-
Notifications
You must be signed in to change notification settings - Fork 22
Migrate to reusable workflows #93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| name: CodeQL | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| branches: | ||
| - main | ||
| - master | ||
| - develop | ||
| pull_request: | ||
|
|
||
| jobs: | ||
| analyse: | ||
| name: Call Ledger CodeQL analysis | ||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1 | ||
| secrets: inherit | ||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,16 @@ | ||||||||||||||||||||||||||
| name: Unit Tests | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||
| workflow_dispatch: | ||||||||||||||||||||||||||
| push: | ||||||||||||||||||||||||||
| branches: | ||||||||||||||||||||||||||
| - main | ||||||||||||||||||||||||||
| - master | ||||||||||||||||||||||||||
| - develop | ||||||||||||||||||||||||||
| pull_request: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||
| unit_tests: | ||||||||||||||||||||||||||
| name: Unit Tests | ||||||||||||||||||||||||||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1 | ||||||||||||||||||||||||||
| secrets: inherit | ||||||||||||||||||||||||||
|
Comment on lines
+14
to
+16
Check warningCode scanning / CodeQL Workflow does not contain permissions Medium
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
Copilot AutofixAI about 1 month ago In general, the fix is to add an explicit Concretely, in permissions:
contents: readThis limits the
Suggested changeset
1
.github/workflows/unit-tests.yml
Copilot is powered by AI and may make mistakes. Always verify output.
Refresh and try again.
|
||||||||||||||||||||||||||
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
In general, the fix is to explicitly declare
permissionsfor the GITHUB_TOKEN either at the workflow root (applies to all jobs) or at the job level (applies only to that job), and to restrict them to the minimal access needed. For a typical CodeQL analysis workflow that only needs to read the repository contents and security events, GitHub’s own starter workflows use read-only or narrowly scoped permissions such asactions: read,contents: read, andsecurity-events: write.The single best way to fix this without changing existing functionality is to add a
permissionsblock under theanalysejob. This keeps the change local to the job highlighted by CodeQL and avoids affecting any other jobs that might later be added to the workflow. A safe, least‑privilege set matching GitHub’s recommended CodeQL configuration is:These lines should be indented to align with the other keys under
analyse(e.g.,name,uses,secrets) in.github/workflows/codeql.yml. No additional methods, imports, or definitions are needed because this is pure workflow configuration.