Conversation
```yaml
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        ruby_version: ['3.3', '3.4']

    steps:
      - uses: actions/checkout@v3

      - name: Set up ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ matrix.ruby_version }}

      - name: Build the lib
        run: make build

      - name: Build the image
        run: docker build . -t local/test -f Dockerfile.test --build-arg BASE_IMAGE=public.ecr.aws/lambda/ruby:${{ matrix.ruby_version }}

      - name: Run tests
        uses: aws/containerized-test-runner-for-aws-lambda@v1
        with:
          suiteFileArray: '["./test/dockerized/suites/*.json"]'
          dockerImageName: 'local/test'
          taskFolder: './test/dockerized/tasks'
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium. This autofix suggestion was applied.
Copilot Autofix (AI), 5 days ago:
In general, you fix this issue by explicitly declaring a permissions: block either at the top level of the workflow (applies to all jobs) or under the specific job, granting only the scopes needed (typically contents: read for basic CI). Since this workflow only checks out code, sets up Ruby, builds, and runs tests, it appears to need only read access to repository contents, so contents: read is an appropriate minimal permission.
The best fix without changing existing functionality is to add a root-level permissions: block right after the name: (line 1) and before the on: block (line 3). This keeps the job definition intact and ensures any future jobs in this workflow inherit the same minimal permissions unless they override them. Concretely, in .github/workflows/dockerized-test.yml, insert:
```yaml
permissions:
  contents: read
```
on new lines between current lines 1 and 3 (shifting the rest down). No additional methods, imports, or definitions are needed: this is a pure workflow configuration change.
| @@ -1,5 +1,8 @@ | ||
| name: dockerized-test | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ main ] |
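Review bot: the root-level `permissions: contents: read` block is in the right place (between `name:` and `on:`), but it also becomes the ceiling for every job added to this file later, so a one-line comment above it saying that a job which needs more (for example `contents: write` for a release step) must declare its own `permissions:` override would spare a future contributor a failed run. The trigger in the same hunk is `push` to `main` only, so the harness runs after merge rather than on pull requests; if it is meant to gate merges, add a `pull_request:` trigger as well.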
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
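A small checker for the condition CodeQL flags above, added here as an example and not part of the project or of the autofix: it parses a workflow with Ruby's bundled `yaml` library and reports every job whose effective `permissions` are unset (the job falls back to the repository default for `GITHUB_TOKEN`), `write-all`, or contain a write scope. The two workflows it scans are constructed samples that mirror the before and after state of this PR; the `release` job is hypothetical and exists only to show a job-level override of the root block.

```ruby
require 'yaml'

# Return a list of findings for one parsed workflow (a Hash). A job is
# covered if it declares its own permissions: block or inherits one from
# the workflow root. Note: Psych follows YAML 1.1, so the top-level `on:`
# key parses as the boolean true; we never read it, so that is harmless.
def permission_findings(workflow)
  findings = []
  root = workflow['permissions']
  jobs = workflow['jobs'] || {}
  jobs.each do |name, job|
    effective = job.key?('permissions') ? job['permissions'] : root
    if effective.nil?
      findings << "job '#{name}': no permissions block at job or workflow level " \
                  '(GITHUB_TOKEN gets the repository default)'
    elsif effective == 'write-all'
      findings << "job '#{name}': permissions: write-all grants every scope"
    elsif effective.is_a?(Hash)
      # `permissions: {}` (no scopes at all) and `read-all` produce no finding.
      writes = effective.select { |_, v| v == 'write' }.keys
      findings << "job '#{name}': write scopes #{writes.inspect}" unless writes.empty?
    end
  end
  findings
end

# Convenience wrapper: take the workflow as text, as it sits on disk.
def check_workflow(text)
  permission_findings(YAML.safe_load(text))
end

# Constructed sample: the shape of dockerized-test.yml before the fix.
BEFORE = <<~YAML
  name: dockerized-test
  on:
    push:
      branches: [ main ]
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v3
        - run: make build
YAML

# Constructed sample: root-level read-only block as in the PR, plus a
# hypothetical release job that overrides it with a write scope.
AFTER = <<~YAML
  name: dockerized-test
  permissions:
    contents: read
  on:
    push:
      branches: [ main ]
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v3
        - run: make build
    release:
      runs-on: ubuntu-latest
      permissions:
        contents: write
      steps:
        - run: echo publish
YAML

if __FILE__ == $PROGRAM_NAME
  # Pass workflow paths on the command line, or run the built-in samples.
  inputs = ARGV.empty? ? { 'BEFORE' => BEFORE, 'AFTER' => AFTER } : ARGV.to_h { |p| [p, File.read(p)] }
  inputs.each do |label, text|
    findings = check_workflow(text)
    puts "#{label}: #{findings.empty? ? 'ok' : ''}"
    findings.each { |f| puts "  #{f}" }
  end
end
```

Run it against `.github/workflows/*.yml` to get the same signal CodeQL gives, but locally and before pushing; the `release` override shows why a root-level block is a ceiling rather than a guarantee, and why a write scope on any job is worth a finding of its own.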
Description of changes:

Add harness testing on push, also adding the capability of running harness tests locally with `make test-dockerized RUBY_VERSION=3.4` or `make test-dockerized RUBY_VERSION=3.3`.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.