```yaml
name: Build FormKiQ API JWT
runs-on: ubuntu-latest
strategy:
  matrix:
    java: [ 17, 21 ]
steps:
  - uses: actions/checkout@v4
  - name: Set up JDK
    uses: actions/setup-java@v4
    with:
      java-version: ${{ matrix.java }}
      distribution: 'temurin'
      cache: maven
  - name: Build with Maven
    run: mvn -B package --no-transfer-progress --file pom.xml
```
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 14 days ago):
Generally, the fix is to explicitly define a permissions block in the workflow, granting only the minimal scopes required. For a build-only Maven workflow that simply checks out code and compiles/tests it, contents: read is usually sufficient, and it can be set at the workflow root so it applies to all jobs.
The best targeted fix here is to add a workflow-level permissions section directly under the name: Java CI with Maven line (around line 6), with contents: read. This documents that the workflow only needs read access to repository contents and ensures that even if repository defaults are read-write, this workflow will not receive write permissions. No other functionality or steps need changing, and no imports or additional methods are required.
Concretely: edit .github/workflows/maven.yml to insert:

```yaml
permissions:
  contents: read
```

between the existing `name:` and `on:` keys. No other files need modification.
| @@ -4,6 +4,8 @@ | ||
| # This file is auto-generated by OpenAPI Generator (https://openapi-generator.tech) | ||
|
|
||
| name: Java CI with Maven | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
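Review bot: the hunk's own context line states that this file is auto-generated by OpenAPI Generator, so a hand edit to maven.yml will be overwritten on the next regeneration; make the `permissions:` / `contents: read` addition in the template or generator config that emits this workflow (or exclude the file from regeneration), and say so in the commit message, which currently has no description. The root-level placement is otherwise correct for a checkout-and-`mvn package` job, and because it applies to every job in the file, any job added later that needs write access (publishing packages, pushing tags) should declare its own job-level `permissions` rather than widen this block.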
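Added example (not code from the pull request, the FormKiQ project, or CodeQL's own query): a line-oriented check that reproduces the logic of the alert above, reporting every job that would inherit the repository's default GITHUB_TOKEN scopes because neither the workflow root nor the job itself declares `permissions`. It assumes two-space YAML indentation, as in the workflow on this page, and the embedded sample is a constructed copy of this page's job before and after the suggested fix.

```python
import re

# Mapping-key lines look like "<indent>key:"; list items ("- uses:") deliberately don't match.
KEY_RE = re.compile(r"^( *)([A-Za-z_][\w-]*):")


def find_permissions(workflow_text):
    """Return (root_has_permissions, {job_id: job_has_permissions})."""
    # Assumes two-space indentation: job ids sit at indent 2, job keys at indent 4.
    root, jobs, in_jobs, job = False, {}, False, None
    for line in workflow_text.splitlines():
        m = KEY_RE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                      # workflow-level key
            in_jobs, job = key == "jobs", None
            root = root or key == "permissions"
        elif in_jobs and indent == 2:        # a job id under jobs:
            job = key
            jobs[job] = False
        elif in_jobs and indent == 4 and job and key == "permissions":
            jobs[job] = True                 # job-level override present
    return root, jobs


def missing_permissions(workflow_text):
    """Job ids that would inherit the repository default GITHUB_TOKEN scopes."""
    root, jobs = find_permissions(workflow_text)
    return [] if root else [j for j, ok in jobs.items() if not ok]


# Constructed sample modelled on the job shown on this page, before and after the fix.
BEFORE = """\
# This file is auto-generated by OpenAPI Generator (https://openapi-generator.tech)
name: Java CI with Maven
on:
  push:
jobs:
  build:
    name: Build FormKiQ API JWT
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build with Maven
        run: mvn -B package --no-transfer-progress --file pom.xml
"""
AFTER = BEFORE.replace("name: Java CI with Maven\n",
                       "name: Java CI with Maven\npermissions:\n  contents: read\n")
```

`missing_permissions(BEFORE)` returns `['build']`, while `missing_permissions(AFTER)` returns `[]`; a workflow that sets `permissions` on each job instead of at the root also passes.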