This should improve DX somewhat by providing a prebuilt environment for katsu
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v5 | ||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ github.repository_owner }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| registry: ghcr.io | ||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
| - name: Build and push | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: . | ||
| dockerfile: builder.Dockerfile | ||
| push: true | ||
| tags: ghcr.io/ultramarine-linux/katsu:latest |
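Review bot: `dockerfile: builder.Dockerfile` is not an input of docker/build-push-action; the input that selects the Dockerfile is `file`, so as written the action will report an unexpected input and build the default `./Dockerfile`. Change it to `file: builder.Dockerfile`. Two smaller points: the step named "Login to Docker Hub" actually logs in to `ghcr.io`, so rename it to keep the job log honest, and publishing only the mutable `latest` tag gives CI consumers nothing immutable to pin; adding a `${{ github.sha }}` tag alongside it lets downstream jobs reference a specific build.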
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 6 months ago
To fix the problem, add a permissions: block either at the root of the workflow (applies to all jobs) or specifically to the docker job, assigning the minimal permissions necessary. For this workflow, the minimum is contents: read. If pushing to the GitHub Container Registry using GITHUB_TOKEN is required, adding packages: write would also be prudent, as that permission controls publishing container images. Insert this block above the jobs: key at the top level, or within the specific job definition. The best location is at the root of the workflow for clarity and because there is only one job, which keeps the file maintainable and follows best practice.
This change requires adding:
permissions:
  contents: read
  packages: write
after the workflow name (line 1), or before the jobs: key (line 5).
| @@ -2,6 +2,9 @@ | ||
|
|
||
| on: [push] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| jobs: | ||
| docker: | ||
| runs-on: ubuntu-latest |
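Review bot: the root-level placement before `jobs:` is right, and `contents: read` plus `packages: write` is the least the GITHUB_TOKEN needs to check out the repository and push to ghcr.io. With `on: [push]` visible in this hunk, note that `push: true` combined with a single `latest` tag means a push on any branch overwrites the published image; restricting the trigger to the default branch (or gating the push step on it) keeps `latest` tied to reviewed code.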
| - name: Checkout | ||
| uses: actions/checkout@v5 | ||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v3 |
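Review bot: the unpinned-tag finding applies to every `uses:` in this workflow (actions/checkout@v5, docker/login-action@v3, docker/setup-qemu-action@v3, docker/setup-buildx-action@v3, docker/build-push-action@v6): a tag such as `v3` can be moved to a different commit by the action's maintainers, so the workflow runs whatever that tag points at on the day. Pin each to the full commit SHA of the release and keep the tag as a trailing comment, for example `uses: docker/login-action@<full-commit-sha> # v3` (placeholder SHA), so Dependabot or Renovate can still track updates.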
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| registry: ghcr.io | ||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
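A defender-side check for the two finding classes CodeQL raised on this workflow, added here as an example and not part of the PR or the katsu project: it flags `uses:` references that are not pinned to a full commit SHA, reports a missing `permissions:` block, and inserts the minimal block the autofix describes before `jobs:`. The sample workflow text and the helper names `unpinned_actions`, `has_permissions_block` and `with_permissions` are constructed for this example.

```python
import re

# Constructed sample: this PR's workflow cut down to what the two CodeQL rules inspect.
SAMPLE_WORKFLOW = """\
name: builder
on: [push]
jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: docker/login-action@v3
      - uses: docker/build-push-action@v6
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return each `uses:` reference whose ref is not a full 40-hex commit SHA.
    Local actions (./path) and docker:// images have no tag to pin and are skipped."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        version = ref.partition("@")[2]  # empty when no @ref at all: also unpinned
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_permissions_block(workflow_text):
    """True if a `permissions:` key is present at the root or in any job."""
    return re.search(r"^\s*permissions:", workflow_text, re.M) is not None


def with_permissions(workflow_text, permissions):
    """Insert a root-level permissions block just before `jobs:` (the placement
    the autofix recommends). Returned unchanged if a block already exists."""
    if has_permissions_block(workflow_text):
        return workflow_text
    block = "permissions:\n" + "".join(f"  {k}: {v}\n" for k, v in permissions.items())
    lines = workflow_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.startswith("jobs:"):
            return "".join(lines[:i]) + block + "".join(lines[i:])
    return workflow_text + block
```

Run it against the sample to see all three action references flagged and the permissions block inserted between `on:` and `jobs:`.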
Merge into 43
rendered redundant by katsu's OCI image artifacts used in CI