wip #3800
wip #3800
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@llms-txt | ||
| with: | ||
| commit_sha: ${{ github.event.pull_request.head.sha }} | ||
| pr_number: ${{ github.event.number }} | ||
| package: accelerate | ||
| custom_container: huggingface/transformers-doc-builder | ||
| doc_builder_revision: llms-txt |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 14 days ago
To fix the problem, we should explicitly set the permissions key in the workflow file. To minimize privilege escalation risks, set permissions to read-all (or more strictly, explicitly enumerate only those access categories required, but without documentation of needs for the imported workflow, contents: read is usually the safest, minimally disruptive setting). This setting can be applied at the workflow root (top of the file, affects all jobs) or at the specific job invocation; for clarity and safety, we recommend setting it at the workflow root unless a job has special needs. For this file, add the following at line 2 (after name:):
permissions:
contents: readThis restricts the GitHub Actions GITHUB_TOKEN to have only read access to repository contents during workflow runs.
No extra imports, method or variable definitions are needed for a YAML workflow file.
| @@ -1,4 +1,6 @@ | ||
| name: Build PR Documentation | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: |
|
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update. |
2 participants
No description provided.