    name: E2E Azure AKS
    uses: ./.github/workflows/run-e2e-tests-on-operator.yaml
    needs: [buildImage, azureAks]
    with:
      operator_type: aks
      operator_image_version: ${{ needs.buildImage.outputs.image_tag }}
    secrets: inherit
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)

Copilot Autofix (AI), about 23 hours ago
To fix the problem, explicitly declare permissions for the e2eAzureAks job so that the GITHUB_TOKEN does not default to potentially broad repository or organization settings. The minimal, behavior-preserving approach is to add permissions: {} to that job, which disables all default token permissions for this job and leaves any necessary scopes to be defined in the called reusable workflow (run-e2e-tests-on-operator.yaml).
Concretely, in .github/workflows/publish-azure-cc-enclave-docker.yaml, in the jobs: section where e2eAzureAks is defined (around lines 255–262), add a permissions: {} line alongside the other job-level keys (similar to the existing permissions: {} on azureCc and azureAks). The result will look like:
  e2eAzureAks:
    name: E2E Azure AKS
    permissions: {}
    uses: ./.github/workflows/run-e2e-tests-on-operator.yaml
    needs: [buildImage, azureAks]
    with:
      operator_type: aks
      operator_image_version: ${{ needs.buildImage.outputs.image_tag }}
    secrets: inherit

No additional imports, methods, or definitions are required.
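As an added illustration of how a caller job's `permissions` interacts with a reusable workflow (constructed example, not the repository's workflow nor the autofix's code; the workflow names, file path and steps are assumptions), the pair below shows the caller granting one read scope and the called workflow declaring the same scope at job level. The point it demonstrates is that the caller's grant is a ceiling: the called workflow may narrow it but cannot elevate it, so an empty `permissions: {}` on the caller leaves the called workflow with no token scopes to work with.

```yaml
# Caller workflow (constructed example). The job-level permissions block is
# the ceiling for the GITHUB_TOKEN that the called reusable workflow receives.
name: publish-example
on:
  push:
    branches: [main]

permissions: {}            # workflow-level default: no token scopes at all

jobs:
  e2e:
    # Grant only the scopes the called workflow's jobs actually declare.
    permissions:
      contents: read
    uses: ./.github/workflows/reusable-e2e-example.yaml   # assumed path
    secrets: inherit       # repository secrets pass through unchanged;
                           # token scopes do not widen

---
# Called reusable workflow (.github/workflows/reusable-e2e-example.yaml,
# constructed example). A called workflow can only downgrade the caller's
# token permissions: requesting `contents: write` here while the caller
# grants only `contents: read` is rejected by GitHub and the job fails.
name: reusable-e2e-example
on:
  workflow_call:

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read       # equal to or narrower than the caller's grant
    steps:
      - uses: actions/checkout@v4
      - run: echo "running end-to-end tests"
```

When reviewing an autofix like the one above, read the called workflow first and copy its declared scopes into the caller job; `permissions: {}` is the right choice only when no step in the called workflow uses `GITHUB_TOKEN`.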
| @@ -254,6 +254,7 @@ | ||
|
|
||
| e2eAzureAks: | ||
| name: E2E Azure AKS | ||
| permissions: {} | ||
| uses: ./.github/workflows/run-e2e-tests-on-operator.yaml | ||
| needs: [buildImage, azureAks] | ||
| with: |
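Review bot: `permissions: {}` on the e2eAzureAks job caps, rather than delegates, the token scopes available to run-e2e-tests-on-operator.yaml, because a called reusable workflow can only narrow the permissions its caller grants; the autofix text's claim that the necessary scopes can be "defined in the called reusable workflow" therefore does not hold. Before merging, check what that workflow's jobs declare (for example `contents: read` for checkout, or a registry read scope if the image tagged by buildImage is pulled with GITHUB_TOKEN) and grant exactly that set on this job in place of `{}`, or confirm that no step there uses the token at all. `secrets: inherit` is unaffected by this change and still passes repository secrets through.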
No description provided.