Potential fix for code scanning alert no. 3: Workflow does not contain permissions#257
Merged
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
ChristianPavilonis approved these changes Feb 9, 2026
aram356 added a commit that referenced this pull request Jun 22, 2026
* Sync EdgeZero PR 257 updates
* Formatting
* Sync integration-tests lockfile to edgezero 170b74b and fastly 0.11
* Track edgezero main and align fastly to 0.12

  Point the edgezero dependencies at the upstream main branch and bump fastly/log-fastly to 0.12 to match edgezero's pinned version. Forward-port the body and TLS APIs to the newer surface:
  - Body::into_bytes() now returns Option<Bytes>; buffered-body call sites use unwrap_or_default() to preserve prior semantics.
  - fastly 0.12 get_tls_protocol()/get_tls_cipher_openssl_name() return Result<Option<&str>>; adapter call sites use .ok().flatten().

  Resync the excluded integration-tests lockfile to the same versions.
* Fix OpenRTB regeneration command in README

  The wrapper script lives at crates/trusted-server-openrtb/generate.sh, not in the codegen crate. Point the example at the actual script path.
* Address review feedback: doc entrypoint shape and crate-rename helper paths

  Apply the approving review's inline doc suggestions and the crate-rename cleanup:
  - integration-guide: describe directory-based entrypoint discovery (src/integrations/<id>/index.ts) instead of arbitrary .ts files, and point the Testlight key file at testlight/index.ts.
  - creative-processing: fix the generated bundle output directory to crates/trusted-server-js/dist (not lib/dist).
  - .claude helper commands/agents: replace remaining crates/js references with crates/trusted-server-js so local/agent verification helpers keep working after the crate rename.
* Pin integration-tests log to 0.4.32 to match workspace lockfile

  The Integration Tests CI job runs scripts/check-integration-dependency-versions.sh, which requires the excluded trusted-server-integration-tests crate to resolve the same shared direct-dependency versions as the workspace. Regenerating its lockfile during the EdgeZero sync picked up log 0.4.33 while the workspace stays on 0.4.32. Downgrade log in the integration lockfile so the parity check passes.
* Fix EdgeZero integration test paths after crate rename

  The EdgeZero entry-point step in integration-tests.yml still pointed at the pre-rename crates/integration-tests path for both --manifest-path and VICEROY_CONFIG_PATH, so the job failed with 'manifest path does not exist'. Point them at crates/trusted-server-integration-tests to match the rename (the legacy integration-tests job already used the new path).
* Align toml dependency requirement with main (1.1)

  The merge resolution kept this branch's looser toml = "1.0" requirement; main uses "1.1". Both resolve to the same locked 1.1.x, so the lockfile is unchanged, but match main to avoid widening the version range.
* Align integration-tests transitive deps with the workspace lockfile

  The integration-tests lockfile was regenerated fresh during the EdgeZero sync and picked up newer patch/minor versions of crates that also resolve through trusted-server-core (http, bytes, uuid, lol_html, config, brotli, chrono, regex, time, etc.), so the tests linked slightly different versions than the production build ships. Pin those shared transitive crates back to the workspace-resolved versions (45 crates aligned). Six remain newer (js-sys, num-conv, wasm-bindgen family) because the integration crate's own dependency tree constrains them to a higher version; those cannot be downgraded without breaking resolution. The CI direct-dependency parity check still passes and the crate compiles --locked on the host target.
* Enforce transitive dependency parity for integration-tests lockfile

  Extend check-integration-dependency-versions.sh with a lockfile-based transitive parity check: every (name, version) the workspace lockfile resolves must also be present in the integration lockfile for any shared crate, so the integration tests exercise the same dependency versions the production build ships.

  This catches accidental drift when the integration lockfile is regenerated and silently bumps shared crates to newer versions than production uses (the failure mode that produced the original log/http drift during the EdgeZero sync). A small documented allowlist exempts crates the integration crate's own dependency tree forces to a different version (js-sys / wasm-bindgen family and num-conv, pulled newer by reqwest's wasm tooling; itertools, whose workspace 0.10.x line the integration tree never resolves). Also align four more shared transitives that were previously skipped as multi-version (bitflags, getrandom, hashbrown, syn) down to the workspace versions, so the enforced allowlist stays minimal. The check is parsed directly from the lockfiles (no cargo invocation), and a negative test confirms it flags an injected http drift and passes after restore.
prk-Jr added a commit that referenced this pull request Jun 23, 2026
Resolve conflicts from the EdgeZero PR #257 sync on main (#761):
- Cargo.toml: adopt main's crate renames, fastly/log-fastly 0.12, and edgezero tracking the upstream main branch; keep the branch's glob dep.
- publisher.rs: keep both sides' new tests; forward-port test body extraction to the Option-returning Body::into_bytes API and drop the now-unused response_body_string helper superseded by the branch tests.
- auction/endpoints.rs: unwrap_or_default the Option-returning into_bytes.
- Relocate the new GPT SPA tests into the renamed crates/trusted-server-js tree and refresh stale crates/js doc-comment paths.
- Take main's CI-validated integration-tests lockfile (deps unchanged on the branch).
Potential fix for https://github.com/IABTechLab/trusted-server/security/code-scanning/3
In general, the fix is to explicitly restrict the `GITHUB_TOKEN` in this workflow to the minimal permissions required. Since all the jobs only need to read the repository contents (for checkout, dependency resolution, and running tools) and do not write back to GitHub, we can safely declare `contents: read` at the top level of the workflow. Defining `permissions` at the workflow root applies to all jobs that don't have their own `permissions` block, which matches this file.

Concretely, edit `.github/workflows/format.yml` to add a `permissions` block near the top, alongside `name` and `on`. For example, add:

between the `name` and `on` keys. No additional methods, imports, or steps are required; this only changes the token scope that GitHub automatically injects, without altering the existing job behavior.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
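As an added example (not part of the PR or the Copilot Autofix suggestion), the check below encodes the rule behind the alert: a workflow is flagged when it has no top-level `permissions` block and at least one job lacks its own. It scans a constructed stand-in for `format.yml` by indentation rather than with a full YAML parser, which is an assumption that holds for conventionally 2-space-indented workflow files.

```python
# Added example, not from the PR: a line-based check mirroring the rule behind the
# alert "Workflow does not contain permissions". A workflow is flagged when it has no
# top-level `permissions` block and at least one job lacks its own.
# Assumption: 2-space-indented workflows are scanned by indentation, not a full YAML parser.
import re

TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):")
JOB_KEY = re.compile(r"^  ([A-Za-z_][\w-]*):")
JOB_PERMS = re.compile(r"^    permissions:")


def workflow_permission_gaps(text: str) -> list[str]:
    """Names of jobs that run with the default GITHUB_TOKEN scope ([] = all covered)."""
    top_level_perms, in_jobs, current = False, False, None
    jobs: dict[str, bool] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = TOP_KEY.match(line)
        if m:  # a new top-level key ends any job we were tracking
            in_jobs = m.group(1) == "jobs"
            top_level_perms |= m.group(1) == "permissions"
            current = None
        elif in_jobs and (j := JOB_KEY.match(line)):
            current = j.group(1)
            jobs[current] = False
        elif in_jobs and current and JOB_PERMS.match(line):
            jobs[current] = True
    if top_level_perms:  # workflow-level block covers every job without its own
        return []
    return [name for name, covered in jobs.items() if not covered]


# Constructed stand-in for .github/workflows/format.yml before the fix.
BEFORE = """name: Format
on: [push, pull_request]
jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo fmt --check
"""
# The same file with the suggested block declared between `name` and `on`.
AFTER = BEFORE.replace("\non:", "\npermissions:\n  contents: read\non:", 1)
```

A per-job `permissions` block also satisfies the check, so a workflow where every job declares its own scope is not flagged even without a top-level block.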