Problem
CodeQL code scanning found 4 open alerts — all the same rule: `actions/missing-workflow-permissions` (CWE-275). Workflows without explicit `permissions` inherit the repository/org default, which may be overly broad.
Alerts: https://github.com/IBuySpy-Dev/.github/security/code-scanning
| Alert | File | Job | Line |
|---|---|---|---|
| #1 | `validate-basecoat.yml` | `validate-commit-messages` | L13-34 |
| #3 | `validate-basecoat.yml` | `validate-unix` | L35-46 |
| #4 | `validate-basecoat.yml` | `validate-windows` | L47-58 |
| #2 | `validate-repo-template-sample.yml` | `validate-sample-template` | L12-63 |
Fix
Add a top-level `permissions` block to each workflow with minimum required scopes:

`validate-basecoat.yml`:

```yaml
permissions:
  contents: read
```

`validate-repo-template-sample.yml`:

```yaml
permissions:
  contents: read
```

Both workflows only read code — no writes, no issues, no PRs, no packages. `contents: read` is sufficient.

Also check `package-basecoat.yml` and `prd-spec-gate.yml` for the same issue (may need `packages: write` or `pull-requests: write` depending on their function).
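Added example, not part of this issue or the repository: a small checker that approximates the CodeQL rule (a job is flagged when neither the workflow nor the job itself declares `permissions:`), plus a helper that applies the fix above by inserting a top-level block before `jobs:`. The workflow text is a constructed sample modelled on the alerts in the table, not the real `validate-basecoat.yml`.

```python
import re

KEY = re.compile(r"^([A-Za-z_][\w-]*)\s*:")   # a YAML mapping key such as "jobs:"

# Constructed sample modelled on the issue's alerts; not the repository's real file.
SAMPLE_WORKFLOW = """\
name: validate-basecoat
on: [push, pull_request]
jobs:
  validate-commit-messages:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  validate-unix:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: ./validate.sh
"""

def jobs_missing_permissions(workflow_text):
    """Approximate actions/missing-workflow-permissions: jobs that inherit the default
    GITHUB_TOKEN scopes because neither the workflow nor the job sets `permissions:`."""
    workflow_level, in_jobs = False, False
    job_indent = None    # indent of job ids under `jobs:`
    body_indent = None   # indent of keys inside the current job
    current = None
    has_perms = {}       # job id -> has its own job-level permissions
    for raw in workflow_text.splitlines():
        match = KEY.match(raw.strip())
        if match is None:              # blank lines, comments, list items, scalars
            continue
        key, indent = match.group(1), len(raw) - len(raw.lstrip(" "))
        if indent == 0:                # top-level key: `name`, `on`, `jobs`, ...
            in_jobs, current = key == "jobs", None
            workflow_level = workflow_level or key == "permissions"
        elif in_jobs:
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:   # a new job id
                current, body_indent, has_perms[key] = key, None, False
            elif current is not None:
                body_indent = indent if body_indent is None else body_indent
                if indent == body_indent and key == "permissions":
                    has_perms[current] = True
    return [] if workflow_level else [job for job, ok in has_perms.items() if not ok]

def add_workflow_permissions(workflow_text, scopes):
    """Apply the issue's fix: insert a top-level `permissions:` block before `jobs:`."""
    block = "permissions:\n" + "".join(f"  {k}: {v}\n" for k, v in scopes.items())
    return re.sub(r"(?m)^jobs\s*:", lambda m: block + m.group(0), workflow_text, count=1)
```

Running the checker over every file under `.github/workflows/` before and after the fix is a quick way to confirm the alerts would clear; a job that already carries its own block (like `validate-unix` in the sample) is not reported.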
References