feat: rie private to public automation initial merge #172
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check source branch | ||
| run: | | ||
| SOURCE_BRANCH="${{ github.head_ref }}" | ||
| if [[ "$SOURCE_BRANCH" != "develop" ]]; then | ||
| echo "Error: Only pull requests from develop branch are allowed into main" | ||
| echo "Current source branch ($SOURCE_BRANCH)." | ||
| exit 1 | ||
| fi | ||
| echo "Source branch is develop - merge allowed" |
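Review bot: `SOURCE_BRANCH="${{ github.head_ref }}"` in the run step expands the pull request's head branch name (a value chosen by whoever opens the PR) into the shell script text before the script runs, so a branch name containing shell metacharacters alters the command instead of being compared as data. Pass it in through `env:` instead and keep the existing `"$SOURCE_BRANCH"` references unchanged, e.g. `env:` / `SOURCE_BRANCH: ${{ github.head_ref }}` on the step. The comparison itself is fine; one caveat is that `github.head_ref` is only populated for pull_request-family events, so if this job is ever triggered another way the variable is empty and the `!=` check fails closed, which is the safe outcome but worth a comment.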
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 1 day ago):
In general, fix this by adding a permissions block to the workflow (either at the root or per‑job) and granting the minimal necessary permissions. When a workflow doesn’t need GITHUB_TOKEN at all, you can set permissions: {} or explicitly set all scopes to none. If it only needs to read repository contents, contents: read is sufficient.
For this specific workflow in .github/workflows/validate-branch-into-main.yaml, the job only checks the PR’s source branch and prints messages; it doesn’t use GITHUB_TOKEN to interact with the API or write anything. The safest, least‑privilege change is to add a root‑level permissions block setting contents: read, which is a standard minimal configuration and keeps the workflow compatible with common actions that might be added later which only need read access. Concretely, insert a permissions: section between the name: and on: definitions (around line 2–3). No imports or additional definitions are needed because this is a YAML configuration change only.
| @@ -1,5 +1,8 @@ | ||
| name: Validate PR Branch into Main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: |
| name: Validate PR Branch into Main | ||
|
|
||
| on: |
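Review bot: the added `permissions:` / `contents: read` block is the right direction, but since this job never checks out the repository or calls the API (it only reads `github.head_ref` from the event context and prints messages), `permissions: {}` is the tighter choice and is exactly what the autofix text above describes for workflows that do not need GITHUB_TOKEN; `contents: read` only buys compatibility with a future checkout step that is not in this file. The suggestion also leaves the inline `${{ github.head_ref }}` expansion in the run step untouched, which is a separate finding and should be fixed alongside this one by moving the value into `env:`.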
Do we want to add this file now? I see another PR open to add this, and some discussion there already: https://github.com/aws/aws-lambda-runtime-interface-emulator/pull/168/changes
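For reference, a hardened version of the workflow under discussion, added here as an illustration and not part of this PR or of the Copilot suggestion: it combines a least-privilege permissions block with passing `github.head_ref` through `env:` rather than expanding it inside the run script. The job name and the `branches: - main` entry are assumptions, since the PR snippet cuts off before those lines.

```yaml
name: Validate PR Branch into Main

# Added example, not the PR's file. The job only inspects PR metadata and
# prints messages, so it needs no GITHUB_TOKEN scopes at all.
permissions: {}

on:
  pull_request:
    branches:
      - main   # assumed target branch; not visible in the PR snippet

jobs:
  validate-source-branch:   # job name assumed; not visible in the PR snippet
    runs-on: ubuntu-latest
    steps:
      - name: Check source branch
        env:
          # Hand the PR-controlled branch name to the shell as an environment
          # variable so it is compared as data, never spliced into script text.
          SOURCE_BRANCH: ${{ github.head_ref }}
        run: |
          if [[ "$SOURCE_BRANCH" != "develop" ]]; then
            echo "Error: Only pull requests from develop branch are allowed into main"
            echo "Current source branch ($SOURCE_BRANCH)."
            exit 1
          fi
          echo "Source branch is develop - merge allowed"
```

The two changes are independent: `permissions: {}` limits what a compromised step could do with the token, and the `env:` indirection removes the expression-injection path that CodeQL's separate code-injection rule flags for inline `${{ }}` in `run:` blocks.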
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.