Update the Dev branch
[FEAT] Dealer parts lookup feature
[FEAT] Add shopping cart feature
[FIX] Fix API path
[FEAT] Switch parts lookup to a read-only DB
[FIX] Fix shopping cart
| uses: 33-Auto/.github/.github/workflows/reusable-pr-reminder.yml@main | ||
| secrets: | ||
| # 해당 시크릿은 조직의 시크릿에 저장되어 있음 | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | ||
| with: | ||
| SLACK_USER_MAP: ${{ vars.SLACK_USER_MAP }} No newline at end of file |
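Review bot: the `uses:` line references the reusable workflow by a mutable branch (`reusable-pr-reminder.yml@main`), so any change pushed to that branch of 33-Auto/.github runs in this repository's context with access to the SLACK_WEBHOOK_URL secret passed on the `secrets:` line; pin the reference to a release tag or, better, a full commit SHA and bump it deliberately. The comment already notes the secret lives at the organization level, which is the right place for a shared webhook, but it would help to also state who owns rotation of that secret since this workflow cannot rotate it itself.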
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium severity)
Copilot Autofix (AI), 4 months ago
To fix this issue, add an explicit permissions block with the least required permissions for the workflow. Since the top-level workflow here simply calls a reusable workflow and doesn't appear to need any write access, start by restricting the permissions to contents: read, which will prevent any accidental write operations to the repository. If the reusable workflow requires extra permissions such as issues: write or pull-requests: write, add those specifically; otherwise, keep to just contents: read. Place the permissions: key at the root level (between the name: and the on: block) in .github/workflows/pr-reminder.yml.
| @@ -1,4 +1,6 @@ | ||
| name: PR Reminder | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| schedule: |
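Review bot: the new top-level `permissions:` block with `contents: read` is the right default for a caller whose only job invokes a reusable workflow, but keep in mind that a called reusable workflow can never receive more than the caller grants, so this block also caps whatever reusable-pr-reminder.yml does internally; before merging, check which permissions that reusable workflow actually uses (a PR reminder that posts to Slack would typically need at most `pull-requests: read`) and add only that scope here explicitly rather than widening the block later to a write scope.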
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Trigger infra repo deploy workflow | ||
| uses: peter-evans/repository-dispatch@v3 | ||
| with: | ||
| token: ${{ secrets.ORGANIZATION_TOKEN }} | ||
| # [중요] 아래 repository 값은 모든 앱이 공유하는 '중앙 인프라 리포지토리' 주소이다. | ||
| repository: 33-Auto/Sampoom-Management-Infra | ||
| event-type: deploy | ||
| # 'Sampoom-Management-Backend-Part'은 스크립트가 동적으로 치환할 자리표시자(placeholder)이다. | ||
| client-payload: '{"service":"Sampoom-Management-Backend-Part","branch":"main"}' No newline at end of file |
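Review bot: the dispatch step authenticates with `secrets.ORGANIZATION_TOKEN` on the `token:` line, a personal access token, so the effective blast radius of this workflow is that token's scope, not the job's GITHUB_TOKEN; scope the PAT (or replace it with a GitHub App installation token) to 33-Auto/Sampoom-Management-Infra with only the access repository_dispatch requires, and document the expected scope in a comment beside `token:`. The `[중요]` comment says a script dynamically substitutes the `Sampoom-Management-Backend-Part` placeholder in `client-payload:`; name that script in the comment so a reviewer can verify both the substituted service value and that the hard-coded `"branch":"main"` is the branch the infra repository is meant to deploy.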
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium severity)
Copilot Autofix (AI), 4 months ago
To fix the problem, we should add a permissions: block to the workflow, specifically to the job trigger-infra in .github/workflows/trigger_infra.yml. This block should specify least-privilege permissions needed for the workflow to perform its tasks. Since this workflow primarily uses a personal access token to dispatch events to another repository and does not modify contents, most likely only contents: read is required for minimal safety (unless future steps are added that need more).
Add the following lines just before the runs-on: line of the job definition:
permissions:
  contents: read
If analysis of all steps confirms that no further permissions are required, this is the most secure approach.
| @@ -7,6 +7,8 @@ | ||
|
|
||
| jobs: | ||
| trigger-infra: | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Trigger infra repo deploy workflow |
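Review bot: the job-level `permissions:` block with `contents: read` on `trigger-infra` clears the CodeQL alert but does not constrain the credential actually in play; the only step in this job authenticates with `secrets.ORGANIZATION_TOKEN`, and GITHUB_TOKEN is never used, so the explanation's "most likely only contents: read is required" describes an upper bound rather than a need. With no checkout step in the job, an empty `permissions: {}` would be the tighter and equally functional choice; whichever is kept, add a comment on the block stating that the dispatch authority comes from the PAT, so a later reader does not assume this block governs it.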
|
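Both CodeQL alerts on this PR are the same finding, "Workflow does not contain permissions", and both autofixes are the same remedy applied at a different level (top-level for the reusable-workflow caller, job-level for trigger-infra). The checker below is an added example, not part of this PR or of the 33-Auto project: it scans workflow text for a `permissions:` key at the top level or on every job, which is the rule the alert enforces, so the same check can run as a pre-commit or CI step before CodeQL does. The sample workflows are constructed from the lines visible in this PR; the job name `remind`, the cron schedule and the `push` trigger are placeholders, and the parser is a deliberate indentation scan rather than a YAML library so it has no dependencies.

```python
"""Flag GitHub Actions workflows that declare no `permissions:` block.

Mirrors the CodeQL alert "Workflow does not contain permissions": a workflow
passes when it sets `permissions:` at the top level, or when every job under
`jobs:` sets its own.  Keys are found with a small indentation-based scan
(no PyYAML), which is sufficient for the flat key layout of workflow files.
"""
import re
from typing import List, Tuple

# Matches a mapping key at the start of a line (after indentation).
# List items such as "- name: ..." deliberately do not match.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+)\s*:")


def _keys(text: str) -> List[Tuple[int, str, int]]:
    """Return (indent, key, line_number) for every mapping key in `text`."""
    found = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop full-line and trailing comments
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if m:
            found.append((len(m.group(1)), m.group(2), lineno))
    return found


def check_workflow(text: str) -> List[str]:
    """Return findings for `text`; an empty list means the workflow is compliant."""
    keys = _keys(text)
    if any(ind == 0 and key == "permissions" for ind, key, _ in keys):
        return []  # a top-level block covers every job

    jobs_pos = next((i for i, (ind, key, _) in enumerate(keys)
                     if ind == 0 and key == "jobs"), None)
    if jobs_pos is None:
        return ["no top-level permissions: and no jobs: block found"]

    # Collect each job and the keys nested beneath it until the next top-level key.
    jobs = []  # [job_name, line_number, [(indent, key), ...]]
    job_indent = None
    for ind, key, lineno in keys[jobs_pos + 1:]:
        if ind == 0:
            break
        if job_indent is None:
            job_indent = ind
        if ind == job_indent:
            jobs.append([key, lineno, []])
        elif jobs:
            jobs[-1][2].append((ind, key))

    findings = []
    for name, lineno, children in jobs:
        # Direct job keys sit at the shallowest indent below the job name.
        direct = min((ind for ind, _ in children), default=None)
        if not any(ind == direct and key == "permissions" for ind, key in children):
            findings.append(
                f"job '{name}' (line {lineno}) has no permissions: block "
                "and the workflow has no top-level permissions:"
            )
    return findings


def is_compliant(text: str) -> bool:
    return not check_workflow(text)


# Constructed samples modelled on the two workflows in this PR; the job name
# "remind", the cron schedule and the push trigger are placeholders.
PR_REMINDER_BEFORE = """\
name: PR Reminder
on:
  schedule:
    - cron: "0 9 * * 1-5"
jobs:
  remind:
    uses: 33-Auto/.github/.github/workflows/reusable-pr-reminder.yml@main
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
    with:
      SLACK_USER_MAP: ${{ vars.SLACK_USER_MAP }}
"""

# The first autofix: a top-level block placed between name: and on:.
PR_REMINDER_AFTER = PR_REMINDER_BEFORE.replace(
    "name: PR Reminder\n", "name: PR Reminder\npermissions:\n  contents: read\n", 1)

TRIGGER_INFRA_BEFORE = """\
name: Trigger Infra Deploy
on:
  push:
    branches: [main]
jobs:
  trigger-infra:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger infra repo deploy workflow
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.ORGANIZATION_TOKEN }}
          repository: 33-Auto/Sampoom-Management-Infra
          event-type: deploy
          client-payload: '{"service":"Sampoom-Management-Backend-Part","branch":"main"}'
"""

# The second autofix: a job-level block just before runs-on:.
TRIGGER_INFRA_AFTER = TRIGGER_INFRA_BEFORE.replace(
    "    runs-on:", "    permissions:\n      contents: read\n    runs-on:", 1)

if __name__ == "__main__":
    for label, wf in [("pr-reminder (before)", PR_REMINDER_BEFORE),
                      ("pr-reminder (after)", PR_REMINDER_AFTER),
                      ("trigger_infra (before)", TRIGGER_INFRA_BEFORE),
                      ("trigger_infra (after)", TRIGGER_INFRA_AFTER)]:
        print(label, "->", check_workflow(wf) or "OK")
```

The check intentionally treats a top-level block as sufficient even when a job also declares one, because GitHub applies the job-level block in that case and the top-level block still guarantees no job runs with the default token scope; a stricter policy (for example requiring `permissions: {}` on jobs that never use GITHUB_TOKEN, as trigger-infra does not) would be a separate rule layered on top of this one.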
Important: Review skipped
Auto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the
You can disable this status message by setting the
📝 Summary
Bring the main branch up to date
🙏 Question & PR point
📬 Reference