🌿 Fern Regeneration -- September 1, 2025 #20
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Rye | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
| - name: Set up python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: 3.8 | ||
| - name: Bootstrap poetry | ||
| run: | | ||
| curl -sSf https://rye.astral.sh/get | bash | ||
| echo "$HOME/.rye/shims" >> $GITHUB_PATH | ||
| env: | ||
| RYE_VERSION: '0.44.0' | ||
| RYE_INSTALL_OPTION: '--yes' | ||
|
|
||
| - name: Bootstrap | ||
| run: ./scripts/bootstrap | ||
| curl -sSL https://install.python-poetry.org | python - -y --version 1.5.1 | ||
| - name: Install dependencies | ||
| run: poetry install | ||
|
|
||
| - name: Run tests | ||
| run: ./scripts/test | ||
| - name: Test | ||
| run: poetry run pytest -rP . |
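Review bot: The `curl -sSf https://rye.astral.sh/get | bash` and `curl -sSL https://install.python-poetry.org | python - -y --version 1.5.1` lines run a script fetched at job time with no integrity check, so the version pin covers the tool but not the installer that executes on the runner. For whichever of these steps the change keeps, download the script to a file, verify it against a checksum committed to the repository, and only then run it. The `uses:` lines reference `actions/checkout@v4` and `actions/setup-python@v4` by mutable tag; pinning each to a full commit SHA keeps the job from picking up a retagged release. `python-version: 3.8` is also safer quoted as `'3.8'` so YAML never parses a version as a float.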
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 months ago
To fix this issue, you should add a permissions block to the workflow. You can do this at the root level (affecting all jobs) or at the job level (per-job granularity). Since both jobs ("compile" and "test") appear not to require any write access (they only check out code and run install/test/compile steps), the GITHUB_TOKEN can likely be restricted to only contents: read. This limits read access to repository contents and nothing else, adhering to least privilege principles. To implement the fix, add a permissions block directly below the workflow’s name and before the on key.
| @@ -1,4 +1,6 @@ | ||
| name: ci | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: [push] | ||
| jobs: |
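Review bot: Before merging the `permissions:` block placed after `name: ci`, confirm that no job under `jobs:` needs a scope other than `contents: read`, because a workflow-level block sets every unlisted scope to none for all jobs. If one job does need more, grant it in that job's own `permissions:` key rather than widening this block.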
This PR regenerates code to match the latest API Definition.
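The check behind the "Workflow does not contain permissions" warning above can be approximated locally. This is an added example, not code from the PR or from CodeQL: the function name, the line-scanning approach and the sample workflow text are assumptions made for illustration, with the job names `compile` and `test` taken from the autofix comment.

```python
import re
KEY = re.compile(r"^([A-Za-z0-9_-]+):")

def jobs_missing_permissions(workflow_text):
    """Names of jobs left on the default GITHUB_TOKEN permissions.
    Assumes block-style, space-indented YAML; a line scanner, not a YAML parser."""
    root_block = in_jobs = False
    job_indent = key_indent = current = None
    jobs = {}
    for raw in workflow_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        m = KEY.match(line.lstrip())
        key = m.group(1) if m else None
        if indent == 0:                      # top-level key
            in_jobs = key == "jobs"
            root_block = root_block or key == "permissions"
        elif in_jobs:
            if job_indent is None:           # first child of jobs: sets job level
                job_indent = indent
            if indent == job_indent and key:
                current, key_indent = key, None
                jobs[current] = False
            elif current is not None:
                if key_indent is None:       # first key inside the job
                    key_indent = indent
                if indent == key_indent and key == "permissions":
                    jobs[current] = True
    return [] if root_block else [n for n, ok in jobs.items() if not ok]

# Constructed sample modelled on the workflow discussed on this page.
BEFORE = """\
name: ci
on: [push]
jobs:
  compile:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  test:
    runs-on: ubuntu-latest
    steps:
      - run: poetry run pytest -rP .
"""
AFTER = BEFORE.replace("name: ci\n", "name: ci\npermissions:\n  contents: read\n")
PER_JOB = BEFORE.replace("  test:\n", "  test:\n    permissions:\n      contents: read\n")
print(jobs_missing_permissions(BEFORE), jobs_missing_permissions(AFTER), jobs_missing_permissions(PER_JOB))
```

`AFTER` applies the root-level block from the autofix suggestion, and `PER_JOB` shows the job-level alternative, which leaves `compile` still flagged.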