…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Codecov Report
✅ All modified and coverable lines are covered by tests.

Additional details and impacted files
@@            Coverage Diff            @@
##           master    #3822     +/-   ##
=======================================
  Coverage   99.45%   99.45%
=======================================
  Files           3        3
  Lines         183      183
=======================================
  Hits          182      182
  Misses          1        1
☔ View full report in Codecov by Sentry.
LOL. Very low quality PR.

aminvakil left a comment
What about changing the default in workflow permissions?
https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
It should be changed for release.yml and other actions which do need write permission.
I guess this is a better approach (setting it to read by default).
@mdtro @oioki Heya, what do you folks think about what @aminvakil said above? This is a very low hanging fruit, but raises 8 security issues here: https://github.com/getsentry/self-hosted/security/code-scanning
@aldy505 - Setting the permissions explicitly would still be considered best practice and something we recommend even if the token is default set to read-only. Too many footguns with implicit behavior. :)

aminvakil left a comment
> @aldy505 - Setting the permissions explicitly would still be considered best practice and something we recommend even if the token is default set to read-only. Too many footguns with implicit behavior. :)
Agree!
Let's do this and change default permission later (or not).
I'm really hesitant to merge this since I consider this as a very low quality PR, but I got 3 approvals, so.... 🤣

Note
This was me playing around with GH Copilot Security. Feel free to merge if you think this helpful. Otherwise, please just close it.
Potential fix for https://github.com/getsentry/self-hosted/security/code-scanning/12
To fix this issue, add a `permissions:` block at the top level of the workflow file, directly under the `name:` line and before the `on:` block. This block should specify the minimal permissions required for the jobs in this workflow. Since the jobs only perform test-related tasks and do not push code or manage issues, setting `contents: read` is the safest and most appropriate minimal permission set. No changes to existing functionality are necessary, as the jobs should not require write permissions.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.
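As an added illustration (not part of the PR or the self-hosted repository), here is the change the autofix describes on a constructed two-document workflow: the first document has no `permissions:` block and inherits whatever the repository's default GITHUB_TOKEN permissions are; the second declares `contents: read` at the top level and grants `contents: write` only to the one job that needs it, which is the shape aminvakil's comment points at for release.yml. Workflow name, job names and scripts are placeholders.

```yaml
# Before (constructed): no permissions block, so every job receives the
# repository's default GITHUB_TOKEN scope, which may be read/write.
name: test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./test.sh        # placeholder test script
---
# After (constructed): least-privilege default for the whole workflow,
# placed directly under name: and before on:, as the autofix suggests.
name: test
permissions:
  contents: read
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checkout needs only contents: read
      - run: ./test.sh
  release:
    # A job that must push tags or publish a release states that itself.
    # The override is scoped to this job; the read-only default still
    # covers every other job in the file.
    permissions:
      contents: write
    runs-on: ubuntu-latest
    needs: test
    steps:
      - uses: actions/checkout@v4
      - run: ./release.sh     # placeholder release script
```

A quick check after the change: run a workflow and confirm in the job's "Set up job" log that GITHUB_TOKEN permissions list `Contents: read` for the test job and `Contents: write` only for the release job.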