Conversation
…r-docker-publish GCP deployment update
… SPEC-889-github-workflow-for-docker-publish
…r-docker-publish GCP docker publish images to artifact repository
ci: host through Cloudflare
…ment fix(NO-JIRA): update wrangler pattern deployment
…ment fix(NO-JIRA): reverting the change and correcting directory
…ment fix(NO-JIRA): serve listRegistry.json at root
…ment fix(NO-JIRA): fix to handle options request and root access
…pts-update fix(NO-JIRA): handle cors issue with wildcard matching for domain
add: custom usdc for xlayer mainnet
| runs-on: ubuntu-latest | ||
| outputs: | ||
| env: ${{ steps.set-env.outputs.env }} | ||
| steps: | ||
| - id: set-env | ||
| run: | | ||
| if [ "${{ github.ref_name }}" == "master" ]; then | ||
| export ENV=production | ||
| fi | ||
|
|
||
| if [ "${{ github.ref_name }}" == "dev" ]; then | ||
| export ENV=staging | ||
| fi | ||
|
|
||
| echo "env=$ENV" >> "$GITHUB_OUTPUT" | ||
|
|
||
| build-and-deploy: |
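Review bot: the set-env step falls through silently when `github.ref_name` is neither `master` nor `dev`: ENV is never assigned, `echo "env=$ENV" >> "$GITHUB_OUTPUT"` writes an empty value, and the downstream wrangler deploy runs against whatever its default environment is. Add a terminal branch that exits non-zero (an `else` after the two `if` blocks, or a `case` with a `*)` arm), and compare against the built-in `$GITHUB_REF_NAME` variable rather than splicing `${{ github.ref_name }}` into the shell script, so that if the push trigger is ever widened a branch name containing shell metacharacters cannot alter the script.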
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 6 months ago
To fix the problem, we should set a permissions: block at the workflow root (above jobs:), thereby limiting the permissions of GITHUB_TOKEN for all jobs within the workflow. Since this deploy workflow only checks out code and runs deployment steps using secrets, it likely only needs read access to repository contents, and does not require write access to contents, issues, or pull-requests. The minimal recommended block is:
permissions:
  contents: read

This change goes at the root level, after run-name and before on:. No other code changes are required. If future job steps require extra permissions, the block can be amended or overridden at job level.
| @@ -1,4 +1,6 @@ | ||
| run-name: Deploy ${{ github.ref_name }} | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
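Review bot: `contents: read` at the root is the right default for this file, since the build-and-deploy job only checks out code and authenticates to Cloudflare with its own secrets, never with GITHUB_TOKEN. Once this root block exists, any job added later that needs a wider grant (for example `id-token: write` for OIDC-based cloud authentication) has to declare its own job-level `permissions:` block; the root block should stay read-only rather than being widened for one job.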
| needs: [get-env] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: actions/setup-node@v5 | ||
| - run: npm ci | ||
| - run: npm run build | ||
| - name: Deploy bundle | ||
| uses: cloudflare/wrangler-action@v3 | ||
| with: | ||
| environment: ${{ needs.get-env.outputs.env }} | ||
| apiToken: ${{ secrets.CF_WORKER_API_TOKEN }} | ||
| accountId: ${{ secrets.CF_WORKER_ACCOUNT_ID }} |
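Review bot: all three actions are referenced by floating major tags (`actions/checkout@v5`, `actions/setup-node@v5`, `cloudflare/wrangler-action@v3`), so a moved tag changes what runs in a job that holds the Cloudflare API token; pin each to a full-length commit SHA with the version in a trailing comment. The job also consumes `needs.get-env.outputs.env` without checking it is non-empty, and carries no `environment:` key, so no GitHub environment protection rules or environment-scoped secrets apply to the production deploy; consider adding `environment: ${{ needs.get-env.outputs.env }}` at the job level.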
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 6 months ago
The best way to address this issue is to add an explicit permissions: block to the workflow or relevant job. Since nothing in the provided workflow appears to need write access via GITHUB_TOKEN, we should set the minimal required permissions, which is typically contents: read (necessary for actions/checkout and similar read-only operations). Adding this at the top level (root of the workflow file) ensures all jobs inherit this minimal permission, unless overridden per-job. This requires adding:
permissions:
  contents: read

immediately after the run-name: ... line and before the on: block. No imports or definitions are needed for this change, just an insertion in the workflow YAML.
| @@ -1,4 +1,6 @@ | ||
| run-name: Deploy ${{ github.ref_name }} | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
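As an added example, not the PR's own workflow and not the autofix output, here is a complete deploy workflow laid out the way both CodeQL autofix comments describe: `permissions: contents: read` at the workflow root, a job-level override only where a job needs more, the branch-to-environment mapping failing closed, and the deploy job bound to a GitHub environment. The `publish-image` job, the `google-github-actions/auth` inputs, the GCP secret names, the `node-version` and the `branches:` filter are assumptions for illustration and do not come from the repository.

```yaml
# Added example (not the PR's own workflow): least-privilege GITHUB_TOKEN layout.
# Assumptions: the publish-image job, the GCP secret names, node-version and the
# branch filter are illustrative and not taken from the repository.
name: deploy
run-name: Deploy ${{ github.ref_name }}

# Root default: every job gets a read-only token unless it opts in per job.
permissions:
  contents: read

on:
  push:
    branches: [master, dev]   # assumption: limit the trigger to the mapped branches

jobs:
  get-env:
    runs-on: ubuntu-latest
    outputs:
      env: ${{ steps.set-env.outputs.env }}
    steps:
      - id: set-env
        # Read the built-in $GITHUB_REF_NAME instead of interpolating
        # ${{ github.ref_name }} into the script, and fail closed on any
        # branch that has no mapped environment.
        run: |
          case "$GITHUB_REF_NAME" in
            master) ENV=production ;;
            dev)    ENV=staging ;;
            *) echo "no deployment environment mapped for '$GITHUB_REF_NAME'" >&2; exit 1 ;;
          esac
          echo "env=$ENV" >> "$GITHUB_OUTPUT"

  build-and-deploy:
    needs: [get-env]
    runs-on: ubuntu-latest
    # Binding the job to a GitHub environment applies that environment's
    # protection rules and scopes its secrets to this job.
    environment: ${{ needs.get-env.outputs.env }}
    steps:
      - uses: actions/checkout@v5        # pin to a full-length commit SHA in production
      - uses: actions/setup-node@v5      # likewise
        with:
          node-version: 20               # assumption
      - run: npm ci
      - run: npm run build
      - name: Deploy bundle
        uses: cloudflare/wrangler-action@v3   # likewise
        with:
          environment: ${{ needs.get-env.outputs.env }}
          apiToken: ${{ secrets.CF_WORKER_API_TOKEN }}
          accountId: ${{ secrets.CF_WORKER_ACCOUNT_ID }}

  # Hypothetical job that needs more than the root grant: OIDC federation to
  # GCP requires id-token: write. The override is declared on this job only;
  # a job-level block replaces the root one, so contents: read is restated.
  publish-image:
    needs: [get-env]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v5
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}  # assumption
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}                        # assumption
```

Pushing a branch other than `master` or `dev` now fails in `get-env` before any deploy step runs, and the root `permissions:` block satisfies the CodeQL check without granting the Cloudflare job anything beyond repository read access.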
changing format for routes
L"scripts": { |
No description provided.