
Conversation

0marperez (Contributor)

Issue #

Description of changes

See: awslabs/aws-kotlin-repo-tools#119

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@0marperez 0marperez added the no-changelog Indicates that a changelog entry isn't required for a pull request. Use sparingly. label Aug 27, 2025
Comment on lines +9 to +12 of .github/workflows/jreleaser.yml

    runs-on: ubuntu-latest
    steps:
      - name: JReleaser check
        uses: awslabs/aws-kotlin-repo-tools/.github/actions/jreleaser@jreleaser-check # TODO: Change branch to main after testing/merge

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 4 days ago

To fix the problem, we should declare an explicit permissions block for the jreleaser-check job in .github/workflows/jreleaser.yml. Since the workflow is for a check action and does not appear (from the provided snippet) to require write access to repository contents, we should set the permissions to the minimal necessary, which is typically contents: read. Adding this block directly underneath the job name (jreleaser-check:) ensures the token cannot be abused for escalation or unintended write actions.


Suggested changeset 1
.github/workflows/jreleaser.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/jreleaser.yml b/.github/workflows/jreleaser.yml
--- a/.github/workflows/jreleaser.yml
+++ b/.github/workflows/jreleaser.yml
@@ -6,6 +6,8 @@
 
 jobs:
   jreleaser-check:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: JReleaser check
EOF
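Review bot: the hunk scopes the token only for the jreleaser-check job and leaves the workflow without a top-level permissions block, so any job added to this file later without its own block falls back to the repository's default GITHUB_TOKEN permissions, which is exactly the condition the CodeQL alert reports. Pair the job-level grant with the workflow-level deny-all that the alert suggests as the minimal starting point, e.g. `permissions: {}` at the top of .github/workflows/jreleaser.yml above `jobs:`, and keep `contents: read` on the job since the check presumably needs to read the repository. Also note that the hunk's `@@ -6,6 +6,8 @@` header and the two `+` lines match the four-space job indentation of the context lines, so the patch applies cleanly as shown.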
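The CodeQL alert above describes the rule in one sentence: a job whose GITHUB_TOKEN permissions are set neither at job nor at workflow level runs with the repository default. The following is an added example, not code from this pull request or from aws-kotlin-repo-tools, that implements that check in Python so it can be run locally against a set of workflows before CodeQL does. Workflows are represented as the dicts `yaml.safe_load()` would produce (constructed inline here so the script runs offline); `load_workflow()` is the hypothetical entry point for real files, and the `HARDENED` workflow, including its `later-job` and `publish` jobs, is a made-up variant used to show the workflow-level deny-all plus job-level grants that the alert recommends.

```python
# Added example (not from the PR or aws-kotlin-repo-tools): audit parsed
# GitHub Actions workflows for jobs whose GITHUB_TOKEN is not explicitly
# scoped, the condition CodeQL reports as "Workflow does not contain permissions".
# Workflows are the dicts yaml.safe_load() produces; load_workflow() is the
# hypothetical real entry point and imports PyYAML lazily so the rest runs offline.


def effective_permissions(workflow, job):
    """Return (source, permissions) governing a job's GITHUB_TOKEN.

    A job-level block overrides a workflow-level block; with neither, the
    token receives the repository's default permissions, which is the case
    the CodeQL rule warns about (source is None).
    """
    if "permissions" in job:
        return "job", job["permissions"]
    if "permissions" in workflow:
        return "workflow", workflow["permissions"]
    return None, None


def write_scopes(permissions):
    """Scopes granted 'write' by a permissions value: {}, a scope map, 'read-all' or 'write-all'."""
    if permissions == "write-all":
        return ["*"]
    if isinstance(permissions, dict):
        return sorted(scope for scope, level in permissions.items() if level == "write")
    return []  # "read-all" (or any other string) grants no write access


def audit_workflow(workflow):
    """Return a list of (job, finding) tuples; an empty list means every job is explicitly scoped.

    Jobs that inherit a workflow-level block are accepted; write grants are
    reported so a reviewer can confirm each one is deliberate.
    """
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        source, perms = effective_permissions(workflow, job)
        if source is None:
            findings.append((name, "no permissions block at job or workflow level"))
            continue
        writes = write_scopes(perms)
        if writes:
            findings.append((name, f"{source}-level permissions grant write on {', '.join(writes)}"))
    return findings


def load_workflow(path):
    """Parse a real workflow file (requires PyYAML; under YAML 1.1 the `on:` key loads as the boolean True)."""
    import yaml

    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


# Constructed inputs mirroring .github/workflows/jreleaser.yml before and after the autofix.
_CHECK_STEP = {"name": "JReleaser check",
               "uses": "awslabs/aws-kotlin-repo-tools/.github/actions/jreleaser@jreleaser-check"}

BEFORE = {"name": "JReleaser", "on": {"pull_request": {}},
          "jobs": {"jreleaser-check": {"runs-on": "ubuntu-latest", "steps": [_CHECK_STEP]}}}

AFTER = {"name": "JReleaser", "on": {"pull_request": {}},
         "jobs": {"jreleaser-check": {"permissions": {"contents": "read"},
                                      "runs-on": "ubuntu-latest", "steps": [_CHECK_STEP]}}}

# Hypothetical variant: workflow-level deny-all, a job added later that has no
# block of its own (it inherits {}), and a job that deliberately needs a write scope.
HARDENED = {"name": "JReleaser", "on": {"pull_request": {}},
            "permissions": {},
            "jobs": {"jreleaser-check": {"permissions": {"contents": "read"},
                                         "runs-on": "ubuntu-latest", "steps": [_CHECK_STEP]},
                     "later-job": {"runs-on": "ubuntu-latest", "steps": []},
                     "publish": {"permissions": {"contents": "read", "id-token": "write"},
                                 "runs-on": "ubuntu-latest", "steps": []}}}

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER), ("hardened", HARDENED)):
        print(label, audit_workflow(wf) or "ok")
```

Run against `BEFORE` the script reports the same finding CodeQL raised on the PR; `AFTER` (the autofix) is clean; in `HARDENED` the forgotten `later-job` is silently safe because it inherits the workflow-level `{}`, and only the `publish` job's `id-token: write` surfaces for review, which is why a workflow-level deny-all is the more robust place to start.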

Affected Artifacts

Changed in size
Artifact                     Pull Request (bytes)   Latest Release (bytes)   Delta (bytes)   Delta (percentage)
runtime-core-jvm.jar         834,754                835,049                  -295            -0.04%
aws-signing-tests-jvm.jar    460,112                461,757                  -1,645          -0.36%
aws-signing-common-jvm.jar   70,697                 70,970                   -273            -0.38%
