Bot: Install/update compliance workflows #34
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| jobs: | ||
| check: | ||
| uses: flexaihq/actions/.github/workflows/repo-compliance-workflow.yaml@main |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
To fix this problem, we need to explicitly set a permissions block in .github/workflows/repo-compliance.yaml. The safest minimal permissions are generally contents: read, unless more is needed (for example, if the workflow writes to issues or PRs, issues: write or pull-requests: write should be added). Since the workflow is invoking a reusable compliance workflow, and we aren't given any evidence that write permissions are necessary, we should start with the minimum: contents: read. The block should be placed at the top level (directly below name: and before on:) or inside the specific job definition. Best practice is to apply it at the root unless individual jobs need differing permissions. No new imports or definitions are needed—just the YAML permissions key.
| @@ -1,4 +1,6 @@ | ||
| name: Check Repo Compliance | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
| branches: |
flexai-bot
force-pushed
the
create-pull-request/patch
branch
from
0ad64c6 to
a919145
Compare
This installs a workflow that will check if the repo complies with the FlexAI standards.
This only applies to internal repos. If you see this PR in a forked repo, please contact the Infra team and ask an exemption for this repo.
This PR has been created by: https://github.com/flexaihq/infra/actions/runs/17551670037
Refs: SEC-20