Bring the main branch up to date #13
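Feat/#1 Implement basic factory material APIs
Update the Dev branch
[FIX] Change factory service API path
[FIX] Fix Swagger configuration
[FIX] Make material and material category entities read-only
[FEAT] Implement factory creation API
Spm 36 Implement BOM-related APIs
Spm 111 Implement material search and material order cancellation, deletion, and detail lookup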
| uses: 33-Auto/.github/.github/workflows/reusable-pr-reminder.yml@main | ||
| secrets: | ||
| # 해당 시크릿은 조직의 시크릿에 저장되어 있음 | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | ||
| with: | ||
| SLACK_USER_MAP: ${{ vars.SLACK_USER_MAP }} No newline at end of file |
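Review bot: The `uses:` line calls the reusable workflow at `@main`, a mutable ref, while passing it `SLACK_WEBHOOK_URL`, so any later change on that branch runs with the secret. Consider pinning the reference to a full commit SHA of 33-Auto/.github and bumping it deliberately. The file also ends without a trailing newline.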
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 4 months ago
To fix the problem:
- Explicitly add a `permissions` block either at the workflow root level, which applies to all jobs unless they override it, or to the specific job if requirements differ by job.
- The root-level block is most effective for this workflow, since only a single job exists and there is no indication that more jobs will be added.
- Set the permissions to the minimum level needed. For most scheduled notification workflows, `contents: read` is sufficient unless pull request or issues write access is demonstrably required. If, in inspection, we find that SLACK integration is handled outside the repository, `contents: read` will suffice.
- Edit `.github/workflows/pr-reminder.yml` by adding:
      permissions:
        contents: read
  just after the `name` declaration and before the `on` block.
| @@ -1,4 +1,6 @@ | ||
| name: PR Reminder | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| schedule: |
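Review bot: With the root block limited to `contents: read`, every other GITHUB_TOKEN scope becomes `none`, and a called reusable workflow cannot be granted more than its caller. If reusable-pr-reminder.yml reads open pull requests with GITHUB_TOKEN, add `pull-requests: read` here. Confirm against the reusable workflow before accepting the autofix as written.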
Important
Review skipped
Auto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Trigger infra repo deploy workflow | ||
| uses: peter-evans/repository-dispatch@v3 | ||
| with: | ||
| token: ${{ secrets.ORGANIZATION_TOKEN }} | ||
| # [중요] 아래 repository 값은 모든 앱이 공유하는 '중앙 인프라 리포지토리' 주소이다. | ||
| repository: 33-Auto/Sampoom-Management-Backend-Infra | ||
| event-type: deploy | ||
| # 'Sampoom-Management-Backend-Part'은 스크립트가 동적으로 치환할 자리표시자(placeholder)이다. | ||
| client-payload: '{"service":"Sampoom-Management-Backend-Part","branch":"main"}' No newline at end of file |
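Review bot: `peter-evans/repository-dispatch@v3` is a third-party action referenced by a movable tag, and it is handed `secrets.ORGANIZATION_TOKEN`. Pin the action to a full commit SHA so a retagged release cannot run with that token. The file also ends without a trailing newline.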
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 4 months ago
To fix the problem, explicitly set the `permissions:` key for the workflow. Since the only built-in action is one that uses a repository dispatch (via a user-provided token), the job does not actually require any permissions granted to the default `GITHUB_TOKEN`. Therefore, we can safely set the permissions to none at the workflow or job level, following the principle of least privilege. The best and most future-proof way is to add `permissions: {}` at the workflow root level, so all jobs inherit the most restrictive permissions unless they specifically need more.
How to fix:
- Add `permissions: {}` (equivalent to no permissions for `GITHUB_TOKEN`) at the root of the workflow, preferably after the `name` field and before `on:` for clarity.
- No other code changes or dependency additions required.
| @@ -1,4 +1,5 @@ | ||
| name: Trigger Infra CD | ||
| permissions: {} | ||
|
|
||
| on: | ||
| push: |
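Review bot: `permissions: {}` at the root only empties the GITHUB_TOKEN, while the dispatch step in this workflow authenticates with `secrets.ORGANIZATION_TOKEN`, which this block does not constrain. A one-line comment next to the block saying so would help, and the organization token should be checked to confirm it is scoped to the infra repository only.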
CHOOSLA
left a comment
Approved
vivivim
left a comment
Please bring it up to date.
Sangyoon98
left a comment
Approved
📝 Summary
Bring the main branch up to date
🙏 Question & PR point
📬 Reference
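
The rule behind both CodeQL alerts in this PR, sketched as an added example (not CodeQL's implementation and not code from this repository): a standard-library Python check that lists the jobs left on default GITHUB_TOKEN permissions. The function name, the cron value and the job id `remind` are constructed, and the parser handles block-style YAML only.

```python
import re

KEY = re.compile(r"\s*([A-Za-z_][\w-]*)\s*:")

def jobs_without_permissions(text):
    """Job ids that fall back to the default GITHUB_TOKEN scopes.

    Block-style YAML only: a job is covered when the workflow has a
    root-level `permissions` key or the job declares its own.
    """
    root_perms, in_jobs = False, False
    job_indent = child_indent = current = None
    jobs = {}  # job id -> True once its own permissions key is seen
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = KEY.match(line)
        key = m.group(1) if m else None
        if indent == 0:
            root_perms = root_perms or key == "permissions"
            in_jobs = key == "jobs"
            job_indent = child_indent = current = None
        elif in_jobs and key:
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:  # a new job id
                current, child_indent = key, None
                jobs[current] = False
            else:
                if child_indent is None:
                    child_indent = indent  # keys directly under the job
                if indent == child_indent and key == "permissions":
                    jobs[current] = True
    return [] if root_perms else [j for j, ok in jobs.items() if not ok]

# Constructed sample modelled on the PR Reminder workflow in this PR.
PR_REMINDER = """\
name: PR Reminder
on:
  schedule:
    - cron: "0 0 * * 1-5"
jobs:
  remind:
    uses: 33-Auto/.github/.github/workflows/reusable-pr-reminder.yml@main
"""
# The same file with the suggested root-level block added before `on:`.
PR_REMINDER_FIXED = PR_REMINDER.replace("on:", "permissions:\n  contents: read\non:", 1)
```

A `permissions` key nested under a step's `with:` is not counted, since only keys directly under the job id or at the workflow root set the token's scopes.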