GPlay API 2026.01 #92
Conversation
srikanthlogic
commented
Feb 11, 2026
- Postman to Bruno
- Technical debt clearance
- MCP Server
- Agent Skills
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 18 | ||
|
|
||
| - name: Check out repository code and Install | ||
| uses: actions/checkout@v4 | ||
| - run: npm install | ||
| - run: npm run generateoas | ||
| - run: npm start & npx wait-on http://localhost:3000 | ||
| - run: npm test |
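Review bot: This job runs with the default GITHUB_TOKEN permissions because the workflow declares no `permissions:` block, which is the finding CodeQL raises below; add `permissions: contents: read` at the workflow root (or on the `bruno` job) so the token can only clone the repository. Two smaller points in the same steps: `- run: npm install` will resolve dependencies afresh and silently accept drift from `package-lock.json`, so `npm ci` is the better choice for CI (it installs exactly the locked tree and fails if the lockfile is out of sync); and `- run: npm start & npx wait-on http://localhost:3000` backgrounds the server with no timeout, so if `npm start` crashes the step hangs until wait-on's default timeout rather than failing fast; `npx wait-on -t 60000 http://localhost:3000` (wait-on's timeout flag, in milliseconds) bounds that.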
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 3 months ago
In general, this issue is fixed by adding an explicit permissions block that scopes the GITHUB_TOKEN to the least privileges required. This can be done either at the workflow root (applies to all jobs) or within the specific job. Since this workflow has a single job and appears to only need read access to clone the repository, contents: read is sufficient as a minimal starting point.
The best fix without changing existing functionality is to add a permissions section at the workflow root, directly under the name: (or on:) key. This will apply to all jobs (currently only bruno) and ensure the GITHUB_TOKEN is restricted to repository contents read access, which is enough for actions/checkout and typical Node-based CI steps. No additional imports, methods, or definitions are required—this is purely a YAML configuration change in .github/workflows/bruno.yml, around lines 1–4, adding:
permissions:
  contents: read
| @@ -1,5 +1,8 @@ | ||
| name: Bruno Run | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| push: |
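Review bot: Placing `permissions:` / `contents: read` at the workflow root between `name:` and `on:` is correct for this workflow, since the only job checks out the repository and runs tests, and it closes the CodeQL finding without touching the job. One caveat worth a comment in the file: a job-level `permissions:` block does not extend the root block but replaces it, so if a later job needs a write scope (publishing, commenting on the PR) it must restate `contents: read` alongside that scope or it loses checkout access.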
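The autofix comment above says the permissions block can live at the workflow root or on a specific job. The following is an added example, not part of this PR or the project's workflow, showing both together: a read-only root default plus one hypothetical `report` job (an assumption for illustration) that needs a single write scope. The `npm ci` and wait-on timeout are also added suggestions, not the PR's steps.

```yaml
# Added example (not from the PR): least-privilege GITHUB_TOKEN scoping
# across two jobs. The root block makes every job read-only by default;
# only the job that must write declares the extra scope it needs.
name: Bruno Run

on:
  workflow_dispatch:
  push:

# Default for every job: the token can only read repository contents.
permissions:
  contents: read

jobs:
  bruno:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18
      - run: npm ci            # installs exactly package-lock.json; fails on drift
      - run: npm run generateoas
      - run: npm start & npx wait-on -t 60000 http://localhost:3000   # fail fast if the server never comes up
      - run: npm test

  # Hypothetical job (assumption, not in the PR) that posts results to the PR.
  # A job-level permissions block REPLACES the root block rather than extending it,
  # so contents: read must be restated here or this job loses checkout access.
  report:
    needs: bruno
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "post test results to the pull request here"
```

Every scope not listed in a job-level `permissions:` block is set to none, so the `report` job ends up with exactly two scopes, and the `bruno` job inherits only `contents: read` from the root.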