    name: Deployment Guard
    runs-on: ubuntu-latest
    steps:
      - name: Check confirmation
        if: github.event.inputs.confirm != 'deploy'
        run: |
          echo "Deployment not confirmed. Type 'deploy' to proceed."
          exit 1

  test:
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 days ago
In general, the fix is to explicitly declare a permissions block that grants the minimum necessary scopes. This can be done at the workflow root (applies to all jobs without their own permissions) and/or at the job level. Here, build-and-push already has a job-level permissions block. The guard, test, and deploy jobs don’t use the GITHUB_TOKEN, so they can run with permissions: contents: read or even permissions: {} (no permissions). Adding a root-level permissions block of contents: read will be a clear, minimal default; we then only need to override it where broader permissions are required (already done for build-and-push).
The single best minimal-change fix is:
- Add a workflow-level permissions block just after the on: section, setting contents: read. This documents and enforces a safe default for guard, test, and deploy.
- Leave the existing permissions block in build-and-push unchanged, since it already correctly requests id-token: write and contents: read.
This addresses CodeQL’s complaint (the job now inherits explicit, minimized permissions) without altering any functional behavior of the jobs.
| @@ -10,6 +10,9 @@ | ||
| description: "Type 'deploy' to confirm AWS deployment" | ||
| required: true | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: deploy-aws | ||
| cancel-in-progress: false |
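Review bot: the root-level permissions: contents: read inserted after the inputs block is the right default, but it only reaches jobs that declare no permissions key of their own; a job-level block replaces the workflow-level one rather than merging with it, so build-and-push must keep contents: read listed explicitly alongside id-token: write (the autofix text says it already does), otherwise a checkout in that job loses read access. Also note the hunk header grows the file by three lines, so the line numbers quoted in the other two suggestions shift once this lands.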
    name: Backend Tests
    runs-on: ubuntu-latest
    needs: [guard]
    defaults:
      run:
        working-directory: backend
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
          cache-dependency-path: backend/package-lock.json

      - run: npm ci

      - name: Generate Prisma clients
        run: |
          npx prisma generate --schema=./prisma/schema-central.prisma
          npx prisma generate --schema=./prisma/schema-tenant.prisma

      - run: npx jest test/unit --no-coverage --forceExit

  build-and-push:
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 days ago
To fix this, we should explicitly restrict GITHUB_TOKEN permissions instead of relying on repository defaults. The minimal necessary permission for the test job is contents: read, since it only checks out code and runs tests. We can add a permissions block to the test job specifying contents: read. The build-and-push job already has an explicit permissions section, and the guard job doesn’t need more than read access either, but CodeQL flagged specifically the test job, so we will minimally fix that.
Concretely, in .github/workflows/deploy-aws.yml, within the test job definition (lines 32–56), insert:
    permissions:
      contents: read

between the needs: [guard] and defaults: keys. No imports or external dependencies are required; this is purely a YAML configuration change inside the existing workflow.
| @@ -33,6 +33,8 @@ | ||
| name: Backend Tests | ||
| runs-on: ubuntu-latest | ||
| needs: [guard] | ||
| permissions: | ||
| contents: read | ||
| defaults: | ||
| run: | ||
| working-directory: backend |
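Review bot: contents: read on the test job is exactly what actions/checkout@v4 needs and nothing more, so the block is correct on its own, but it clears the alert for this one job only; guard and deploy still carry no permissions key unless the root-level block from the first suggestion is applied as well. If both suggestions land, this job-level block duplicates the root default and can be dropped so there is one place to change later.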
    name: Deploy to ECS
    runs-on: ubuntu-latest
    needs: [build-and-push]
    environment: production
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Force new deployment for all services
        run: |
          for service in api worker dashboard landing docs; do
            echo "Deploying $service..."
            aws ecs update-service \
              --cluster ${{ env.ECS_CLUSTER }} \
              --service $service \
              --force-new-deployment \
              --no-cli-pager
          done

      - name: Wait for API service stability
        run: |
          echo "Waiting for API service to stabilize..."
          aws ecs wait services-stable \
            --cluster ${{ env.ECS_CLUSTER }} \
            --services api
          echo "API service is stable"

      - name: Wait for Worker service stability
        run: |
          echo "Waiting for Worker service to stabilize..."
          aws ecs wait services-stable \
            --cluster ${{ env.ECS_CLUSTER }} \
            --services worker
          echo "Worker service is stable"
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 days ago
In general, the fix is to explicitly set a restrictive permissions block either at the workflow root (affecting all jobs) or on each job individually. Since build-and-push already has its own permissions block, the smallest and safest change is to add an explicit permissions block to the deploy job only. This documents the intended permissions and ensures the GITHUB_TOKEN is limited even if repository defaults are broad or change in the future.
For this specific workflow (.github/workflows/deploy-aws.yml), the deploy job does not need to modify repository contents or metadata; it only interacts with AWS using long-lived credentials from secrets. Therefore, we can safely set permissions: contents: read as a minimal, least-privilege setting, which is equivalent to the typical “read-only” default for repository contents. Concretely, you should insert:
    permissions:
      contents: read

just under runs-on: ubuntu-latest (line 123) in the deploy job, before needs: or environment:. No additional imports, actions, or method definitions are required; this is a declarative change in the workflow YAML.
| @@ -121,6 +121,8 @@ | ||
| deploy: | ||
| name: Deploy to ECS | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| needs: [build-and-push] | ||
| environment: production | ||
| steps: |
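Review bot: the deploy job has no checkout step and talks only to AWS, so contents: read is still broader than it needs; permissions: {} (the option the first autofix mentions) removes GITHUB_TOKEN access from this job entirely and is the tighter choice. Separately, the job authenticates with long-lived AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets while build-and-push already requests id-token: write; moving this job to OIDC role assumption in configure-aws-credentials would retire the static keys, and this block would then need id-token: write instead.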
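All three autofix explanations above rest on the same rule: a job-level permissions block replaces the workflow-level one, and a job with neither inherits whatever the repository default happens to be. The following Python script, added here as an example and not part of the PR, of CodeQL or of GitHub's tooling, implements that resolution as a small linter over a constructed dict model of the workflow on this page (the job names and the build-and-push permissions block are taken from the page; the jobs' step lists and the build-and-push needs are assumed). It reports the same three jobs CodeQL flagged, shows them cleared by the root-level contents: read fix, and shows the failure mode a job-level block introduces when it omits contents: read for a job that checks out code.

```python
"""Resolve and lint GITHUB_TOKEN permissions per job, the rule behind the
"Workflow does not contain permissions" CodeQL alert.

Added example, not code from the PR, CodeQL or GitHub. WORKFLOW is a
constructed dict mirroring the deploy-aws.yml jobs shown on this page;
yaml.safe_load on the real file yields the same shape, so the functions
accept that as well.
"""
from copy import deepcopy

# Constructed model of the workflow before any autofix. Job names and the
# build-and-push permissions block come from the page; step lists and the
# build-and-push `needs` are assumed.
WORKFLOW = {
    "jobs": {
        "guard": {"runs-on": "ubuntu-latest",
                  "steps": [{"name": "Check confirmation", "run": "exit 1"}]},
        "test": {"runs-on": "ubuntu-latest", "needs": ["guard"],
                 "steps": [{"uses": "actions/checkout@v4"}, {"run": "npm ci"}]},
        "build-and-push": {"runs-on": "ubuntu-latest", "needs": ["test"],
                           "permissions": {"id-token": "write", "contents": "read"},
                           "steps": [{"uses": "actions/checkout@v4"}]},
        "deploy": {"runs-on": "ubuntu-latest", "needs": ["build-and-push"],
                   "environment": "production",
                   "steps": [{"uses": "aws-actions/configure-aws-credentials@v4"}]},
    }
}

LEVEL = {"none": 0, "read": 1, "write": 2}


def normalize(block):
    """Map the forms `permissions` can take onto a scope->level dict.
    `{}`/None means no access; the read-all / write-all shorthands become a
    wildcard entry so they can be tested uniformly."""
    if block is None or block == {}:
        return {}
    if block in ("read-all", "write-all"):
        return {"*": block.split("-")[0]}
    return dict(block)


def effective_permissions(workflow, job_name):
    """Return (source, scopes) for one job. A job-level `permissions` key
    replaces the workflow-level one outright (GitHub does not merge them);
    with neither present the job gets the repository default, returned as
    None because the workflow does not pin it."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return "job", normalize(job["permissions"])
    if "permissions" in workflow:
        return "workflow", normalize(workflow["permissions"])
    return "repository-default", None


def grants(scopes, scope, level):
    """True if `scopes` allows at least `level` on `scope`."""
    got = scopes.get(scope, scopes.get("*", "none"))
    return LEVEL[got] >= LEVEL[level]


def lint(workflow):
    """One (job, message) per problem: jobs whose token scopes are not pinned
    by the workflow (the CodeQL alert), and jobs that run actions/checkout
    without an effective contents: read (what a job-level block that omits
    contents: read would cause)."""
    findings = []
    for name, job in workflow["jobs"].items():
        source, scopes = effective_permissions(workflow, name)
        if scopes is None:
            findings.append((name, "no permissions block; GITHUB_TOKEN gets the repository default"))
            continue
        checks_out = any(str(s.get("uses", "")).startswith("actions/checkout")
                         for s in job.get("steps", []))
        if checks_out and not grants(scopes, "contents", "read"):
            findings.append((name, f"{source}-level permissions lack contents: read but the job runs actions/checkout"))
    return findings


def with_workflow_default(workflow, scopes):
    """Copy of `workflow` with a root-level permissions block (first autofix)."""
    fixed = deepcopy(workflow)
    fixed["permissions"] = dict(scopes)
    return fixed


def with_job_permissions(workflow, job_name, scopes):
    """Copy of `workflow` with a job-level block on one job (second and third autofixes)."""
    fixed = deepcopy(workflow)
    fixed["jobs"][job_name]["permissions"] = dict(scopes)
    return fixed


if __name__ == "__main__":
    for name, msg in lint(WORKFLOW):
        print("before:", name, "-", msg)
    fixed = with_workflow_default(WORKFLOW, {"contents": "read"})
    print("after root contents: read:", lint(fixed) or "no findings")
    print("build-and-push keeps its own block:", effective_permissions(fixed, "build-and-push"))
```

Run as a script it lists guard, test and deploy as unpinned, then shows the root-level fix clearing all three while build-and-push still resolves to its own job-level block. Feeding it a real file is a matter of replacing WORKFLOW with yaml.safe_load(open(path)); the replace-not-merge rule in effective_permissions is the part worth keeping in mind when a job-level block is added to a workflow that already has a root default.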