
Conversation

@poopoothegorilla
Collaborator

Potential fix for https://github.com/smartcontractkit/chainlink-framework/security/code-scanning/5

In general, to fix this issue you explicitly define the permissions for each workflow or job so the GITHUB_TOKEN has only the scopes required. For jobs that only run shell commands and check other jobs’ results, you can either set permissions: {} to remove all default scopes, or set a very limited permission such as contents: read if you want to be conservative and future‑proof minimal read operations.

For this specific workflow, the detect-modules and golangci-lint jobs already define explicit permissions. Only the golangci-lint-result job is missing them. The best fix without changing existing functionality is to add a permissions block to golangci-lint-result. Since that job merely evaluates needs.golangci-lint.result and exits with a status code, it does not actually need any GitHub API access; therefore, permissions: {} is sufficient and most restrictive. If you prefer to follow the pattern used elsewhere in the workflow, you can also use permissions: contents: read, but the most minimal and clearly safe choice is an empty permissions map.

Concretely, in .github/workflows/golangci_lint.yml, add a permissions key under the golangci-lint-result job (around line 50) with an empty mapping. No imports or additional methods are needed, as this is only a YAML configuration change.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.
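To make the job-level change concrete, the workflow below is an added illustration written for this page; it is not the PR's diff and not the repository's actual .github/workflows/golangci_lint.yml. Only the three job names, the fact that the first two jobs already carry explicit permissions, and the shape of the result job (it reads needs.golangci-lint.result and exits non-zero on failure) come from the PR description. Every step body, the `if: always()` guard, the matrix wiring and the action versions are assumptions made to produce a complete, loadable file.

```yaml
# Added example, not the repository's own workflow. Job bodies are assumptions
# reconstructed from the PR description; only the job names and the
# `permissions` lines reflect what the PR text states.
name: golangci-lint

on:
  pull_request:

jobs:
  detect-modules:
    runs-on: ubuntu-latest
    # Already scoped in the real workflow (per the PR description). Listing Go
    # modules only needs a read-only checkout, so `contents: read` is enough.
    permissions:
      contents: read
    outputs:
      modules: ${{ steps.find.outputs.modules }}
    steps:
      - uses: actions/checkout@v4
      - id: find
        # Assumed discovery step: emit a JSON array of directories holding go.mod.
        run: |
          echo "modules=$(find . -name go.mod -printf '%h\n' | jq -R . | jq -cs .)" >> "$GITHUB_OUTPUT"

  golangci-lint:
    needs: detect-modules
    runs-on: ubuntu-latest
    # Already scoped in the real workflow (per the PR description).
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        module: ${{ fromJSON(needs.detect-modules.outputs.modules) }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: ${{ matrix.module }}/go.mod
      - name: Lint (placeholder)
        run: echo "lint step for ${{ matrix.module }} is a placeholder in this illustration"

  # BEFORE the fix: no `permissions` key at all, so this job inherits whatever
  # default GITHUB_TOKEN scopes the repository or organization grants, even
  # though it never calls the GitHub API.
  #
  # golangci-lint-result:
  #   needs: golangci-lint
  #   if: always()
  #   runs-on: ubuntu-latest
  #   steps:
  #     - run: ...
  #
  # AFTER the fix: an empty mapping at the job level replaces the inherited
  # default with no scopes, so a compromised step in this job gets a token
  # that can do nothing against the repository.
  golangci-lint-result:
    needs: golangci-lint
    if: always()   # assumed: run even when lint failed, so we can report it
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - name: Fail if golangci-lint did not succeed
        # needs.<job>.result is a fixed enum (success, failure, cancelled,
        # skipped), not attacker-controlled text, so interpolating it into the
        # shell here does not open an expression-injection path.
        run: |
          if [ "${{ needs.golangci-lint.result }}" != "success" ]; then
            echo "golangci-lint result: ${{ needs.golangci-lint.result }}"
            exit 1
          fi
```

Two points worth keeping in mind when applying this pattern: a job-level `permissions` block does not merge with a workflow-level one, it replaces it for that job, so `permissions: {}` is a hard floor regardless of what the top of the file or the repository settings grant; and a job that only inspects `needs.*.result` never touches the API, so there is no functionality to lose by emptying the map, which is why the empty mapping is preferable to carrying `contents: read` forward out of habit.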

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@poopoothegorilla poopoothegorilla marked this pull request as ready for review January 12, 2026 18:03
@poopoothegorilla poopoothegorilla requested a review from a team as a code owner January 12, 2026 18:03
@poopoothegorilla poopoothegorilla enabled auto-merge (squash) January 12, 2026 18:03
@poopoothegorilla poopoothegorilla merged commit d78c798 into main Jan 12, 2026
22 checks passed
@poopoothegorilla poopoothegorilla deleted the alert-autofix-5 branch January 12, 2026 18:05