From 6d1439f38f4c78595b8bd2eb24507d94121800d4 Mon Sep 17 00:00:00 2001 From: Cindy Hill <110551331+cinderellasecure@users.noreply.github.com> Date: Tue, 21 Oct 2025 11:22:48 -0600 Subject: [PATCH 1/2] Potential fix for code scanning alert no. 5: Workflow does not contain permissions As part of the organization's transition to default read-only permissions for the GITHUB_TOKEN, this pull request addresses a missing permission in the workflow that triggered a code scanning alert. This PR explicitly adds the required read permissions to align with the default read only permission and is part of a larger effort for this OKR github/security-services#455 Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a65f973a0..6105adaa7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,6 @@ name: CI +permissions: + contents: read on: [pull_request] From 6b4ce7729dc27d491eb7eb11759771d816a481c4 Mon Sep 17 00:00:00 2001 From: Jason White Date: Wed, 5 Nov 2025 14:12:05 -0700 Subject: [PATCH 2/2] Potential fix for code scanning alert no. 3: Workflow does not contain permissions adding to existing branch, existing PR for similar alert Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/replica-tests.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/replica-tests.yml b/.github/workflows/replica-tests.yml index 9641727a2..957d7a176 100644 --- a/.github/workflows/replica-tests.yml +++ b/.github/workflows/replica-tests.yml @@ -1,4 +1,6 @@ name: migration tests +permissions: + contents: read on: [pull_request]
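Review bot: in the `.github/workflows/ci.yml` hunk, the new top-level `permissions:` block with `contents: read` applies to every job in the workflow, and the hunk shows only the header (`name: CI`, `on: [pull_request]`), so the jobs themselves are not visible for checking against it. Once a `permissions:` block is present, every scope not listed in it is set to no access, so a step that uses the GITHUB_TOKEN for anything beyond reading repository contents will start failing. Please confirm with a CI run on a pull request opened from a branch in this repository that all jobs still pass. If a job needs an additional scope, grant it in a `permissions:` block on that job only and keep the workflow-level default at `contents: read`.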
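Review bot: the commit message for the `.github/workflows/replica-tests.yml` hunk ("adding to existing branch, existing PR for similar alert") does not record whether the jobs in the `migration tests` workflow were checked against the new restriction. The added `permissions:` block with `contents: read` sits at workflow level, so it sets every other GITHUB_TOKEN scope to no access for all jobs in the file. Please state in the commit message or the PR description that these jobs only need to read repository contents. If any job needs more, add a job-level `permissions:` block for that job instead of widening the top-level one.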