
Potential fix for code scanning alert no. 4: Workflow does not contain permissions#82

Merged
fcarrero merged 1 commit into
mainfrom
alert-autofix-4
Apr 21, 2026

Conversation

@fcarrero
Collaborator

Potential fix for https://github.com/conekta/ct-conekta-java/security/code-scanning/4

Add an explicit permissions block to the workflow so GITHUB_TOKEN is least-privileged by default.
Best single fix here (without changing workflow behavior) is to set workflow-level permissions to:

  • contents: read

This supports checkout while preventing unnecessary write scopes.
Change file: .github/workflows/maven-deploy.yml, near the top-level keys (name, on, jobs), by inserting permissions between on and jobs (or any top-level location).

No imports, methods, or dependencies are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@fcarrero fcarrero marked this pull request as ready for review April 21, 2026 21:34
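As an added illustration, not the PR's own diff (which this page does not show): a constructed workflow in the shape of a `maven-deploy.yml`, first without a `permissions` block and then with the workflow-level `contents: read` the description recommends, inserted between `on` and `jobs`. The job names, steps, secret names and the extra `release` job are assumptions made for the example, not the actual contents of conekta/ct-conekta-java's workflow.

```yaml
# Constructed example, not the repository's real .github/workflows/maven-deploy.yml.
# Before: no permissions block. Every job's GITHUB_TOKEN gets the repository's
# default token permissions, which may be read-write across all scopes.
name: Maven Deploy
on:
  push:
    tags: ['v*']
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - run: mvn -B deploy
        env:
          # Publishing credentials are separate secrets (assumed names);
          # they do not depend on GITHUB_TOKEN at all.
          MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
          MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
---
# After: workflow-level least privilege. GITHUB_TOKEN is read-only on
# contents and holds no other scope in any job unless a job overrides it.
name: Maven Deploy
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # needs contents: read, which is granted
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - run: mvn -B deploy
        env:
          MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
          MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
  # Hypothetical extra job, not in the original workflow: when one job really
  # needs a write scope, grant it at the job level so the rest stays read-only.
  release:
    needs: deploy
    runs-on: ubuntu-latest
    permissions:
      contents: write   # required to create a GitHub Release on this repo
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

A job-level `permissions` block replaces the workflow-level one for that job rather than merging with it, so any scope the job needs (including `contents: read` for checkout) must be restated there. Only scopes listed in a block are granted; unlisted ones fall back to `none`.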
@atlantis-conekta

Error: This repo is not allowlisted for Atlantis.

@fcarrero fcarrero merged commit 94adbd6 into main Apr 21, 2026
5 checks passed
@fcarrero fcarrero deleted the alert-autofix-4 branch April 21, 2026 21:35
