job only calls a reusable workflow and does not itself perform any repository-modifying actions, a safe minimal starting point is to set top-level permissions to read-only for contents (and other scopes can be added later if required after testing).

The best way to do this without changing functionality is to add a top-level permissions block (sibling of on: and jobs:) setting contents: read. This will apply to all jobs that don’t specify their own permissions, including the run job that calls the reusable workflow. If the reusable workflow requires more than read access, it should either (a) declare its own narrower permissions in that repository, or (b) you can later extend this block with the specific write scopes it needs. Concretely, in .github/workflows/publish-dry-run.yml, insert:

permissions:
  contents: read

between the on: block and the jobs: block. No imports or additional definitions are needed.

Suggested changeset 1
.github/workflows/publish-dry-run.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-dry-run.yml b/.github/workflows/publish-dry-run.yml
--- a/.github/workflows/publish-dry-run.yml
+++ b/.github/workflows/publish-dry-run.yml
@@ -20,6 +20,9 @@
   pull_request:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 jobs:
   run:
     uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@067ef9a5f26017da21acc0f647d0f505951dcdf5
EOF
2 changes: 1 addition & 1 deletion .github/workflows/publish.yml
@@ -19,6 +19,6 @@
tags: ["v*"]
jobs:
build:
uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@593ea3eb002451d046b787891d190896b45068e3
uses: 8hobbies/workflows/.github/workflows/npm-publish.yml@067ef9a5f26017da21acc0f647d0f505951dcdf5
secrets:
npm-auth-token: ${{ secrets.NPM_TOKEN }}
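Review bot: this is the only caller that hands a secret (`NPM_TOKEN`) to the reusable workflow, it has no `permissions:` block, and no Copilot autofix is shown for it on this page. Before copying the `contents: read` fix from the other files, check whether npm-publish.yml at 067ef9a5 needs `id-token: write` (it would if it publishes with npm provenance); the caller's block is a ceiling, so that scope has to be granted here, not inside the callee. The full-SHA pin is what makes a secret-bearing call into a third-party workflow reviewable: keep the pin at a commit and do not relax it to a tag or branch.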

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
2 changes: 1 addition & 1 deletion .github/workflows/runtime.yml
@@ -22,4 +22,4 @@

jobs:
test:
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@593ea3eb002451d046b787891d190896b45068e3
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@067ef9a5f26017da21acc0f647d0f505951dcdf5
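Review bot: fourth caller in this PR with the identical finding: the SHA moves but nothing sets `permissions:`, so the test job keeps the repository-default token. A test workflow has no reason to write anything through GITHUB_TOKEN; fix all four callers in this PR rather than bumping the pin now and leaving the token default in place.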

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 2 days ago

In general, the fix is to explicitly restrict the GITHUB_TOKEN permissions in the workflow to the minimum necessary, rather than relying on repository defaults. This is done by adding a permissions: block either at the top level of the workflow (applies to all jobs that don’t override it) or under the specific job.

For this workflow, the least invasive and clearest fix is to add a top-level permissions: block after the on: section, before jobs:. Since the workflow appears to just invoke a reusable workflow for runtime tests and does not itself need write access, we can safely set contents: read as a minimal, conservative default. If the reusable workflow requires additional scopes, they can still be requested there; setting read-only here will not unintentionally grant extra privileges. Concretely, in .github/workflows/runtime.yml, insert:

permissions:
  contents: read

between the on: block (lines 17–21) and the jobs: block (line 23). No imports or additional methods are needed; this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/runtime.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/runtime.yml b/.github/workflows/runtime.yml
--- a/.github/workflows/runtime.yml
+++ b/.github/workflows/runtime.yml
@@ -20,6 +20,9 @@
   pull_request:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@067ef9a5f26017da21acc0f647d0f505951dcdf5
EOF
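Review bot: the hunk is fine, but the sentence in the autofix text above it ("If the reusable workflow requires additional scopes, they can still be requested there") is backwards: a called reusable workflow cannot request scopes the caller withholds, the caller's block is the ceiling. So `contents: read` here does not merely "not grant extra privileges", it actively denies npm-runtime.yml everything else. That is the intended least-privilege outcome, but verify at 067ef9a5 that the callee needs nothing more, or the job fails.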