Skip to content

Update workflow that handles contributor comments to the latest version#5190

Merged
rtibbles merged 1 commit intounstablefrom
update-contributor-comment-workflow
Jul 21, 2025
Merged

Update workflow that handles contributor comments to the latest version#5190
rtibbles merged 1 commit intounstablefrom
update-contributor-comment-workflow

Conversation

@MisRob
Copy link
Copy Markdown
Member

@MisRob MisRob commented Jul 21, 2025

Summary

Companion to learningequality/.github#29 which was tested in test-actions successfully. Also renames the file to match exactly the new example calling script in .github repository.

@MisRob
Copy link
Copy Markdown
Member Author

MisRob commented Jul 21, 2025

@rtibbles All secrets are already available in this repo, so no set up needed.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 21, 2025
View reviewed changes
.github/workflows/call-contributor-issue-comment.yml
Comment on lines +9 to +14
uses: learningequality/.github/.github/workflows/contributor-issue-comment.yml@main
secrets:
LE_BOT_APP_ID: ${{ secrets.LE_BOT_APP_ID }}
LE_BOT_PRIVATE_KEY: ${{ secrets.LE_BOT_PRIVATE_KEY }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_COMMUNITY_NOTIFICATIONS_WEBHOOK_URL: ${{ secrets.SLACK_COMMUNITY_NOTIFICATIONS_WEBHOOK_URL }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 8 months ago

To fix this problem, you should add a permissions: key to the workflow file. This can be done at the top level (applies to all jobs), or specifically for the call-workflow job. Since this workflow only calls another workflow and does not require any write permissions itself, the safest minimal permissions are permissions: {} (no permissions), or at most permissions: contents: read if the called workflow requires it. If you know specifically what permissions are needed by the reusable workflow, you can set them accordingly. For a minimal, least-privilege fix, insert the following at the top level, after the name: declaration and before on::

permissions:
  contents: read

If you know more specific permission requirements, you can adjust, but contents: read is generally sufficient for most workflows that do not modify code or use write APIs.

Suggested changeset 1
.github/workflows/call-contributor-issue-comment.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/call-contributor-issue-comment.yml b/.github/workflows/call-contributor-issue-comment.yml
--- a/.github/workflows/call-contributor-issue-comment.yml
+++ b/.github/workflows/call-contributor-issue-comment.yml
@@ -1,3 +1,5 @@
+permissions:
+  contents: read
 name: Handle contributor comment on GitHub issue
 
 on:
EOF
@@ -1,3 +1,5 @@
permissions:
contents: read
name: Handle contributor comment on GitHub issue

on:
Copilot is powered by AI and may make mistakes. Always verify output.
@MisRob MisRob requested a review from rtibbles July 21, 2025 14:51
@rtibbles rtibbles merged commit 6c11b75 into unstable Jul 21, 2025
18 checks passed
@rtibbles rtibbles deleted the update-contributor-comment-workflow branch July 21, 2025 14:59
@bjester bjester mentioned this pull request Aug 14, 2025
Merged
@bjester bjester mentioned this pull request Aug 22, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rtibbles rtibbles rtibbles approved these changes

Assignees

No one assigned

Labels

TODO: needs review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MisRob @rtibbles @github-advanced-security