ci: host through Cloudflare #766
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| outputs: | ||
| env: ${{ steps.set-env.outputs.env }} | ||
| steps: | ||
| - id: set-env | ||
| run: | | ||
| if [ "${{ github.ref_name }}" == "master" ]; then | ||
| export ENV=production | ||
| fi | ||
|
|
||
| if [ "${{ github.ref_name }}" == "dev" ]; then | ||
| export ENV=staging | ||
| fi | ||
|
|
||
| echo "env=$ENV" >> "$GITHUB_OUTPUT" | ||
|
|
||
| build-and-deploy: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
To address this security issue, add a permissions block to the workflow to restrict the GITHUB_TOKEN permissions. Since the workflow jobs shown do not perform any write operations to the repository (no pushes, issue/PR management, or artifact storage), the minimal permission required is likely contents: read, allowing it to check out code. This can be set at the workflow root (so it applies to all jobs) by inserting
permissions:
contents: readbetween the top metadata and the on: block. This edit sets the least privilege and follows GitHub's official recommendation. No new methods, imports, or definitions are needed.
| @@ -1,5 +1,8 @@ | ||
| run-name: Deploy ${{ github.ref_name }} | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
| needs: [get-env] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: actions/setup-node@v5 | ||
| - run: npm ci | ||
| - run: npm run build | ||
| - name: Deploy bundle | ||
| uses: cloudflare/wrangler-action@v3 | ||
| with: | ||
| environment: ${{ needs.get-env.outputs.env }} | ||
| apiToken: ${{ secrets.CF_WORKER_API_TOKEN }} | ||
| accountId: ${{ secrets.CF_WORKER_ACCOUNT_ID }} |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
To resolve this problem, you should add a permissions block at either the workflow root (to apply to all jobs) or to jobs individually if they need distinct privileges. The most secure approach is to apply the minimum permissions required by the workflow as a whole—typically contents: read is sufficient for most deploy workflows, unless explicit interactions with issues, pull requests, or other resources are needed. In your workflow, there are no steps that require write access to the repository, so the minimal starting point is appropriate. Therefore, you should add the following directly beneath the top-level fields (e.g., after run-name or before/on) in .github/workflows/deploy.yaml:
permissions:
contents: readNo imports or additional dependencies are required.
| @@ -1,4 +1,6 @@ | ||
| run-name: Deploy ${{ github.ref_name }} | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
No description provided.