Merge develop into main (B2CA-2250)#16
Stax port
Updated to use the latest plugin SDK
Fbe/flex support
Add support for APEX_P
name: Call Ledger guidelines_enforcer
uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_guidelines_enforcer.yml@v1
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 8 months ago
To fix the problem, you must specify the permissions key in the workflow YAML file. The best way to do this is to add the permissions block at the root level, just after the name: field and before on:; this restricts the permissions of the GitHub token for the entire workflow, including all jobs (unless individual jobs override them). Since the workflow appears to only call a reusable workflow (doesn't contain steps or perform additional actions itself), and unless writing to pull requests or issues is required, you should set contents: read as the minimum. If the reusable workflow requires additional permissions, these should be added; otherwise, contents: read is safest and follows the principle of least privilege. No imports or new dependencies are needed.
| @@ -1,4 +1,6 @@ | ||
| name: Ensure compliance with Ledger guidelines | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # This workflow is mandatory in all applications | ||
| # It calls a reusable workflow guidelines_enforcer developed by Ledger's internal developer team. |
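Review bot: the root-level `contents: read` added here also bounds what the called reusable workflow can receive, because a caller's `permissions` cap those available to `reusable_guidelines_enforcer.yml@v1`; check what that workflow declares at the pinned tag before merging, and if it needs more than read access, grant it on the calling job only instead of widening the root block. The `@v1` reference in `uses:` is a moving tag, so pinning it to a commit SHA would keep the enforcer's code fixed across runs.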
name: Build application using the reusable workflow
uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_build.yml@v1
with:
  upload_app_binaries_artifact: "compiled_app_bindaries"
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 8 months ago
To resolve this issue, we need to add a permissions block to the workflow, preferably at the root level, just under the workflow name entry and before the on entry. This will ensure all jobs in this workflow receive only the minimal permissions necessary. Based on the recommended minimal starting point for most workflows that build and upload artifacts, we should set contents: read. If further permissions are required (such as to create pull requests, manage issues, or deploy to other environments), these should be added, but based on the provided code context (building app binaries), only contents: read is likely needed at this level. The change is a single addition of a permissions block as described.
| @@ -1,5 +1,7 @@ | ||
| --- | ||
| name: Release build | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: |
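Review bot: placing `permissions` between `name:` and `on:` matches the comment, but `Release build` hands off to `reusable_build.yml@v1` with `upload_app_binaries_artifact`, and the root block caps whatever that reusable workflow requests; verify its own `permissions` at the pinned tag so the release run does not fail on a missing grant, and if a later release step needs `contents: write`, scope it to that job rather than raising the root block. Since this is a `workflow_dispatch` release pipeline, pinning `@v1` to a commit SHA is the stronger control against the tag moving under it.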
No description provided.
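As an added example, not code from this PR or from the Ledger workflows, the check below reproduces the finding behind both CodeQL alerts above: a workflow with no root `permissions` block leaves every job on the default GITHUB_TOKEN grant unless the job sets its own. It is a deliberately line-based check that assumes 2-space indentation, and the three workflow texts are constructed samples shaped like the two files in this PR.

```python
"""Audit GitHub Actions workflow text for jobs lacking a `permissions` grant."""

# Constructed samples mirroring the two alerts on this PR, not the repo's files.
BEFORE = """\
name: Release build
on:
  workflow_dispatch:
jobs:
  build:
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_build.yml@v1
"""
# The autofix shape: permissions inserted between `name:` and `on:`.
AFTER = BEFORE.replace("name: Release build\n", "name: Release build\npermissions:\n  contents: read\n")
JOB_LEVEL = """\
name: Mixed
on: push
jobs:
  lint:
    permissions:
      contents: read
    runs-on: ubuntu-latest
  release:
    runs-on: ubuntu-latest
"""


def audit_permissions(text: str) -> list[str]:
    """Return names of jobs that would run with the default GITHUB_TOKEN grant.

    Line-based on purpose (assumes 2-space indentation, not a full YAML parser):
    a root `permissions:` covers every job; otherwise each job needs its own.
    """
    root_ok, in_jobs, current = False, False, None
    jobs: dict[str, bool] = {}  # job name -> has its own permissions block
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key = line.strip().split(":")[0]
        if indent == 0:
            in_jobs = key == "jobs"
            root_ok = root_ok or key == "permissions"
            current = None
        elif in_jobs and indent == 2:
            current = key
            jobs[current] = False
        elif in_jobs and indent == 4 and key == "permissions" and current:
            jobs[current] = True
    return [] if root_ok else [name for name, own in jobs.items() if not own]
```

Running `audit_permissions` over `BEFORE` flags `build`, over `AFTER` flags nothing, and over `JOB_LEVEL` flags only `release`, which is the per-job override the autofix comment mentions.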