github/tor-guard-relay
1
1
Fork 0
mirror of https://github.com/r3bo0tbx1/tor-guard-relay.git synced 2026-04-06 00:32:04 +02:00
Code Issues Packages Projects Releases Wiki Activity

Potential fix for code scanning alert no. 8: Workflow does not contain permissions #8

New Issue
Closed
opened 2026-04-05 16:15:56 +02:00 by MrUnknownDE · 0 comments
MrUnknownDE commented 2026-04-05 16:15:56 +02:00
Owner
Copy Link

Originally created by @r3bo0tbx1 on 2/5/2026

Potential fix for https://github.com/r3bo0tbx1/tor-guard-relay/security/code-scanning/8

In general, the fix is to add a permissions block that restricts the GITHUB_TOKEN to the least privileges required. For this job, the only capability needed is the ability to request reviewers on pull requests, which requires pull-requests: write. It does not need broad contents: write or other elevated scopes, so we should explicitly set a minimal set of permissions.

The best fix, without changing existing functionality, is to add a job-level permissions block under jobs.assign, specifying pull-requests: write. This keeps the scope local to this job, avoids affecting other workflows, and clearly documents the intent. Concretely, in .github/workflows/assign.yml, under jobs: assign:, add:

    permissions:
      pull-requests: write

at the same indentation level as if: and runs-on:. No new imports or external actions are required; GitHub Actions’ built-in permission system handles this.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

*Originally created by @r3bo0tbx1 on 2/5/2026* Potential fix for [https://github.com/r3bo0tbx1/tor-guard-relay/security/code-scanning/8](https://github.com/r3bo0tbx1/tor-guard-relay/security/code-scanning/8) In general, the fix is to add a `permissions` block that restricts the `GITHUB_TOKEN` to the least privileges required. For this job, the only capability needed is the ability to request reviewers on pull requests, which requires `pull-requests: write`. It does not need broad `contents: write` or other elevated scopes, so we should explicitly set a minimal set of permissions. The best fix, without changing existing functionality, is to add a job-level `permissions` block under `jobs.assign`, specifying `pull-requests: write`. This keeps the scope local to this job, avoids affecting other workflows, and clearly documents the intent. Concretely, in `.github/workflows/assign.yml`, under `jobs: assign:`, add: ```yaml permissions: pull-requests: write ``` at the same indentation level as `if:` and `runs-on:`. No new imports or external actions are required; GitHub Actions’ built-in permission system handles this. _Suggested fixes powered by Copilot Autofix. Review carefully before merging._
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
alpine
alpine
alpine
alpine
alpine
alpine
alpine
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
docker
docker
docker
docker
docker
docker
docker
docker
docker
docker
docker
docker
docker
docker
enhancement
github-actions
github-actions
good first issue
security
security
security
security
security
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
MrUnknownDE
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github/tor-guard-relay#8
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?