🌿 Fern Regeneration -- September 1, 2025 #21
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Rye | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
| - name: Set up python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: 3.8 | ||
| - name: Bootstrap poetry | ||
| run: | | ||
| curl -sSf https://rye.astral.sh/get | bash | ||
| echo "$HOME/.rye/shims" >> $GITHUB_PATH | ||
| env: | ||
| RYE_VERSION: '0.44.0' | ||
| RYE_INSTALL_OPTION: '--yes' | ||
|
|
||
| - name: Bootstrap | ||
| run: ./scripts/bootstrap | ||
| curl -sSL https://install.python-poetry.org | python - -y --version 1.5.1 | ||
| - name: Install dependencies | ||
| run: poetry install | ||
|
|
||
| - name: Run tests | ||
| run: ./scripts/test | ||
| - name: Test | ||
| run: poetry run pytest -rP . |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 3 months ago
To fix this issue, the least-privileged permissions block should be added. Since both compile and test jobs in this workflow only check out code and run commands locally, they only need contents: read permissions to access repository content. The best way to address this is to add a top-level permissions block to the workflow file (directly under the name or on keys), which will apply to all jobs unless overridden. You'll need to insert:
permissions:
contents: readafter the name: ci (or after on: [push]—in either position it will work, but directly after name: is typical for readability).
| @@ -1,5 +1,7 @@ | ||
| name: ci | ||
|
|
||
| permissions: | ||
| contents: read | ||
| on: [push] | ||
| jobs: | ||
| compile: |
This PR regenerates code to match the latest API Definition.