Call the centralized reusable workflow from reqstool/.github to validate Antora docs build cleanly on PRs and pushes to main.

Signed-off-by: jimisola <jimisola@jimisola.com>
| jobs: | ||
| build: | ||
| uses: reqstool/.github/.github/workflows/build-docs.yml@main |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (severity: Medium)
Copilot Autofix
AI about 8 hours ago
In general, the problem is fixed by explicitly declaring a permissions block that restricts the GITHUB_TOKEN to the least privileges needed. Since this workflow only triggers a reusable workflow and there is no indication it needs write access, a safe minimal default is contents: read at the workflow root. Root‑level permissions apply to all jobs that do not override them, including the build job here.
The single best way to fix this without changing existing functionality is to add a root‑level permissions section immediately after the name: line (line 1). For example:
name: Build Docs
permissions:
  contents: read

This keeps the existing triggers and the build job unchanged and only narrows the default GITHUB_TOKEN privileges for this workflow. No additional imports or methods are needed, since this is a GitHub Actions YAML configuration change only.
Concretely:
- Edit .github/workflows/build-docs.yml.
- Insert a permissions block after line 1 (name: Build Docs), before the on: section.
- Set contents: read as a minimal, least-privilege default suitable for a documentation build workflow that should not need to push changes or modify repo state.
| @@ -1,4 +1,6 @@ | ||
| name: Build Docs | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| pull_request: |
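Review bot: `contents: read` at the root also caps what the called reusable workflow can do, because a workflow invoked through `uses:` receives at most the caller's GITHUB_TOKEN permissions and can only narrow them further; confirm that `reqstool/.github/.github/workflows/build-docs.yml` needs nothing beyond checkout and build (no push, release or Pages deploy), and if it does, grant that scope on the `build` job rather than widening the root block. Placement between `name:` and `on:` is fine; top-level key order is not significant in a workflow file.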
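The check the CodeQL alert performs, as an added example that is not part of the PR or the reqstool project: a line-based approximation that flags jobs which inherit the default GITHUB_TOKEN scopes because neither the workflow root nor the job declares `permissions:`. It assumes two-space indentation, as in the workflow the PR adds; the sample workflows are constructed from the diff shown above.

```python
# Added example, not code from the PR or the reqstool project: a line-based
# approximation of CodeQL's "Workflow does not contain permissions" check.
# Assumes two-space indentation, as in the workflow the PR adds.
import re

KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):")


def jobs_missing_permissions(workflow_text: str) -> list[str]:
    """Return ids of jobs that run with the default GITHUB_TOKEN scopes.

    A job is covered when the workflow declares `permissions:` at the root
    (it applies to every job that does not override it) or the job itself
    declares a `permissions:` block.
    """
    root_has_permissions = False
    in_jobs = False
    current_job = None
    job_has_permissions: dict[str, bool] = {}
    for raw in workflow_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = KEY_RE.match(raw)
        if not m:
            continue  # list items and continuation lines carry no key
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:  # top-level key: name, on, permissions, jobs, ...
            in_jobs = key == "jobs"
            current_job = None
            if key == "permissions":
                root_has_permissions = True
        elif in_jobs and indent == 2:  # a job id directly under jobs:
            current_job = key
            job_has_permissions.setdefault(key, False)
        elif in_jobs and indent == 4 and current_job and key == "permissions":
            job_has_permissions[current_job] = True
    if root_has_permissions:
        return []
    return [job for job, ok in job_has_permissions.items() if not ok]


# Constructed sample: the caller workflow before and after the suggested fix.
BEFORE = """name: Build Docs
on:
  workflow_dispatch:
  pull_request:
jobs:
  build:
    uses: reqstool/.github/.github/workflows/build-docs.yml@main
"""
AFTER = BEFORE.replace("name: Build Docs\n", "name: Build Docs\npermissions:\n  contents: read\n", 1)
# jobs_missing_permissions(BEFORE) -> ['build']; jobs_missing_permissions(AFTER) -> []
```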