| name: Regression | ||
| needs: [build] | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 15 | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| with: | ||
| fetch-depth: 50 | ||
| - uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: 14 | ||
| - uses: actions/cache@v3 | ||
| with: | ||
| path: | | ||
| node_modules | ||
| packages/*/node_modules | ||
| packages/core/.local-chromium | ||
| key: > | ||
| ${{ runner.os }}/node-14/ | ||
| ${{ hashFiles('.github/.cache-key') }}/ | ||
| ${{ hashFiles('**/yarn.lock') }} | ||
| restore-keys: > | ||
| ${{ runner.os }}/node-14/ | ||
| ${{ hashFiles('.github/.cache-key') }}/ | ||
| - uses: actions/download-artifact@v5 | ||
| with: | ||
| name: dist | ||
| path: packages | ||
| - run: yarn | ||
| - name: Install browser dependencies | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y --fix-missing libgbm-dev | ||
| - name: Set up @percy/cli | ||
| run: | | ||
| PERCY_PACKAGES=$(find packages -mindepth 1 -maxdepth 1 -type d | sed -e 's/packages/@percy/g' | tr '\n' ' ') | ||
| yarn global:link | ||
| yarn link `echo $PERCY_PACKAGES` | ||
| npx percy --version | ||
| - name: Run regression tests | ||
| run: yarn test:regression | ||
| env: | ||
| PERCY_TOKEN: ${{ secrets.PERCY_REGRESSION_TOKEN }} |
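Review bot: every action in this job is referenced by a mutable major tag (`actions/checkout@v5`, `actions/setup-node@v3`, `actions/cache@v3`, `actions/download-artifact@v5`), and `actions/setup-node@v3` with `node-version: 14` installs a Node line that reached end of life in April 2023. Pin each `uses:` to a full commit SHA with the tag in a trailing comment so a retagged release cannot silently change what runs, and move `setup-node` to a current major with a supported Node version. The bare `- run: yarn` step should also become `yarn install --frozen-lockfile`, so the install matches the `yarn.lock` that is hashed into the cache key instead of drifting from it.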
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 17 days ago
To fix the problem, explicitly declare least-privilege GITHUB_TOKEN permissions in the workflow. Since none of the jobs appear to perform repository write operations (no git push, no changes to PRs, etc.), they only need read access to repository contents. The simplest and safest solution is to add a root-level permissions: block with contents: read, which will apply to all jobs that do not override it.

Concretely, in .github/workflows/test.yml, add a new permissions: section between the on: block and the jobs: block. For example, insert:

permissions:
  contents: read

after line 6 (the last line of the on: triggers). This preserves existing behavior (all actions continue to work, since they only need to read code and metadata) while ensuring the GITHUB_TOKEN cannot write to repository contents. No imports, methods, or other definitions are needed, since this is a YAML configuration change only.
| @@ -4,6 +4,8 @@ | ||
| branches: [master] | ||
| pull_request: | ||
| workflow_dispatch: | ||
| permissions: | ||
| contents: read | ||
| jobs: | ||
| build: | ||
| name: Build |
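Review bot: the root-level `permissions:` with `contents: read` is the right least-privilege default, placed after the `workflow_dispatch:` trigger and before `jobs:`. Nothing in the `Regression` job writes to the repository, and its `actions/download-artifact@v5` step pulls an artifact produced in the same run (`needs: [build]`), so no job-level override is needed; if a job later needs more (for example `pull-requests: write` to comment on a PR), grant it on that job alone rather than widening the root block.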
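A line-based check for the condition the CodeQL alert reports (no `permissions` block at root level and none on a job), added here as an example; it is not code from the project or from CodeQL. The sample workflow is constructed after the diff above, and the checker assumes the two-space indentation used there rather than parsing full YAML.

```python
import re

# Constructed sample, modelled on the workflow in the diff above: no root-level
# permissions block and no job-level one, which is what the CodeQL rule flags.
SAMPLE_WORKFLOW = """\
name: Test
on:
  push:
    branches: [master]
  pull_request:
  workflow_dispatch:
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
  regression:
    name: Regression
    needs: [build]
    runs-on: ubuntu-latest
    steps:
      - run: yarn test:regression
"""

# The same workflow with the suggested root-level block inserted after the triggers.
FIXED_WORKFLOW = SAMPLE_WORKFLOW.replace(
    "workflow_dispatch:\n", "workflow_dispatch:\npermissions:\n  contents: read\n")

# A plain mapping key: leading spaces, then an identifier, then a colon.
# List items ("- uses: ...") deliberately do not match.
KEY_RE = re.compile(r"^(?P<indent> *)(?P<key>[A-Za-z_][\w-]*):")

def workflow_permissions_report(text):
    """Return (root_has_permissions, {job_id: job_has_permissions}).
    Assumes 2-space indentation: root keys at column 0, job ids at 2, job keys at 4."""
    root_has, jobs, in_jobs, current_job = False, {}, False, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group("indent")), m.group("key")
        if indent == 0:                     # root-level key
            in_jobs, current_job = key == "jobs", None
            root_has = root_has or key == "permissions"
        elif in_jobs and indent == 2:       # a job id under jobs:
            current_job, jobs[key] = key, False
        elif in_jobs and indent == 4 and current_job and key == "permissions":
            jobs[current_job] = True        # job-level override
    return root_has, jobs

def jobs_missing_permissions(text):
    """Job ids the rule would flag: none if a root block exists, else every job
    without its own permissions key."""
    root_has, jobs = workflow_permissions_report(text)
    return [] if root_has else [job for job, has in jobs.items() if not has]
```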
* docs: Remove note about issue_comment trigger dependency on default branch
* refactor: simplify regression workflow by removing issue_comment triggers and related steps
* feat: add regression workflow to test.yml with updated steps and dependencies
Per fixing regression