Sync develop with master #23
V3.0.0 releases to stable branch
fix: Update README file
Merging release latest version to master
* fix: Enable NPM Publishing and S3 artifacts upload
* fix: Remove library name from cjs
* fix: Added HTML5Tracker as library
* fix: Update package version
* fix: Update video-core dependency
* fix: Update Changelog.md file

* fix: Fixed library name
* fix: Updated version and Changelog.md file

* fix: NPM Publish configuration (#16)
* fix: Enable NPM Publishing and S3 artifacts upload
* fix: Remove library name from cjs
* fix: Added HTML5Tracker as library
* fix: Update package version
* fix: Update video-core dependency
* fix: Update Changelog.md file
* fix: Update package-lock.json file (#17)
* fix: Make Html5Tracker globally available in UMD build (#18)
* fix: Fixed library name
* fix: Updated version and Changelog.md file

* fix: NPM Publish configuration (#16)
* fix: Enable NPM Publishing and S3 artifacts upload
* fix: Remove library name from cjs
* fix: Added HTML5Tracker as library
* fix: Update package version
* fix: Update video-core dependency
* fix: Update Changelog.md file
* fix: Update package-lock.json file (#17)
* fix: Make Html5Tracker globally available in UMD build (#18)
* fix: Fixed library name
* fix: Updated version and Changelog.md file

---------

Co-authored-by: rajeevkumar-nr <[email protected]>
…l5-js into stable
sync with Stable
| uses: newrelic/video-core-js/.github/workflows/npm-publish.yml@stable | ||
| with: | ||
| node-version: 'lts/*' | ||
| s3-path: 'media-agents/browser/html5' | ||
| file-to-upload: 'dist/umd/newrelic-video-html5.min.js' | ||
| secrets: | ||
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} No newline at end of file |
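Review bot: The `uses:` line references the reusable workflow at `@stable`, a branch ref, while the `secrets:` block hands it `NPM_TOKEN` and both AWS keys, so whatever is pushed to that branch later runs with the publish credentials. Pin the reference to a full commit SHA of newrelic/video-core-js and bump it deliberately when the shared workflow changes. The file also ends without a trailing newline.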
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
The best way to fix the problem is to add an explicit permissions block specifying the minimum necessary permissions for this workflow. Since the job uses a reusable workflow to publish to npm and upload to S3, it most likely only needs permission for reading repository contents (e.g., contents: read). If additional write permissions are necessary (for example, to create releases or interact with issues or pull requests), these can be individually added. As a conservative minimum starting point, setting contents: read at the root or job level is recommended. The optimal placement (root or job) depends on whether other jobs may be added in the future; since there's only a single job here, either is acceptable, but we'll add it at the root so it's inherited by all jobs.
You only need to add the following lines after the name: block and before the on: key in .github/workflows/use-shared-publish.yml:
    permissions:
      contents: read

No new imports or method/variable definitions are required—just the new YAML key.
| @@ -1,4 +1,6 @@ | ||
| name: Build and Publish | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: |
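Review bot: With `permissions:` set to `contents: read` at the root, the job that calls the reusable workflow can grant it no more than read access to contents, because a called workflow can only keep or reduce the caller's GITHUB_TOKEN permissions, never raise them. Before merging, confirm that the shared npm-publish workflow needs nothing further from GITHUB_TOKEN (the `NPM_TOKEN` and AWS secrets it is passed are unaffected by this block), and if it does, add that scope on the calling job rather than widening the root block.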
No description provided.