From 7c38d701ad2f5fc19e06c477a398e7d4e99c28e5 Mon Sep 17 00:00:00 2001
From: Duco Sebel <74970928+DCSBL@users.noreply.github.com>
Date: Tue, 24 Mar 2026 16:41:45 +0100
Subject: [PATCH 1/4] Potential fix for code scanning alert no. 2: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Duco Sebel <74970928+DCSBL@users.noreply.github.com>
---
 .github/workflows/firebase-hosting-pull-request.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/firebase-hosting-pull-request.yml b/.github/workflows/firebase-hosting-pull-request.yml
index 1c4b6e9..87a83d3 100644
--- a/.github/workflows/firebase-hosting-pull-request.yml
+++ b/.github/workflows/firebase-hosting-pull-request.yml
@@ -1,4 +1,6 @@
 name: Deploy preview on pull request
+permissions:
+ contents: read
 on: pull_request
 jobs:
 build_and_preview:
From a6a29b7a491ba7782a97b9376bf0a7eb273dea90 Mon Sep 17 00:00:00 2001
From: Duco Sebel <74970928+DCSBL@users.noreply.github.com>
Date: Tue, 24 Mar 2026 16:42:39 +0100
Subject: [PATCH 2/4] Potential fix for code scanning alert no. 4: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Duco Sebel <74970928+DCSBL@users.noreply.github.com>
---
 .github/workflows/firebase-hosting-merge.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/firebase-hosting-merge.yml b/.github/workflows/firebase-hosting-merge.yml
index cebde40..e1e757e 100644
--- a/.github/workflows/firebase-hosting-merge.yml
+++ b/.github/workflows/firebase-hosting-merge.yml
@@ -6,6 +6,8 @@ on:
 jobs:
 build_and_deploy:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v6
 - uses: actions/setup-node@v6
From 99dc76b4b9cd85d7cf73c68d69096c53f72f2b4b Mon Sep 17 00:00:00 2001
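Review bot: The workflow-level `permissions:` / `contents: read` added in the PATCH 1/4 hunk (and kept, only reordered, by the hunk in PATCH 4/4) leaves `build_and_preview` with no other GITHUB_TOKEN scope, which may be less than a preview-deploy job needs. The job's steps lie outside the hunk, but if they hand the token to the Firebase hosting deploy action as `repoToken`, posting the preview URL on the pull request and creating the check run need `pull-requests: write` and `checks: write`, and the step would likely fail with a permission error. Keep the read-only default at workflow level and grant the writes on that job alone, i.e. a `permissions:` block under `build_and_preview:` listing `contents: read`, `checks: write` and `pull-requests: write`. If the job never uses the token for commenting, a comment such as `# GITHUB_TOKEN is read-only; the deploy authenticates with its own secret` above the block would record why read access is enough.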
From: Duco Sebel <74970928+DCSBL@users.noreply.github.com>
Date: Tue, 24 Mar 2026 16:43:41 +0100
Subject: [PATCH 3/4] Update permissions in firebase-hosting-merge.yml
Signed-off-by: Duco Sebel <74970928+DCSBL@users.noreply.github.com>
---
 .github/workflows/firebase-hosting-merge.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/firebase-hosting-merge.yml b/.github/workflows/firebase-hosting-merge.yml
index e1e757e..c8e352f 100644
--- a/.github/workflows/firebase-hosting-merge.yml
+++ b/.github/workflows/firebase-hosting-merge.yml
@@ -3,11 +3,13 @@ on:
 push:
 branches:
 - main
+
+permissions:
+ contents: read
+
 jobs:
 build_and_deploy:
 runs-on: ubuntu-latest
- permissions:
- contents: read
 steps:
 - uses: actions/checkout@v6
 - uses: actions/setup-node@v6
From 57d04c7065f3cf7bf078b4c38651f4211e38305c Mon Sep 17 00:00:00 2001
From: Duco Sebel <74970928+DCSBL@users.noreply.github.com>
Date: Tue, 24 Mar 2026 16:44:03 +0100
Subject: [PATCH 4/4] Update Firebase hosting workflow for pull requests
Signed-off-by: Duco Sebel <74970928+DCSBL@users.noreply.github.com>
---
 .github/workflows/firebase-hosting-pull-request.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/firebase-hosting-pull-request.yml b/.github/workflows/firebase-hosting-pull-request.yml
index 87a83d3..3cc3112 100644
--- a/.github/workflows/firebase-hosting-pull-request.yml
+++ b/.github/workflows/firebase-hosting-pull-request.yml
@@ -1,7 +1,10 @@
 name: Deploy preview on pull request
+
+on: pull_request
+
 permissions:
 contents: read
-on: pull_request
+
 jobs:
 build_and_preview:
 if: '${{ github.event.pull_request.head.repo.full_name == github.repository }}'
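Review bot: The `permissions` block moved to workflow level in the PATCH 3/4 hunk has no comment, so a job added to this workflow later inherits the read-only token with nothing saying that is intended; a line such as `# Default GITHUB_TOKEN scope for all jobs; widen per job, never here` above `permissions:` would record it. The block restricts only GITHUB_TOKEN, so any deploy credential that steps outside the hunk read from `secrets` is not narrowed by this change and still needs its own review. The context lines `actions/checkout@v6` and `actions/setup-node@v6` reference mutable tags rather than commit SHAs; the patch does not touch them, but they are the remaining supply-chain exposure visible in this hunk. The steps list of `build_and_deploy` continues past the end of the hunk.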