mirror of
https://github.com/scylladb/scylladb.git
synced 2026-04-20 00:20:47 +00:00
e59a21752d
Potential fix for https://github.com/scylladb/scylladb/security/code-scanning/147. To fix the problem, add an explicit `permissions:` block to the workflow (either at the top level or inside the `trigger-jenkins` job) that constrains the `GITHUB_TOKEN` to the minimal necessary privileges. This codifies least-privilege in the workflow itself instead of relying on repository or organization defaults. The best minimal, non‑breaking change is to define a root‑level `permissions:` block with read‑only contents access because the job does not perform any write operations to the repository, nor does it interact with issues, pull requests, or other GitHub resources. A conservative, widely accepted baseline is `contents: read`. If later steps require more permissions, they can be added explicitly, but for this snippet, no such need is visible. Concretely, in `.github/workflows/trigger_jenkins.yaml`, insert: ```yaml permissions: contents: read ``` between the `name:` block and the `on:` block (e.g., after line 2). No additional methods, imports, or definitions are needed since this is a pure YAML configuration change and does not alter runtime behavior of the existing shell steps. Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Closes scylladb/scylladb#27815