Migrate to reusable workflows #36
Wiz Scan Summary
    name: Call Ledger CodeQL analysis
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1
    secrets: inherit
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 4 months ago
In general, the problem is fixed by adding an explicit permissions: block that limits GITHUB_TOKEN to the least privileges necessary. This can be set at the workflow root (applies to all jobs) or at the job level. Since our snippet shows only a single job and we are invoking a reusable workflow, the safest, non-breaking approach is to add a job-level permissions: block under jobs.analyse, so the reusable workflow runs with constrained permissions. For a CodeQL analysis that only needs to read the repository contents, contents: read is a reasonable minimal baseline.
Concretely, in .github/workflows/codeql.yml, under the existing analyse job (line 13 onwards), we will insert a permissions: section at the same indentation level as name, uses, and secrets. We will set:
permissions:
  contents: read
This does not alter any existing logic or behavior of the workflow other than constraining token rights. No imports or additional methods are needed, as this is purely a YAML configuration change.
| @@ -12,5 +12,7 @@ | ||
| jobs: | ||
| analyse: | ||
| name: Call Ledger CodeQL analysis | ||
| permissions: | ||
| contents: read | ||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1 | ||
| secrets: inherit |
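Review bot: a job-level `permissions: contents: read` on a job that calls a reusable workflow caps the callee as well, because a called workflow can only hold the scopes its caller passes in; CodeQL analysis has to upload its SARIF results to code scanning, which requires `security-events: write`, so with this block alone `reusable_codeql_checks.yml` is likely to fail at the upload step. Suggest `permissions:` / `  contents: read` / `  security-events: write` here, after confirming the set against the `permissions:` declared inside the reusable workflow, so the scopes it needs are granted explicitly rather than inherited from the repository default.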
    name: Unit Tests
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1
    secrets: inherit
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 4 months ago
To fix this, explicitly define least-privilege permissions for the workflow so the GITHUB_TOKEN does not inherit potentially broad defaults. Since this workflow only dispatches a reusable unit-test workflow and does not itself perform any repository modifications, a safe minimal set is read-only access to repository contents.
The best way to do this without changing existing functionality is to add a top-level permissions: block (at the same indentation level as on: and jobs:) with contents: read. This will apply to all jobs in the workflow, including the unit_tests job that calls the reusable workflow, unless that reusable workflow overrides permissions internally. No other changes to the job definition are necessary.
Concretely, in .github/workflows/unit-tests.yml, insert:
permissions:
  contents: read
between the on: block and the jobs: block (e.g., after line 10 or 11 in the provided snippet). This requires no imports or additional methods, as it’s purely a YAML configuration change for GitHub Actions.
| @@ -9,6 +9,9 @@ | ||
| - develop | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| unit_tests: | ||
| name: Unit Tests |
|
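Review bot: the top-level `permissions: contents: read` added here also bounds what `reusable_unit_tests.yml` may do, since a called workflow cannot hold more than its caller grants; check the callee's own `permissions:` block to confirm that the unit tests need nothing beyond reading the checkout (for example `checks: write` if they publish results as check runs) and list any such scope here explicitly instead of leaving it to the repository default.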
Closing this PR for now.
This PR migrates workflows to use centralized reusable workflows from LedgerHQ/ledger-app-workflows.
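The fix both autofix comments describe (a `permissions:` block at workflow or job level, so `GITHUB_TOKEN` no longer falls back to the repository default) is what the CodeQL query "Workflow does not contain permissions" looks for. The scanner below is an added example written for this page, not code from the PR or from LedgerHQ/ledger-app-workflows: a small line-based audit that flags caller workflows with no `permissions:` block at either level and, as an informational finding, jobs that forward every repository secret with `secrets: inherit` to a reusable workflow. It assumes block-style YAML with two-space indentation (as the workflows in this PR use) so that it runs without PyYAML; the three workflow texts are constructed to mirror the before and after states shown in the two hunks.

```python
import re

# Constructed samples, not files taken from the PR: the unit-tests caller as
# the CodeQL alert saw it, the same caller with the suggested top-level
# permissions block, and a caller that scopes the token per job instead.
WORKFLOW_BEFORE = """\
name: Unit Tests
on:
  pull_request:

jobs:
  unit_tests:
    name: Unit Tests
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1
    secrets: inherit
"""

WORKFLOW_AFTER = """\
name: Unit Tests
on:
  pull_request:

permissions:
  contents: read

jobs:
  unit_tests:
    name: Unit Tests
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1
    secrets: inherit
"""

WORKFLOW_JOB_LEVEL = """\
name: CodeQL
on:
  pull_request:

jobs:
  analyse:
    name: Call Ledger CodeQL analysis
    permissions:
      contents: read
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1
    secrets: inherit
"""

# A mapping key in block-style YAML: leading spaces, identifier, colon.
KEY_RE = re.compile(r"^( *)([A-Za-z_][\w-]*):")


def _keys_at(lines, indent, start, stop):
    """Map key -> line index for keys at exactly `indent` spaces in lines[start:stop]."""
    found = {}
    for i in range(start, stop):
        m = KEY_RE.match(lines[i])
        if m and len(m.group(1)) == indent:
            found[m.group(2)] = i
    return found


def _block_end(lines, start, indent):
    """Index of the first key after `start` at `indent` or shallower
    (blank lines and deeper keys still belong to the block)."""
    for i in range(start + 1, len(lines)):
        m = KEY_RE.match(lines[i])
        if m and len(m.group(1)) <= indent:
            return i
    return len(lines)


def _value(line):
    """Scalar value after the first colon of a `key: value` line."""
    return line.split(":", 1)[1].strip()


def audit_workflow(text):
    """Return (job, code) findings for one workflow file.

    'missing-permissions': no permissions block at workflow or job level,
                           so GITHUB_TOKEN gets the repository default scopes.
    'secrets-inherit':     every repository secret is forwarded to the
                           called reusable workflow; review deliberately.
    """
    lines = text.splitlines()
    top = _keys_at(lines, 0, 0, len(lines))
    if "jobs" not in top:
        return [("<workflow>", "no-jobs")]
    has_top_perms = "permissions" in top
    findings = []
    jobs_end = _block_end(lines, top["jobs"], 0)
    for job, jstart in _keys_at(lines, 2, top["jobs"] + 1, jobs_end).items():
        jkeys = _keys_at(lines, 4, jstart + 1, _block_end(lines, jstart, 2))
        if not has_top_perms and "permissions" not in jkeys:
            findings.append((job, "missing-permissions"))
        if ("uses" in jkeys and "secrets" in jkeys
                and _value(lines[jkeys["secrets"]]) == "inherit"):
            findings.append((job, "secrets-inherit"))
    return findings


if __name__ == "__main__":
    for label, wf in [("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER),
                      ("job-level", WORKFLOW_JOB_LEVEL)]:
        print(label, audit_workflow(wf))
```

Run against the three samples, the "before" text yields both findings for `unit_tests`, while the two fixed variants keep only the informational `secrets-inherit` entry, which is the residual point a reviewer still has to decide on consciously: a `permissions:` block limits the token, but it does not limit which secrets a called workflow receives.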