| if: github.event_name != 'schedule' || github.repository_owner == 'aws' | ||
| uses: ./.github/workflows/dafny_version.yml | ||
| performance-benchmarks-go: |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 2 months ago
In general, the problem is fixed by explicitly declaring a minimal permissions: block in the workflow, either at the root (applies to all jobs lacking their own block) or per job. This prevents the jobs from inheriting potentially over-privileged default permissions for the GITHUB_TOKEN.
For this workflow, the simplest, least-invasive fix is to add a root-level permissions: block that applies to all jobs. Since the top-level workflow only orchestrates reusable workflows and sends a Slack notification (which uses a secret, not the GITHUB_TOKEN), it can safely set contents: read as a minimal baseline. If any called reusable workflows need additional permissions, they should define their own permissions: blocks within those reusable workflow files; we must not assume or edit those here.
Concretely, in .github/workflows/performance-benchmarks.yml, add a permissions: section after the name: line (line 2) and before the on: block (line 4). The block should set contents: read, which is a reasonable minimal starting point for a workflow that only needs to read repository metadata. No imports or additional methods are needed, since this is a YAML configuration change only.
| @@ -1,5 +1,7 @@ | ||
| # This workflow runs every day 09:00 UTC (1AM PST) | ||
| name: Performance Benchmarks | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: |
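Review bot: the root-level `contents: read` is the right baseline for this file, but the accompanying note that called reusable workflows "should define their own permissions: blocks" if they need more does not hold: a called workflow receives the caller's GITHUB_TOKEN permissions and can only reduce them, never raise them. If `dafny_version.yml` or `performance-benchmarks-go.yml` needs anything beyond read access, that scope has to be granted in this file, preferably as a `permissions:` key under the specific job rather than by widening the root block. The `notify` job is unaffected either way, since it authenticates with `SLACK_WEBHOOK_URL_CI` and does not use the token.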
| needs: getVersion | ||
| uses: ./.github/workflows/performance-benchmarks-go.yml | ||
| with: | ||
| dafny: ${{needs.getVersion.outputs.version}} | ||
| notify: |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 2 months ago
In general, the fix is to add an explicit permissions: block that scopes the GITHUB_TOKEN to the minimal access needed. This can be done at the workflow root (applies to all jobs that don’t override it) or per job. Since all jobs here only orchestrate other workflows and don’t manipulate repository contents directly, a safe and conservative default is permissions: contents: read at the workflow level, which still allows read access to the repo while avoiding unnecessary write permissions.
The single best fix with minimal functional impact is to add a top‑level permissions: block right under the name: field (or anywhere at the root) in .github/workflows/performance-benchmarks.yml, like:
permissions:
  contents: read
This constrains the GITHUB_TOKEN for all three jobs: getVersion, performance-benchmarks-go, and notify, unless any of the called reusable workflows override permissions themselves (which they are allowed to do, but outside the scope of this snippet). No other code changes, imports, or definitions are needed, as this only affects GitHub Actions configuration.
| @@ -1,6 +1,9 @@ | ||
| # This workflow runs every day 09:00 UTC (1AM PST) | ||
| name: Performance Benchmarks | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths: |
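Review bot: this suggestion inserts the same root-level `permissions:` block as the autofix attached to the `performance-benchmarks-go` finding; the three CodeQL findings are reported per job, but every autofix adds one workflow-level key, so exactly one of them should be applied. Applying two produces a duplicate top-level `permissions:` mapping key, which is invalid YAML and will be rejected when the workflow loads. The extra blank line this variant places between `name:` and `permissions:` is purely a style choice.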
| needs: | ||
| [ | ||
| getVersion, | ||
| performance-benchmarks-go | ||
| ] | ||
| if: ${{ failure() }} | ||
| uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main | ||
| with: | ||
| message: "Performance Benchmarks failed on `${{ github.repository }}`. View run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | ||
| secrets: | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }} |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 2 months ago
In general, the fix is to explicitly define a permissions: block to restrict the GITHUB_TOKEN to the least privileges needed. This can be done at the workflow root (applies to all jobs that don’t override it) or per job. Since all jobs here are just invoking reusable workflows and don’t themselves interact with the repository, the minimal safe starting point is permissions: { contents: read } at the workflow level.
The best fix, without changing existing functionality, is to add a top‑level permissions: block after the on: section. This will apply to getVersion, performance-benchmarks-go, and notify unless those reusable workflows override permissions internally. Given the visible code, the jobs don’t appear to need any write permissions, so contents: read is sufficient and matches GitHub’s recommended minimal example. No other methods, imports, or definitions are needed; this is purely a YAML configuration change within .github/workflows/performance-benchmarks.yml.
Concretely:
- Edit .github/workflows/performance-benchmarks.yml.
- After line 10 (the schedule: ... block), insert:
permissions:
  contents: read
This introduces explicit least‑privilege permissions for the GITHUB_TOKEN used by this workflow.
| @@ -8,6 +8,9 @@ | ||
| schedule: | ||
| - cron: "00 09 * * *" | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| getVersion: | ||
| # Don't run the cron builds on forks |
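Review bot: placing the block between the `schedule:` trigger and `jobs:` is functionally identical to the other two suggestions, so again only one of the three should land in the file. Before merging whichever one is chosen, it is worth confirming that `contents: read` really covers every job: all three only call reusable workflows, `notify` gates on `${{ failure() }}` over `needs` and posts through a webhook secret, so nothing visible here needs a write scope. If a later job does, grant the extra scope on that job instead of relaxing the root block.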
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
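The three CodeQL findings above all reduce to one check: does every job in the workflow get an explicit GITHUB_TOKEN scope, either from a root-level `permissions:` block or from one on the job itself. The script below is an added example, not code from this PR, from CodeQL or from the repository, that performs that check with a shallow indentation-based scan (no YAML library) over constructed sample workflows modelled on the file under review; the function names, the samples and the three scoping variants are this example's own.

```python
"""Shallow checker for GitHub Actions workflow files.

Reports jobs whose GITHUB_TOKEN scope is set neither at the workflow root nor
on the job itself, which is the condition behind CodeQL's
"Workflow does not contain permissions" finding. The scan is indentation
based and avoids third-party YAML libraries; it assumes conventionally
indented workflow files. All sample workflows below are constructed.
"""


def _indent(line):
    """Number of leading spaces on a line."""
    return len(line) - len(line.lstrip(" "))


def permissions_report(workflow_text):
    """Return {"root": bool, "jobs": {job_name: bool}}.

    "root" is True when a top-level permissions: key exists; each job's bool
    is True when a permissions: key sits directly under that job.
    """
    root = False
    in_jobs = False
    job_indent = None    # indentation of job names under jobs:
    child_indent = None  # indentation of keys directly under the current job
    current_job = None
    jobs = {}

    for raw in workflow_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        ind = _indent(raw)
        if ind == 0:
            # Any top-level key ends a jobs: section we were inside.
            in_jobs = stripped == "jobs:"
            current_job = None
            job_indent = child_indent = None
            if stripped.split(":")[0] == "permissions":
                root = True
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind
        if ind == job_indent and stripped.endswith(":"):
            current_job = stripped[:-1]
            jobs[current_job] = False
            child_indent = None
        elif current_job is not None and ind > job_indent:
            if child_indent is None:
                child_indent = ind
            if ind == child_indent and stripped.split(":")[0] == "permissions":
                jobs[current_job] = True
    return {"root": root, "jobs": jobs}


def jobs_without_permissions(workflow_text):
    """Jobs that would raise the CodeQL finding: no root block and no job block."""
    report = permissions_report(workflow_text)
    if report["root"]:
        return []
    return [name for name, scoped in report["jobs"].items() if not scoped]


# Constructed sample modelled on the benchmark workflow under review: three
# jobs that only call reusable workflows, and no permissions: block anywhere.
UNSCOPED = """\
name: Performance Benchmarks
on:
  schedule:
    - cron: "00 09 * * *"
jobs:
  getVersion:
    # Don't run the cron builds on forks
    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
    uses: ./.github/workflows/dafny_version.yml
  performance-benchmarks-go:
    needs: getVersion
    uses: ./.github/workflows/performance-benchmarks-go.yml
    with:
      dafny: ${{needs.getVersion.outputs.version}}
  notify:
    needs: [getVersion, performance-benchmarks-go]
    if: ${{ failure() }}
    uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }}
"""

# The root-level fix that all three autofix suggestions propose.
ROOT_SCOPED = UNSCOPED.replace("on:\n", "permissions:\n  contents: read\n\non:\n", 1)

# Job-level scoping on one job only: the other two still lack a scope.
JOB_SCOPED = UNSCOPED.replace(
    "  getVersion:\n", "  getVersion:\n    permissions:\n      contents: read\n", 1
)

if __name__ == "__main__":
    for label, text in (("unscoped", UNSCOPED), ("root", ROOT_SCOPED), ("job", JOB_SCOPED)):
        print(label, "->", jobs_without_permissions(text) or "all jobs scoped")
```

Run on the unscoped sample it lists all three jobs, which matches the three per-job findings CodeQL raised; with the root block in place the list is empty, and with a block on `getVersion` alone the other two jobs are still reported, which is why a single root-level block is the smaller change for this file.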