| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| ruby_version: ['3.3', '3.4'] | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v3 | ||
|
|
||
| - name: Set up ruby | ||
| uses: ruby/setup-ruby@v1 | ||
| with: | ||
| ruby-version: ${{ matrix.ruby_version }} | ||
|
|
||
| - name: Build the lib | ||
| run: make build | ||
|
|
||
| - name: Build the image | ||
| run: docker build . -t local/test -f Dockerfile.test --build-arg BASE_IMAGE=public.ecr.aws/lambda/ruby:${{ matrix.ruby_version }} | ||
|
|
||
| - name: Run tests | ||
| uses: aws/containerized-test-runner-for-aws-lambda@v1 | ||
| with: | ||
| suiteFileArray: '["./test/dockerized/suites/*.json"]' | ||
| dockerImageName: 'local/test' | ||
| taskFolder: './test/dockerized/tasks' |
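Review bot: the three third-party actions in this job (actions/checkout@v3, ruby/setup-ruby@v1, aws/containerized-test-runner-for-aws-lambda@v1) are referenced by mutable tags; pinning each to a full-length commit SHA (keeping the tag in a trailing comment for readability) prevents a moved or compromised tag from silently changing what runs in CI, and actions/checkout@v3 is a generation behind (v4 exists). The job also declares no permissions: block in the visible lines, so the default GITHUB_TOKEN scopes apply; checkout, make build, docker build and the test runner need only contents: read.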
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium). This autofix suggestion was applied.

Copilot Autofix (AI), 11 days ago:
In general, you fix this issue by explicitly declaring a permissions: block either at the top level of the workflow (applies to all jobs) or under the specific job, granting only the scopes needed (typically contents: read for basic CI). Since this workflow only checks out code, sets up Ruby, builds, and runs tests, it appears to need only read access to repository contents, so contents: read is an appropriate minimal permission.
The best fix without changing existing functionality is to add a root-level permissions: block right after the name: (line 1) and before the on: block (line 3). This keeps the job definition intact and ensures any future jobs in this workflow inherit the same minimal permissions unless they override them. Concretely, in .github/workflows/dockerized-test.yml, insert:
permissions:
  contents: read
on new lines between current lines 1 and 3 (shifting the rest down). No additional methods, imports, or definitions are needed: this is a pure workflow configuration change.
| @@ -1,5 +1,8 @@ | ||
| name: dockerized-test | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ main ] |
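Review bot: the root-level permissions: contents: read is the right minimal scope here, since nothing in the job writes back to the repository, and placing it above the jobs means any job added later inherits it unless it overrides. One thing to confirm on the on: block: the visible lines trigger only on push to main, so unless a pull_request trigger follows below this hunk, the dockerized harness runs only after merge rather than on incoming pull requests.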
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
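The CodeQL finding above is a workflow-level lint: it fires when neither the workflow nor the job declares a permissions: block, leaving the default GITHUB_TOKEN scopes in place. The following is an added example, not code from this PR or the aws-lambda-ruby-runtime project, that reimplements that check in Ruby (the project's language) using only the standard-library YAML parser, and goes one step further than CodeQL by also listing uses: references that are pinned to a tag instead of a 40-hex commit SHA. The two embedded workflows are constructed samples modelled on the one in this PR; the SHA in the second is a placeholder, not a real commit.

```ruby
# Added example (not from the PR or the project): a small lint in the spirit of the
# CodeQL "Workflow does not contain permissions" check. It parses a GitHub Actions
# workflow, reports jobs that get no explicit `permissions:` (neither at the top
# level nor on the job), and lists `uses:` references not pinned to a commit SHA.
require 'yaml'

# A full-length git commit id: 40 lowercase hex characters.
SHA_PIN = /\A[0-9a-f]{40}\z/

# Returns the names of jobs that inherit the default (broad) GITHUB_TOKEN scopes,
# i.e. jobs with no job-level permissions when there is no workflow-level block.
def jobs_without_permissions(workflow)
  return [] if workflow.key?('permissions') # top-level block covers every job
  jobs = workflow.fetch('jobs', {})
  jobs.reject { |_name, job| job.is_a?(Hash) && job.key?('permissions') }.keys
end

# Returns every `uses:` reference whose ref is a tag or branch rather than a
# 40-hex SHA. Local actions (./path) and docker:// references are skipped.
def unpinned_uses(workflow)
  refs = []
  workflow.fetch('jobs', {}).each_value do |job|
    next unless job.is_a?(Hash)
    Array(job['steps']).each do |step|
      uses = step.is_a?(Hash) ? step['uses'] : nil
      next if uses.nil? || uses.start_with?('./', 'docker://')
      _repo, ref = uses.split('@', 2)
      refs << uses unless ref && ref.match?(SHA_PIN)
    end
  end
  refs
end

# Lints a workflow given as YAML text and returns both findings.
def lint_workflow(yaml_text)
  wf = YAML.safe_load(yaml_text)
  { missing_permissions: jobs_without_permissions(wf), unpinned: unpinned_uses(wf) }
end

# Constructed sample modelled on the workflow in this PR, before the autofix.
BEFORE = <<~YAML
  name: dockerized-test
  on:
    push:
      branches: [ main ]
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v3
        - name: Set up ruby
          uses: ruby/setup-ruby@v1
        - name: Build the lib
          run: make build
YAML

# The same workflow after adding the root-level permissions block and pinning one
# action to a placeholder 40-hex SHA (hypothetical value, not a real commit).
AFTER = <<~YAML
  name: dockerized-test
  permissions:
    contents: read
  on:
    push:
      branches: [ main ]
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        - name: Set up ruby
          uses: ruby/setup-ruby@v1
YAML

if __FILE__ == $PROGRAM_NAME
  puts "before: #{lint_workflow(BEFORE).inspect}"
  puts "after:  #{lint_workflow(AFTER).inspect}"
end
```

Run it as a plain script to see the before/after findings; on the first sample it reports the test job as lacking permissions and both actions as unpinned, on the second only the tag-pinned ruby/setup-ruby@v1 remains. A job-level permissions: block is honoured too, which matches how GitHub resolves the effective scopes.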
Description of changes:
Add harness testing on push, also adding the capability of running the harness test locally with make test-dockerized RUBY_VERSION=3.4 or make test-dockerized RUBY_VERSION=3.3.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.