
vast#3

Open
KercX wants to merge 15 commits into java from main

Conversation

@KercX
Owner

@KercX KercX commented Mar 26, 2026

No description provided.

@netlify

netlify bot commented Mar 26, 2026

Deploy Preview for javabooksdocs failed.

Latest commit: e593260
Latest deploy log: https://app.netlify.com/projects/javabooksdocs/deploys/69c69c23a71d240008f05732

@KercX KercX temporarily deployed to github-pages March 26, 2026 16:11 — with GitHub Pages Inactive
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@KercX KercX temporarily deployed to github-pages March 26, 2026 16:13 — with GitHub Pages Inactive
Comment on lines +12 to +26
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v4
    - name: set up JDK 11
      uses: actions/setup-java@v4
      with:
        java-version: '11'
        distribution: 'temurin'
        cache: gradle

    - name: Grant execute permission for gradlew
      run: chmod +x gradlew
    - name: Build with Gradle
      run: ./gradlew build

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 23 hours ago

To fix the problem, add an explicit permissions block that grants only the minimum required scopes to the GITHUB_TOKEN. Since this workflow checks out code and runs Gradle locally, contents: read is sufficient and matches the recommendation.

The best way to fix this without changing existing functionality is to add permissions: contents: read at the job level under build: (so it applies only to this job) or at the workflow root. Because CodeQL highlighted the job’s runs-on line, we will set the permissions for that specific job. Concretely, edit .github/workflows/android.yml and insert a permissions: section between build: and runs-on: ubuntu-latest, with two-space indentation under build: and four-space indentation for contents: read.

No additional methods, imports, or definitions are needed—this is purely a declarative change in the workflow YAML.

Suggested changeset 1
.github/workflows/android.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -8,7 +8,8 @@
 
 jobs:
   build:
-
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
 
     steps:
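Review bot: the job-level block is the narrowest fix for `build`, but it covers only that job; any job added to android.yml later will again inherit the repository's default GITHUB_TOKEN permissions, so a root-level `permissions:` / `contents: read` (which individual jobs can still widen) would be the more durable placement. The `-` line removed here is the blank line after `build:`, so the hunk also drops that blank line, which is cosmetic only.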
EOF
@KercX KercX temporarily deployed to github-pages March 26, 2026 16:19 — with GitHub Pages Inactive
@KercX KercX temporarily deployed to github-pages March 26, 2026 19:37 — with GitHub Pages Inactive
@KercX KercX temporarily deployed to github-pages March 26, 2026 19:41 — with GitHub Pages Inactive
@KercX KercX temporarily deployed to github-pages March 26, 2026 19:42 — with GitHub Pages Inactive
Comment on lines +33 to +65
    runs-on: windows-latest # For Linux, use ubuntu-latest
    environment: dev
    steps:
    - name: 'Checkout GitHub Action'
      uses: actions/checkout@v4

    # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below
    # - name: 'Login via Azure CLI'
    #   uses: azure/login@v1
    #   with:
    #     creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository

    - name: Setup Java Sdk ${{ env.JAVA_VERSION }}
      uses: actions/setup-java@v4
      with:
        distribution: ${{ env.DISTRIBUTION }}
        java-version: ${{ env.JAVA_VERSION }}

    - name: 'Restore Project Dependencies Using Mvn'
      shell: pwsh # For Linux, use bash
      run: |
        pushd './${{ env.POM_XML_DIRECTORY }}'
        mvn clean package
        popd

    - name: 'Run Azure Functions Action'
      uses: Azure/functions-action@v1
      id: fa
      with:
        app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }}
        package: '${{ env.POM_XML_DIRECTORY }}' # if there are multiple function apps in same project, then this path will be like './${{ env.POM_XML_DIRECTORY }}/target/azure-functions/${{ env.POM_FUNCTIONAPP_NAME }'
        publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC
        respect-pom-xml: true

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 1 minute ago

In general, the fix is to explicitly declare a permissions block in the workflow (either at the root or for the specific job) that grants only the minimal permissions needed. For this workflow, the steps only require read access to the repository contents to allow actions/checkout to work; no other GitHub API write operations are used. Therefore, we can safely set contents: read as the workflow or job permission.

The single best fix with no behavioral change is to add a root‑level permissions block under the name (and before on:) so that it applies to all jobs. This will make the GITHUB_TOKEN read‑only for repository contents, which is sufficient for checkout and does not interfere with deployment to Azure (which uses AZURE_FUNCTIONAPP_PUBLISH_PROFILE). Concretely, in .github/workflows/azure-functions-app-java.yml, insert:

permissions:
  contents: read

after line 19 (name: Deploy Java project to Azure Function App) and before line 21 (on:). No additional imports, methods, or definitions are needed because this is purely a workflow configuration change.

Suggested changeset 1
.github/workflows/azure-functions-app-java.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/azure-functions-app-java.yml b/.github/workflows/azure-functions-app-java.yml
--- a/.github/workflows/azure-functions-app-java.yml
+++ b/.github/workflows/azure-functions-app-java.yml
@@ -18,6 +18,9 @@
 
 name: Deploy Java project to Azure Function App
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["main"]
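Review bot: root-level `contents: read` is correct for this workflow as written: checkout needs read access, and `Azure/functions-action@v1` authenticates with the `AZURE_FUNCTIONAPP_PUBLISH_PROFILE` secret rather than with the GITHUB_TOKEN. If the commented-out `azure/login` step is later enabled with OIDC federated credentials instead of the `AZURE_RBAC_CREDENTIALS` secret, that job will additionally need `id-token: write`; worth recording in the workflow comment so the block is widened deliberately rather than by falling back to the default permissions.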
EOF
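Added example, not code from this PR or either workflow: a small Python check that reports which jobs in a workflow file would trip the CodeQL "Workflow does not contain permissions" alert above, i.e. jobs covered by neither a root-level nor a job-level `permissions:` block. It uses an indentation-based scan instead of a YAML library so it runs without extra dependencies; it assumes the two-space YAML indentation used by both workflows in this PR, and the sample workflow text is constructed.

```python
import re

# Constructed sample, modelled on android.yml before the autofix: no permissions block.
WORKFLOW_BEFORE = """\
name: Android CI
on:
  push:
    branches: ["main"]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
# Same workflow with the job-level block the autofix inserts.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "  build:\n", "  build:\n    permissions:\n      contents: read\n")


def _indent(line):
    return len(line) - len(line.lstrip(" "))  # two-space YAML indentation assumed


def missing_permissions(text):
    """Job ids that inherit the default GITHUB_TOKEN scopes: no root-level
    permissions block (write-all does not count) and no job-level block."""
    lines = [l.rstrip() for l in text.splitlines()]
    if any(re.match(r"^permissions:(\s|$)", l) and "write-all" not in l for l in lines):
        return []
    missing, in_jobs, current, has_block = [], False, None, False

    def close():  # record the job just left if it carried no block
        if current is not None and not has_block:
            missing.append(current)

    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        ind = _indent(line)
        if ind == 0:  # new top-level key ends any job in progress
            close()
            in_jobs, current = line == "jobs:", None
        elif in_jobs and ind == 2 and re.match(r"^  [\w-]+:\s*$", line):
            close()  # next job id under jobs:
            current, has_block = line.strip()[:-1], False
        elif current and ind == 4 and re.match(r"^    permissions:(\s|$)", line):
            has_block = True  # job-level block found
    close()
    return missing
```

Run it over `.github/workflows/*.yml` in CI to catch a new job that silently reverts to the default token scopes after the autofixes are merged.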