Conversation

@summeroff
Contributor

Potential fix for https://github.com/streamlabs/crash-handler/security/code-scanning/3

To fix this issue, explicitly set the permissions block in the workflow, granting the least possible privilege needed to perform the formatting checks. In this case, since the workflow does not push, comment, or perform any write actions, only minimal read access to the repository contents is needed. Insert permissions: contents: read either at the root (applies to all jobs) or at the job level (specific to this job). In this solution, we will add the block at the job level for clang-format-check on line 13 so it is clear and contained.

What to do:
Edit .github/workflows/clang-format.yml, adding the following under the job definition (jobs: clang-format-check:), before runs-on: ubuntu-22.04:

permissions:
  contents: read

No other changes or imports are required.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
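As an added example (not the project's own file, which this PR does not reproduce), here is a minimal .github/workflows/clang-format.yml with the job-level permissions block the description calls for. The job name and runner image are taken from the PR text; the trigger, the checkout step and the clang-format command are assumed for illustration.

```yaml
name: clang-format

on:
  pull_request:
  push:

jobs:
  clang-format-check:
    # Job-level least privilege, as in this PR. Once any scope is listed here,
    # every scope that is not listed (issues, pull-requests, packages, ...) is
    # set to none, so the GITHUB_TOKEN handed to this job can only read the
    # repository contents it checks out.
    permissions:
      contents: read
    runs-on: ubuntu-22.04
    steps:
      # Assumed step: a read-only checkout is all contents: read needs to allow.
      - uses: actions/checkout@v4
      # Assumed step: the real formatting command is not shown in the PR.
      # --dry-run -Werror fails the job on any formatting diff without
      # modifying or pushing anything, so no write scope is required.
      - name: Check formatting
        run: |
          git ls-files '*.c' '*.cc' '*.cpp' '*.h' '*.hpp' \
            | xargs --no-run-if-empty clang-format --dry-run -Werror
```

Two points worth keeping in mind when reviewing a change like this: the block only governs the automatic GITHUB_TOKEN, not any personal access token or secret a step supplies explicitly; and if a job later gains a step that must write (for example, commenting on the pull request), add the single extra scope to that job rather than loosening a root-level block for the whole workflow.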
@summeroff summeroff requested a review from Copilot October 7, 2025 00:37

Copilot AI left a comment

Pull Request Overview

This PR addresses a GitHub security code scanning alert by adding explicit permissions to the clang-format workflow. The change follows the principle of least privilege by granting only the minimal read access required for the formatting check job.

  • Added job-level permissions block to restrict access to contents:read only

@summeroff summeroff marked this pull request as ready for review October 7, 2025 00:38
@summeroff summeroff merged commit 99bc967 into streamlabs Oct 7, 2025
10 checks passed