Engg. hygiene: Explicit Codecov workflow permissions#327
Merged
kjohn-msft merged 1 commit intomasterfrom Jul 1, 2025
Merged
Conversation
Remediating automated code scanning alert. Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #327 +/- ##
=======================================
Coverage 93.77% 93.77%
=======================================
Files 103 103
Lines 17924 17924
=======================================
Hits 16809 16809
Misses 1115 1115
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
kjohn-msft
changed the title
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds explicit workflow permissions to address a security code scanning issue by restricting the default permissions of the Codecov workflow.
- Added a "permissions" block with read access to repository contents.
- Updates the overall security posture of the CI workflow.
Comments suppressed due to low confidence (1)
.github/workflows/ci.yml:2
- Consider whether the workflow should also include write access for pull requests, as mentioned in the PR description, or add a clarifying comment explaining why only 'contents: read' is sufficient.
permissions:
rane-rajasi
approved these changes
Jun 30, 2025
michellemcdaniel
approved these changes
Jul 1, 2025
Merged
rane-rajasi
added a commit
that referenced
this pull request
Oct 2, 2025
Release includes: - [AzL3Tdnf] Refactoring TDNF Package Manager separating Azure Linux specializations in it's own implementation [331](#331) - [AzL3Tdnf] Renaming TdnfPackageManager to AzL3PackageManager [332](#332) - Feature: Azure Linux 3.0: Enhanced Support [318](#318) - Engg. hygiene: Explicit Codecov workflow permissions [327](#327)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/Azure/LinuxPatchExtension/security/code-scanning/1
To fix the issue, we will add a
permissionsblock at the root of the workflow file. This block will define the minimal permissions required for the workflow to function correctly. Based on the workflow's actions, it primarily needs read access to repository contents and write access to pull requests (if applicable). For uploading coverage reports, no additional permissions are required as thecodecov-actionuses theCODECOV_TOKENsecret.The
permissionsblock will be added at the root level to apply to all jobs in the workflow. If any job requires different permissions, we can override them within the specific job.Suggested fixes powered by Copilot Autofix. Review carefully before merging.