
Potential fix for code scanning alert no. 19: Workflow does not contain permissions #110

Merged
DaTiC0 merged 4 commits into main from alert-autofix-19 on Mar 13, 2026

Conversation

@DaTiC0 (Owner) commented Mar 13, 2026

Potential fix for https://github.com/DaTiC0/smart-google/security/code-scanning/19

In general, the fix is to explicitly define a permissions block for the workflow or the specific job, granting only the minimal scopes required. Since this job only checks out the repository and runs a script, it only needs read access to repository contents; no write permissions or other scopes (issues, pull-requests, actions, etc.) are necessary.

The best minimal fix here is to add a permissions block at the top (root) level of .github/workflows/path-safety.yml, alongside name and on. This will apply to all jobs in the workflow that do not override permissions individually. We'll set contents: read, which corresponds to a read-only token for repository contents and matches CodeQL’s suggested starting point. No changes to steps, actions versions, or scripts are needed, and no additional imports or external libraries are involved.

Concretely: in .github/workflows/path-safety.yml, after the name: Path safety line (line 1) and before the on: block (currently line 3), insert:

permissions:
  contents: read

This ensures the GITHUB_TOKEN used by actions/checkout is restricted to read-only contents access, preserving all existing behavior while satisfying least-privilege requirements.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by Sourcery

Constrain workflow token permissions and modernize Python web dependency versions.

Build:

  • Relax and update version constraints for Flask, SQLAlchemy, Werkzeug, Flask-SQLAlchemy, and Flask-Login in requirements.txt to support newer compatible releases.

CI:

  • Add a minimal read-only contents permission block to the path-safety GitHub Actions workflow to satisfy least-privilege and code scanning requirements.

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
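The fix described above amounts to one root-level permissions block. As an added example, not code from this repository or from Copilot Autofix, the following Python script reproduces the gist of the "Workflow does not contain permissions" check on a constructed before/after copy of the workflow. The trigger, job name and step contents are assumptions; the PR text only establishes that the file starts with name: Path safety, has an on: block, and that the job checks out the repository and runs a script.

```python
"""Added example: a minimal line-based check for GitHub Actions workflows
that lack a `permissions` block, run over constructed copies of
path-safety.yml before and after the fix in this PR.

Assumptions: the real workflow uses the 2-space-indented layout shown
below; the trigger, job name and steps are invented for illustration.
This is deliberately not a YAML parser.
"""
import re

# Constructed "before" state: no permissions block anywhere, so the
# job's GITHUB_TOKEN receives the repository's default scopes.
WORKFLOW_BEFORE = """\
name: Path safety

on:
  pull_request:
    branches: [main]

jobs:
  path-safety:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python scripts/check_paths.py
"""

# Constructed "after" state: the root-level block the PR inserts between
# `name:` and `on:`; every job that does not override it inherits it.
WORKFLOW_AFTER = """\
name: Path safety

permissions:
  contents: read

on:
  pull_request:
    branches: [main]

jobs:
  path-safety:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python scripts/check_paths.py
"""

TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):")     # key at column 0
JOB_KEY = re.compile(r"^  ([A-Za-z_][\w-]*):")   # key at indent 2 under jobs: (a job name)
JOB_SUB = re.compile(r"^    ([A-Za-z_][\w-]*):")  # key at indent 4 (inside a job)


def find_jobs_without_permissions(workflow_text):
    """Return the names of jobs whose GITHUB_TOKEN is restricted by
    neither a root-level nor a job-level `permissions` block."""
    root_has_permissions = False
    in_jobs = False
    jobs = {}            # job name -> whether it declares its own block
    current_job = None

    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = TOP_KEY.match(line)
        if m:
            key = m.group(1)
            in_jobs = key == "jobs"
            current_job = None
            if key == "permissions":
                root_has_permissions = True
            continue
        if not in_jobs:
            continue
        m = JOB_KEY.match(line)
        if m:
            current_job = m.group(1)
            jobs[current_job] = False
            continue
        m = JOB_SUB.match(line)
        if m and current_job and m.group(1) == "permissions":
            jobs[current_job] = True

    if root_has_permissions:
        # The root block covers every job that does not override it.
        return []
    return [name for name, own in jobs.items() if not own]


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        missing = find_jobs_without_permissions(text)
        print(f"{label}: jobs without permissions = {missing}")
```

Two caveats worth keeping in mind when applying this pattern elsewhere: a job-level permissions block replaces the root-level one for that job rather than merging with it, so a job that adds its own block must list every scope it needs; and a scan like this one only tells you that some block exists, not that the scopes in it are actually minimal.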
@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@sourcery-ai (Contributor) commented Mar 13, 2026

Reviewer's Guide

Defines minimal GitHub Actions permissions for the path-safety workflow to satisfy code scanning, and loosens/pins several Python dependency versions to more recent, compatible ranges.

Flow diagram for path-safety workflow trigger and job execution

flowchart LR
  PR_opened["Pull request opened or updated to main"] --> Trigger_workflow["Trigger path-safety workflow"]
  Trigger_workflow --> Apply_permissions["Apply workflow-level permissions (contents: read)"]
  Apply_permissions --> Start_job["Start path-safety job"]
  Start_job --> Checkout_repo["Use actions/checkout with GITHUB_TOKEN (read-only)"]
  Checkout_repo --> Run_script["Run path safety script on checked-out code"]
  Run_script --> Job_complete["Job completes (no repo write access)"]

File-Level Changes

Change: Constrain and modernize Flask-related Python dependencies with compatible version ranges instead of older strict pins.
Files: requirements.txt
  • Relax Flask from an exact 1.1.2 pin to a >=2.0.3,<3.0.0 range
  • Update Flask-SQLAlchemy to >=3.0.0,<4.0.0 to match newer Flask and SQLAlchemy APIs
  • Broaden SQLAlchemy to >=1.4.18,<3.0.0, replacing an exact 1.4.47 pin
  • Adjust Werkzeug to >=2.3.7,<3.0.0 to stay compatible with newer Flask
  • Update Flask-Login to >=0.6.0,<1.0.0 to align with the updated Flask ecosystem

Change: Restrict the GitHub Actions workflow token to read-only repository contents at the workflow level.
Files: .github/workflows/path-safety.yml
  • Add a workflow-level permissions block specifying contents: read just after the workflow name
  • Rely on inherited permissions for all jobs so they use a least-privilege GITHUB_TOKEN while keeping behavior unchanged


@DaTiC0 (Owner, Author) commented Mar 13, 2026

fix this @copilot
Run pytest
  pytest
  shell: /usr/bin/bash -e {0}
  env:
    pythonLocation: /opt/hostedtoolcache/Python/3.12.13/x64
    PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib/pkgconfig
    Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
    Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
    Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib
============================= test session starts ==============================
platform linux -- Python 3.12.13, pytest-9.0.2, pluggy-1.6.0
rootdir: /home/runner/work/smart-google/smart-google
collected 0 items / 1 error

==================================== ERRORS ====================================
______________________ ERROR collecting tests/test_app.py ______________________
ImportError while importing test module '/home/runner/work/smart-google/smart-google/tests/test_app.py'.
Hint: make sure your test modules/packages have valid Python names.
Traceback:
/opt/hostedtoolcache/Python/3.12.13/x64/lib/python3.12/importlib/__init__.py:90: in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
tests/test_app.py:13: in <module>
    from app import app as flask_app  # noqa: E402
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
app.py:7: in <module>
    from flask import Flask, send_from_directory
/opt/hostedtoolcache/Python/3.12.13/x64/lib/python3.12/site-packages/flask/__init__.py:14: in <module>
    from jinja2 import escape
E   ImportError: cannot import name 'escape' from 'jinja2' (/opt/hostedtoolcache/Python/3.12.13/x64/lib/python3.12/site-packages/jinja2/__init__.py)
=========================== short test summary info ============================
ERROR tests/test_app.py
!!!!!!!!!!!!!!!!!!!! Interrupted: 1 error during collection !!!!!!!!!!!!!!!!!!!!
=============================== 1 error in 0.16s ===============================
Error: Process completed with exit code 2.

Copilot AI (Contributor) commented Mar 13, 2026

@DaTiC0 I've opened a new pull request, #111, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI and others added 2 commits March 13, 2026 08:42
…a2 3.x incompatibility

Co-authored-by: DaTiC0 <13198638+DaTiC0@users.noreply.github.com>
[WIP] [19] Fix workflow permissions for code scanning
@DaTiC0 DaTiC0 marked this pull request as ready for review March 13, 2026 08:51
@sourcery-ai (Contributor) left a comment

Hey - I've left some high level feedback:

  • The requirements change introduces multiple major-version upgrades (e.g., Flask-SQLAlchemy 2.x → 3.x, Werkzeug 2.0.x → 2.3.x) that are potentially breaking; verify that the application does not rely on deprecated patterns (like app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] defaults, db.session usage, or old request/response APIs) that changed in these versions.
  • This PR is described as a fix for the workflow permissions alert but also modifies runtime dependencies in requirements.txt; consider splitting the dependency upgrades into a separate PR so they can be reviewed and validated independently from the CI configuration change.

@DaTiC0 DaTiC0 merged commit 377046a into main Mar 13, 2026
7 checks passed