Add sync to board workflow #182
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20" | ||
|
|
||
| - run: npm install @octokit/rest | ||
|
|
||
| - run: node simple-sync.js | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.PROJECT_TOKEN }} |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 month ago
To fix this issue, add an explicit permissions block to the job or at the workflow root specifying the minimal privileges required. Since there are no obvious write actions in the provided workflow (it checks out code, sets up Node.js, installs a package, and runs a script with a token), the minimal recommended starting point from CodeQL is contents: read. To implement the fix, insert a line 'permissions:\n contents: read\n' under the sync job (i.e., below runs-on: ubuntu-latest) in .github/workflows/mdn-contributor-board.yml. This change restricts the job's GITHUB_TOKEN to read-only access to repository contents, mitigating possible privilege escalation risks.
| @@ -8,6 +8,8 @@ | ||
| jobs: | ||
| sync: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
|
Note that project workflows can be duplicated: 
However, given the number of repos, I would recommend letting triagebot handle it. Triagebot can also maintain "Created at" / "Updated at" columns. |
2 participants
Description
Added workflow to add issues to the MDN contributor board.
Motivation
Deliver
good-first-issues,accepting PR, andhelp wantedlabelled issues in one board for new contributors.