chore: update @nylas/web-elements to 2.3.2 (#37)
…d Slack notification script
| name: Notify Slack | ||
| runs-on: ubuntu-latest | ||
| needs: release | ||
| if: needs.release.outputs.published == 'true' | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: ${{ env.NODE_VERSION }} | ||
|
|
||
| - name: Setup pnpm | ||
| uses: pnpm/action-setup@v4 | ||
| with: | ||
| run_install: false | ||
|
|
||
| - name: Install dependencies | ||
| run: pnpm install --frozen-lockfile | ||
|
|
||
| - name: Send Slack notification | ||
| run: pnpm slack:notify '${{ needs.release.outputs.publishedPackages }}' ${{ vars.SLACK_WEBHOOK_URL }} |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 28 days ago
To fix the problem, add an explicit permissions block to the notify job so it does not inherit potentially broad repository defaults. This block should grant only the minimal necessary access. Since notify just checks out code and runs a pnpm-based Slack notification script, contents: read is sufficient.
Concretely, in .github/workflows/release.yml, under the notify job (around line 99, right after runs-on: ubuntu-latest and before needs: release), insert:
    permissions:
      contents: read

This keeps existing functionality intact while constraining GITHUB_TOKEN for this job to read-only repository contents. No new imports, methods, or other definitions are required; this is purely a workflow configuration change.
| @@ -98,6 +98,8 @@ | ||
| notify: | ||
| name: Notify Slack | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| needs: release | ||
| if: needs.release.outputs.published == 'true' | ||
|
|
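Review bot: `contents: read` is the right scope for `notify`, since `actions/checkout` is the only step that uses the token, but a job-level block narrows only this job. The alert is titled "Workflow does not contain permissions", and the `release` job that `notify` depends on still inherits the repository default unless it declares its own block. Suggest adding a workflow-level `permissions:` / `contents: read` as the baseline and giving `release` an explicit block listing only the scopes it actually needs, so every job in the file starts from read-only and any elevation is visible in the diff.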
No description provided.