Conversation
[FEAT] 부품 기본 기능 구현
[FEAT] CI 설정 수정 및 엔티티 정리
Dev브랜치를 업데이트합니다
[FEAT] 단일 부품 조회 API 추가
chore(CI): 🔧 CI 관련 워크플로우 등록, gitignore 업데이트
[FIX]API 경로 수정
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| uses: 33-Auto/.github/.github/workflows/reusable-assign-issue-creator.yml@main | ||
| # 이 워크플로우는 secrets를 전달할 필요가 없지만, 필요 시 아래와 같이 전달합니다. | ||
| # secrets: inherit No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 months ago
The best way to fix this issue is to explicitly set a permissions block at the workflow or job level in .github/workflows/assign-issue-creator.yml, restricting the GitHub token's access to only what is necessary. Since this workflow does not run its own steps (only calls a reusable workflow), the minimal reasonable permissions for it would be contents: read, unless further write permissions are required by the reusable workflow and not inherited. To be safe and general, apply the permissions block at the top level (immediately below name and before on), as this will apply to all jobs unless overridden. No additional imports, methods, or definitions are required—just an edit to the YAML file.
| @@ -1,6 +1,8 @@ | ||
| # 각 레포지토리의 .github/workflows/assign-issue-creator.yml | ||
|
|
||
| name: Assign issue creator | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| issues: |
| if: > | ||
| github.event.pull_request.merged == true && | ||
| github.event.pull_request.base.ref == 'dev' | ||
| uses: 33-Auto/.github/.github/workflows/reusable-close-linked-issues.yml@main | ||
| # with를 통해 재사용 워크플로우의 inputs에 값을 전달합니다. | ||
| with: | ||
| pr-body: ${{ github.event.pull_request.body }} | ||
| issue-number: ${{ github.event.pull_request.number }} | ||
| secrets: inherit # 재사용 워크플로우가 GITHUB_TOKEN을 사용할 수 있도록 전달 No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 months ago
The best fix is to add a permissions block at the root level of your workflow, immediately below the name key and above the on key, to explicitly set the minimal required privileges. Since the job involves closing issues when a PR is merged, it will require specific issues: write permission and contents: read to access the code if needed, but should not require broader write permissions. If the workflow manipulates pull requests as part of its tasks, also consider pull-requests: write. In general, set contents: read as the baseline, then add issues: write and/or pull-requests: write if needed for closing issues and updating PRs. Edit .github/workflows/close-issues-on-dev-merge.yml to insert the permissions block after the workflow name.
| @@ -1,6 +1,9 @@ | ||
| # 각 레포지토리의 .github/workflows/close-issues-on-dev-merge.yml | ||
|
|
||
| name: Auto Close Issues on dev merge | ||
| permissions: | ||
| contents: read | ||
| issues: write | ||
|
|
||
| on: | ||
| pull_request: |
| uses: 33-Auto/.github/.github/workflows/reusable-pr-reminder.yml@main | ||
| secrets: | ||
| # 해당 시크릿은 조직의 시크릿에 저장되어 있음 | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | ||
| with: | ||
| SLACK_USER_MAP: ${{ vars.SLACK_USER_MAP }} No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 months ago
To fix the problem, add a permissions: block at the top level of the workflow file, defining the minimal required permissions for this workflow/job. Since the workflow simply calls a reusable workflow and does not seem to require repository write access or permission to interact with PRs/issues directly (all logic and required permissions for those actions should live in the reusable workflow itself), the minimal safe permissions are contents: read.
Add the permissions: key immediately below the workflow name: line and before the on: section. This block will apply to all jobs in this workflow unless a more specific permissions block is defined at the job level. No new modules or code structures are necessary, only this addition to the YAML workflow file.
| @@ -1,4 +1,6 @@ | ||
| name: PR Reminder | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| schedule: |
| uses: 33-Auto/.github/.github/workflows/reusable-pr-assign-and-review.yml@main | ||
| with: | ||
| team-slug-for-review: "review_avengers" # 여기에 리뷰를 요청할 팀의 slug를 입력합니다. | ||
| pr-author: ${{ github.event.pull_request.user.login }} | ||
| pr-number: ${{ github.event.pull_request.number }} | ||
| secrets: | ||
| ORGANIZATION_TOKEN: ${{ secrets.ORGANIZATION_TOKEN }} # 재사용 워크플로우가 ORGANIZATION_TOKEN을 사용할 수 있도록 전달 |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 months ago
To fix the problem, an explicit permissions block should be added to the workflow YAML to limit the GITHUB_TOKEN's permissions. The block can be placed at the workflow root (affecting all jobs), or specifically for the single job if only one exists. The safest approach is adding it to the workflow root, as this workflow only has one job. For requesting PR reviews, contents: read and pull-requests: write are usually sufficient; these allow the workflow to read repo contents and request reviews or assign PRs, but not make broad changes. The change should be made at the top of the file, after the name field and before the on block.
No new imports or definitions are required. Only the addition of a small YAML block is necessary.
| @@ -2,6 +2,10 @@ | ||
|
|
||
| name: PR Assignee & Team Review Request | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, reopened, ready_for_review] |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Trigger infra repo deploy workflow | ||
| uses: peter-evans/repository-dispatch@v3 | ||
| with: | ||
| token: ${{ secrets.ORGANIZATION_TOKEN }} | ||
| # [중요] 아래 repository 값은 모든 앱이 공유하는 '중앙 인프라 리포지토리' 주소이다. | ||
| repository: 33-Auto/Sampoom-Management-Infra | ||
| event-type: deploy | ||
| # 'Sampoom-Management-Backend-Part'은 스크립트가 동적으로 치환할 자리표시자(placeholder)이다. | ||
| client-payload: '{"service":"Sampoom-Management-Backend-Part","branch":"main"}' No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 months ago
To address this issue, add an explicit permissions: block to restrict the privileges granted to the workflow. Since the workflow only dispatches another workflow using a separately supplied token and does not need to modify any repository data or use the GITHUB_TOKEN for write operations, the permissions can be set to minimal read access. Add the following line immediately after the workflow name: field but before on:; this sets the default permission for all jobs. The optimal value is permissions: {} (no permissions at all), but if any minimal GitHub information is required you can use contents: read. For maximal safety, start with permissions: {}.
Steps:
- Insert
permissions: {}at line 2, immediately aftername: Trigger Infra CD.
| @@ -1,4 +1,5 @@ | ||
| name: Trigger Infra CD | ||
| permissions: {} | ||
|
|
||
| on: | ||
| push: |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
33Auto-Bot
requested review from
CHOOSLA,
Lee-Jong-Jin,
Sangyoon98,
taemin3 and
vivivim
6 participants
📝 Summary
🙏 Question & PR point
📬 Reference