Conversation
KSM-13: Technology infrastructure standardization across cogpy org. - Added standardized .gitattributes (LFS only for >50MB ML models) - Added GIT_LFS_SKIP_SMUDGE=1 to all workflows - Added CI workflow (node template from cogpilot.jl patterns) - Added release workflow for tag-based releases
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Build & Test | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '22' | ||
|
|
||
| - name: Setup pnpm | ||
| uses: pnpm/action-setup@v4 | ||
| with: | ||
| version: 9 | ||
|
|
||
| - name: Install dependencies | ||
| run: pnpm install --frozen-lockfile 2>/dev/null || pnpm install | ||
|
|
||
| - name: Type check | ||
| run: pnpm tsc --noEmit 2>/dev/null || echo "TypeScript check skipped" | ||
|
|
||
| - name: Lint | ||
| run: pnpm lint 2>/dev/null || echo "Lint skipped" | ||
|
|
||
| - name: Build | ||
| run: pnpm build 2>/dev/null || echo "Build skipped" | ||
|
|
||
| - name: Test | ||
| run: pnpm test 2>/dev/null || pnpm vitest run 2>/dev/null || echo "Tests skipped" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 11 days ago
To fix the issue, explicitly define permissions so the GITHUB_TOKEN is restricted to the minimal access required. In this workflow, the job only checks out code and runs local Node/pnpm commands; it does not push commits, create releases, or modify issues/PRs. Therefore, contents: read is sufficient.
The best fix without changing functionality is to add a permissions block at the workflow root level so it applies to all jobs (there is currently only build). Place it after the on: or concurrency: section and before jobs:. Set contents: read to match GitHub’s recommended minimal starting point. No additional imports or methods are needed; this is purely a YAML configuration change in .github/workflows/ci.yml.
Concretely: edit .github/workflows/ci.yml to insert:
permissions:
contents: readbetween the concurrency block and the jobs: key (or immediately after on:; both are valid, but placing it before jobs: keeps the structure clear).
| @@ -21,6 +21,9 @@ | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build & Test |
2 participants
KSM-13: Technology Infrastructure Standardization
Part of the cogpy org-wide infrastructure improvement from KSM Evolution Cycle 13.
Changes
Ref: ksm-evolve-technology-infrastructure