Refactor folder-collection and api-services to reusable .NET CI/CD workflow#2578
JacobWang-bc merged 39 commits into dev from
… fixed pull_request paths
…ut Tekton Pipelines
| uses: ./.github/workflows/_reusable-dotnet-cicd.yml | ||
| with: | ||
| image_name: api | ||
| csproj_path: api/net/TNO.API.csproj | ||
| dockerfile: api/net/Dockerfile | ||
| component: api-services | ||
| deployment_name: api-services | ||
| kustomize_dev_path: openshift/kustomize/api-services/overlays/dev | ||
| kustomize_test_path: openshift/kustomize/api-services/overlays/test | ||
| dev_branch: folder-collection | ||
| rollout_timeout: '600s' | ||
| continue_on_error_verify: true | ||
| health_check_method: port_forward | ||
| secrets: | ||
| OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} |
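Review bot: `dev_branch: folder-collection` in the api-services call reads like this PR's own feature branch being used as the deploy-to-dev trigger; once the PR merges into dev, whatever the reusable workflow keys off that input will no longer match, so confirm the intended long-term value before merging. Separately, `continue_on_error_verify: true` means a failed rollout verification for api-services still produces a green run; a short comment next to it explaining why this component tolerates that (while its 600s `rollout_timeout` is already the generous one) would help the next reader.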
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 13 days ago:
In general, this issue is fixed by explicitly setting the permissions for the GITHUB_TOKEN in the workflow, either at the top level (applies to all jobs) or per job. For reusable workflows, the caller workflow should still define its own minimal permissions so that it does not rely on repo/org defaults and so that any jobs it defines locally (now or in the future) inherit least-privilege settings.
The best fix here is to add a permissions block at the root of .github/workflows/api-services-cicd.yml, between the on: section and the concurrency: section. As a conservative, minimal starting point that aligns with GitHub’s recommendation and will be accepted by CodeQL, we can set contents: read. This allows the workflow and the reusable workflow it calls to read repository contents (necessary for typical build and CI steps) while preventing write access (e.g., pushing commits, creating releases) unless later explicitly allowed. If this workflow actually needs to perform write operations (for example, updating deployment manifests in the repo), additional specific write scopes (such as contents: write) can be added later, but we will not assume that without seeing such steps.
Concretely, modify .github/workflows/api-services-cicd.yml by inserting:

permissions:
  contents: read

after the push: block (after line 18) and before the existing concurrency: block (line 20). No imports or additional definitions are needed, as this is pure workflow configuration.
| @@ -17,6 +17,9 @@ | ||
| - openshift/kustomize/api-services/** | ||
| - .github/workflows/api-services-cicd.yml | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: api-services-${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true |
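Review bot: `contents: read` at the caller root is the right baseline, but it also becomes the ceiling for `_reusable-dotnet-cicd.yml`: a called reusable workflow can only lower the GITHUB_TOKEN scopes it receives from the caller, never raise them, so any scope the reusable workflow needs must be granted in this caller file, not inside the reusable workflow. Before applying the block, check the reusable workflow for steps that need a write scope on GITHUB_TOKEN; deployment here authenticates with `OPENSHIFT_TOKEN`, so `contents: read` is likely sufficient, but a failed job after merge would be the symptom if it is not.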
| uses: ./.github/workflows/_reusable-dotnet-cicd.yml | ||
| with: | ||
| image_name: folder-collection-service | ||
| csproj_path: services/net/folder-collection/TNO.Services.FolderCollection.csproj | ||
| dockerfile: services/net/folder-collection/Dockerfile | ||
| component: folder-collection-service | ||
| deployment_name: folder-collection-service | ||
| kustomize_dev_path: openshift/kustomize/services/folder-collection/overlays/dev | ||
| kustomize_test_path: openshift/kustomize/services/folder-collection/overlays/test | ||
| dev_branch: folder-collection | ||
| rollout_timeout: '180s' | ||
| continue_on_error_verify: false | ||
| health_check_method: exec_curl | ||
| secrets: | ||
| OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} |
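Review bot: `health_check_method: exec_curl` presumably runs curl inside the folder-collection pod, so the image built from `services/net/folder-collection/Dockerfile` must actually ship a curl binary; with `continue_on_error_verify: false` a missing binary fails the whole job rather than just the check, so confirm the base image includes it or use `port_forward` as the api-services call does. Passing `OPENSHIFT_TOKEN` explicitly under `secrets:` instead of `secrets: inherit` is the right choice and worth keeping as the pattern for further callers.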
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 13 days ago:
To fix the problem, add an explicit permissions block that sets least-privilege GITHUB_TOKEN permissions. The most conservative and generally recommended default is contents: read at the workflow (root) level, which applies to all jobs unless they override it. This documents the intended permission level and prevents the workflow from accidentally inheriting broader write permissions from repository or organization defaults.
In this specific file, the best minimal fix without altering existing functionality is to add a top-level permissions: block after the on: section (before concurrency: and jobs:), with contents: read. If the reusable workflow needs additional scopes (e.g., pull-requests: write), those should ideally be added in that reusable workflow; since we cannot see or modify it here, we will keep the change minimal and safe by only granting read access to repository contents. No extra imports or dependencies are needed; this is purely a YAML configuration change in .github/workflows/folder-collection-cicd.yml.
| @@ -17,6 +17,9 @@ | ||
| - openshift/kustomize/services/folder-collection/** | ||
| - .github/workflows/folder-collection-cicd.yml | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: folder-collection-${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true |
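Review bot: the rendered diff drops indentation, so when applying this make sure `contents: read` is nested two spaces under `permissions:`; a top-level `contents:` is not a recognized workflow key, the workflow would be rejected and the alert would remain. Apply the identical block to api-services-cicd.yml in the same commit so the two callers stay aligned, and note that this caller-level block caps what `_reusable-dotnet-cicd.yml` can use, so any additional scope would have to be granted here rather than in the reusable workflow.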
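An added example, not code from the PR or the TNO repository, that implements the check behind both CodeQL alerts above as a small Python lint: it resolves which GITHUB_TOKEN permissions each job ends up with (the job's block, else the root block, else the repository default that CodeQL flags) and, for a `uses:` job, records that the called reusable workflow inherits that result unchanged. The workflow is supplied as an already-parsed dict constructed to mirror api-services-cicd.yml, and the job name `cicd` is an assumption.

```python
# Added example, not from the PR: implements the rule behind the CodeQL alert
# "Workflow does not contain permissions" over a parsed workflow dict.
from typing import Optional, Union

Perms = Union[str, dict]  # "read-all"/"write-all" or a {scope: level} mapping


def effective_permissions(workflow: dict, job_name: str) -> Optional[Perms]:
    """GITHUB_TOKEN permissions a job runs with: the job's own block wins,
    then the root block; None means the repository/organization default
    applies, which is exactly the condition CodeQL flags."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")


def lint_permissions(workflow: dict) -> list:
    """One finding per job with no explicit permissions at either level."""
    findings = []
    for name, job in workflow["jobs"].items():
        if effective_permissions(workflow, name) is None:
            msg = f"job '{name}': GITHUB_TOKEN permissions not set at root or job level"
            if "uses" in job:
                # A called reusable workflow can only lower the scopes it is
                # handed by the caller, never raise them, so the caller's
                # (missing) block is what the callee inherits too.
                msg += f"; inherited unchanged by {job['uses']}"
            findings.append(msg)
    return findings


# Constructed caller mirroring api-services-cicd.yml before the autofix
# (job name 'cicd' is an assumption; the PR page does not show it).
CALLER_BEFORE = {
    "on": {"push": {"paths": ["openshift/kustomize/api-services/**",
                              ".github/workflows/api-services-cicd.yml"]}},
    "concurrency": {"group": "api-services-${{ github.workflow }}-${{ github.ref }}",
                    "cancel-in-progress": True},
    "jobs": {"cicd": {
        "uses": "./.github/workflows/_reusable-dotnet-cicd.yml",
        "with": {"image_name": "api", "component": "api-services"},
        "secrets": {"OPENSHIFT_TOKEN": "${{ secrets.OPENSHIFT_TOKEN }}"},
    }},
}
# The same caller with the suggested root-level least-privilege block applied.
CALLER_AFTER = {**CALLER_BEFORE, "permissions": {"contents": "read"}}

if __name__ == "__main__":
    for label, wf in (("before", CALLER_BEFORE), ("after", CALLER_AFTER)):
        print(label, lint_permissions(wf) or "ok: every job has explicit permissions")
```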