Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions .github/workflows/pr-check.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
name: PR Checks

on:
pull_request:
types: [opened, edited, reopened, synchronize]

jobs:
deploy:
name: PR Jira validation check
runs-on: [ubuntu-latest]
steps:
- name: PR Jira validation check
uses: triplelift-internal/actions/pr-check@v1.0

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'PR Checks' step
Uses Step
uses 'triplelift-internal/actions/pr-check' with ref 'v1.0', not a pinned commit hash
with:
github_token: '${{ secrets.GH_ORG_TOKEN }}'
jira_user: '${{ secrets.JIRA_USER }}'
jira_token: '${{ secrets.JIRA_TOKEN }}'
Comment on lines +9 to +17

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 12 months ago

To fix this issue, we will add a permissions key to the workflow. Since the workflow is performing a pull request validation check, it likely requires read-only access to repository contents and write access to pull requests. We will restrict permissions explicitly to contents: read and pull-requests: write.

The permissions block will be added at the root of the workflow (applies to all jobs unless overridden) for simplicity and to ensure least privilege.


Suggested changeset 1
.github/workflows/pr-check.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr-check.yaml b/.github/workflows/pr-check.yaml
--- a/.github/workflows/pr-check.yaml
+++ b/.github/workflows/pr-check.yaml
@@ -1,3 +1,6 @@
+permissions:
+  contents: read
+  pull-requests: write
 name: PR Checks
 
 on:
EOF
@@ -1,3 +1,6 @@
permissions:
contents: read
pull-requests: write
name: PR Checks

on:
Copilot is powered by AI and may make mistakes. Always verify output.
Loading