Macos repr exp #180
base: temp-branch
Commits:
* Add reproducible builds verification workflow and update related scripts
* Enhance reproducibility verification workflow for Windows and macOS builds
* Update Nix installation action to version 31 in reproducible builds workflow
* Enhance reproducibility verification by adding platform matrix support and updating hash verification logic
* Refactor output messages in reproducibility scripts for consistency and clarity
* Update hash values for reproducible builds across platforms
* Update build hash verification by excluding non-build-affecting files from source
* Update hash values for aarch64, arm, riscv, and win64 platforms in reproducible builds documentation
* Refactor hash verification jobs for reproducible builds to separate Linux/Windows and macOS documentation checks
* Update hash values for x86_64 and arm64 platforms in reproducible builds documentation
* Update reproducible builds workflow to trigger on pull requests and ensure jobs only run for non-draft PRs
* Refactor reproducible builds documentation for clarity and conciseness
* Refactor reproducible builds workflow to simplify build steps
* Update available targets in flake.nix to remove unsupported macOS platforms for Linux builds
* Refactor reproducible builds workflow by removing Linux verification job and consolidating hash verification steps for Linux and macOS
| name: Verify Reproducible Builds (Linux/Windows) | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| platform: | ||
| - x86_64-linux-gnu | ||
| - aarch64-linux-gnu | ||
| - win64 | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry | ||
| uses: catchpoint/workflow-telemetry-action@v2 | ||
| with: | ||
| comment_on_pr: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Nix | ||
| uses: cachix/install-nix-action@v31 | ||
| with: | ||
| extra_nix_config: | | ||
| experimental-features = nix-command flakes | ||
|
|
||
| - name: Setup Cachix (optional binary cache) | ||
| uses: cachix/cachix-action@v13 | ||
| with: | ||
| name: clementine-cli | ||
| skipPush: true | ||
| continue-on-error: true | ||
|
|
||
| - name: Build ${{ matrix.platform }} (first time) | ||
| run: | | ||
| echo "Building for ${{ matrix.platform }}..." | ||
| nix build .#${{ matrix.platform }} | ||
| echo "First build complete" | ||
|
|
||
| - name: Calculate first build hash | ||
| id: hash1 | ||
| run: | | ||
| HASH=$(nix hash path ./result) | ||
| echo "hash=$HASH" >> $GITHUB_OUTPUT | ||
| echo "First build hash: $HASH" | ||
|
|
||
| - name: Remove build result | ||
| run: rm -rf result | ||
|
|
||
| - name: Build ${{ matrix.platform }} (second time) | ||
| run: | | ||
| echo "Rebuilding for ${{ matrix.platform }}..." | ||
| nix build .#${{ matrix.platform }} | ||
| echo "Second build complete" | ||
|
|
||
| - name: Calculate second build hash | ||
| id: hash2 | ||
| run: | | ||
| HASH=$(nix hash path ./result) | ||
| echo "hash=$HASH" >> $GITHUB_OUTPUT | ||
| echo "Second build hash: $HASH" | ||
|
|
||
| - name: Verify reproducibility | ||
| run: | | ||
| HASH1="${{ steps.hash1.outputs.hash }}" | ||
| HASH2="${{ steps.hash2.outputs.hash }}" | ||
|
|
||
| echo "Comparing hashes for ${{ matrix.platform }}:" | ||
| echo " First build: $HASH1" | ||
| echo " Second build: $HASH2" | ||
|
|
||
| if [ "$HASH1" = "$HASH2" ]; then | ||
| echo "OK: Build is reproducible! Hashes match." | ||
| exit 0 | ||
| else | ||
| echo "ERROR: Build is NOT reproducible! Hashes differ." | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Upload binary artifact | ||
| if: success() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: clementine-cli-${{ matrix.platform }} | ||
| path: result/bin/* | ||
| retention-days: 7 | ||
|
|
||
| verify-reproducibility-windows: |
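Review bot: the "Remove build result" step (`run: rm -rf result`) in the Linux/Windows-cross job above deletes only the `result` symlink, so the second `nix build .#${{ matrix.platform }}` is satisfied from the local Nix store and the two `nix hash path ./result` values cannot differ; with the Cachix substituter configured a few steps earlier, the first "build" may itself be a binary download, so neither step necessarily compiles anything. Run the second build as `nix build --rebuild .#${{ matrix.platform }}`, which rebuilds the derivation and compares it against the existing store path, or delete the store path with `nix store delete` before rebuilding. Two smaller points: the matrix covers only `x86_64-linux-gnu`, `aarch64-linux-gnu` and `win64`, while the `verify-hash-documentation-linux` job and the build summary also name `arm-linux-gnueabihf` and `riscv64-linux-gnu`; and the job name says "Linux/Windows" although the id referenced in `needs:` elsewhere is `verify-reproducibility-linux`, so either the matrix or the name should state what is actually double-built.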
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago):
To fix the issue, you should add a permissions section restricting the privileges of the workflow's GITHUB_TOKEN. The best way is to set permissions at the workflow root so all jobs inherit the least privileges, unless a job requires greater permissions (which you can then override). Based on the workflow steps shown, the only likely requirement is read-only access to contents (pulling code, uploading artifacts, etc. does not require write permissions to repository content). Specifically, add the following block after the workflow name and before on::
permissions:
  contents: read
No additional methods, libraries, or other changes are required.
| @@ -1,4 +1,6 @@ | ||
| name: Reproducible Builds Verification | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # Platform coverage: | ||
| # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix) |
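Review bot: a root-level `permissions:` with `contents: read` is the right shape for this workflow and should be applied exactly once: `actions/checkout` needs read access to contents, `actions/upload-artifact` uses the runner's artifact token rather than `GITHUB_TOKEN`, and the telemetry action is configured with `comment_on_pr: false`, so no job shown needs a write scope (if the telemetry action turns out to need the Actions API for job metadata, add `actions: read` rather than widening to write). Prefer this single root block over the per-job variants proposed for the later findings, and over the final `permissions: {}` suggestion, which removes even read access.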
| name: Verify Reproducible Windows Build | ||
| runs-on: windows-latest | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry | ||
| uses: catchpoint/workflow-telemetry-action@v2 | ||
| with: | ||
| comment_on_pr: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Rust toolchain | ||
| uses: actions-rust-lang/setup-rust-toolchain@v1 | ||
| with: | ||
| toolchain: "1.89.0" | ||
| components: rustfmt, rust-src | ||
|
|
||
| - name: Build (first time) | ||
| shell: bash | ||
| env: | ||
| SOURCE_DATE_EPOCH: "1" | ||
| RUSTFLAGS: "-C debuginfo=0 -C opt-level=3 -C codegen-units=1 -C strip=none -C link-arg=/PDBALTPATH:clementine-cli.pdb -C link-arg=/Brepro" | ||
| run: | | ||
| echo "Building for Windows native (x86_64-pc-windows-msvc) with reproducible settings..." | ||
| cargo build --release | ||
| echo "First build complete" | ||
|
|
||
| - name: Calculate first build hash | ||
| id: hash1 | ||
| shell: bash | ||
| run: | | ||
| HASH=$(sha256sum target/release/clementine-cli.exe | awk '{print $1}') | ||
| echo "hash=$HASH" >> $GITHUB_OUTPUT | ||
| echo "First build hash: $HASH" | ||
|
|
||
| - name: Clean build artifacts | ||
| run: cargo clean | ||
|
|
||
| - name: Build (second time) | ||
| shell: bash | ||
| env: | ||
| SOURCE_DATE_EPOCH: "1" | ||
| RUSTFLAGS: "-C debuginfo=0 -C opt-level=3 -C codegen-units=1 -C strip=none -C link-arg=/PDBALTPATH:clementine-cli.pdb -C link-arg=/Brepro" | ||
| run: | | ||
| echo "Rebuilding for Windows native with reproducible settings..." | ||
| cargo build --release | ||
| echo "Second build complete" | ||
|
|
||
| - name: Calculate second build hash | ||
| id: hash2 | ||
| shell: bash | ||
| run: | | ||
| HASH=$(sha256sum target/release/clementine-cli.exe | awk '{print $1}') | ||
| echo "hash=$HASH" >> $GITHUB_OUTPUT | ||
| echo "Second build hash: $HASH" | ||
|
|
||
| - name: Verify reproducibility | ||
| shell: bash | ||
| run: | | ||
| HASH1="${{ steps.hash1.outputs.hash }}" | ||
| HASH2="${{ steps.hash2.outputs.hash }}" | ||
|
|
||
| echo "Comparing hashes for Windows native build:" | ||
| echo " First build: $HASH1" | ||
| echo " Second build: $HASH2" | ||
|
|
||
| if [ "$HASH1" = "$HASH2" ]; then | ||
| echo "OK: Native Windows build is reproducible! Hashes match." | ||
| exit 0 | ||
| else | ||
| echo "ERROR: Native Windows build is NOT reproducible! Hashes differ." | ||
| echo "This should not happen with our reproducibility settings." | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Upload binary artifact | ||
| if: success() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: clementine-cli-windows-native | ||
| path: target/release/clementine-cli.exe | ||
| retention-days: 7 | ||
|
|
||
| verify-reproducibility-macos: |
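Review bot: both `cargo build --release` steps in the native Windows job should be `cargo build --release --locked`; without `--locked`, cargo may silently re-resolve dependencies if `Cargo.lock` is stale, so the two builds would agree with each other while the inputs were never pinned to the committed lockfile. Beyond that, `cargo clean` leaves `~/.cargo` and the toolchain in place on the same runner, so this job detects non-determinism within one environment but not environment dependence: `-C strip=none` keeps absolute registry paths from panic-location strings in the binary, and `/PDBALTPATH` only covers the PDB reference, so add `--remap-path-prefix` to `RUSTFLAGS` if the documented hash is meant to be reproducible by anyone else. Unlike the Nix targets, the `.exe` hash is never compared against `docs/reproducible-builds.md`. The line `echo "This should not happen with our reproducibility settings."` adds nothing to the failure output and can go.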
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago):
To fix this problem, add an explicit permissions: block for the affected job (or at workflow root if desired). Since none of the build or upload steps require writing to repository contents or managing issues or pull requests, the minimal recommendable setting is contents: read. This ensures the GITHUB_TOKEN used in the workflow does not have unnecessary privileges.
You should add the following block to the verify-reproducibility-windows job definition (starting at line 107):
permissions:
  contents: read
You could optionally add further restrictions at the workflow root, but per the CodeQL complaint (which highlights the job at line 107), it's most direct to add it for that job. No further code, imports, or dependencies are needed.
| @@ -106,6 +106,8 @@ | ||
| verify-reproducibility-windows: | ||
| name: Verify Reproducible Windows Build | ||
| runs-on: windows-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry |
| name: Verify Reproducible Builds (macOS) | ||
| runs-on: macos-latest | ||
| strategy: | ||
| matrix: | ||
| platform: | ||
| - x86_64-apple-darwin | ||
| - arm64-apple-darwin | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry | ||
| uses: catchpoint/workflow-telemetry-action@v2 | ||
| with: | ||
| comment_on_pr: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Nix | ||
| uses: cachix/install-nix-action@v31 | ||
| with: | ||
| extra_nix_config: | | ||
| experimental-features = nix-command flakes | ||
|
|
||
| - name: Setup Cachix (optional binary cache) | ||
| uses: cachix/cachix-action@v13 | ||
| with: | ||
| name: clementine-cli | ||
| skipPush: true | ||
| continue-on-error: true | ||
|
|
||
| - name: Build ${{ matrix.platform }} (first time) | ||
| run: | | ||
| echo "Building for ${{ matrix.platform }}..." | ||
| nix build .#${{ matrix.platform }} | ||
| echo "First build complete" | ||
|
|
||
| - name: Calculate first build hash | ||
| id: hash1 | ||
| run: | | ||
| HASH=$(nix hash path ./result) | ||
| echo "hash=$HASH" >> $GITHUB_OUTPUT | ||
| echo "First build hash: $HASH" | ||
|
|
||
| - name: Remove build result | ||
| run: rm -rf result | ||
|
|
||
| - name: Build ${{ matrix.platform }} (second time) | ||
| run: | | ||
| echo "Rebuilding for ${{ matrix.platform }}..." | ||
| nix build .#${{ matrix.platform }} | ||
| echo "Second build complete" | ||
|
|
||
| - name: Calculate second build hash | ||
| id: hash2 | ||
| run: | | ||
| HASH=$(nix hash path ./result) | ||
| echo "hash=$HASH" >> $GITHUB_OUTPUT | ||
| echo "Second build hash: $HASH" | ||
|
|
||
| - name: Verify reproducibility | ||
| run: | | ||
| HASH1="${{ steps.hash1.outputs.hash }}" | ||
| HASH2="${{ steps.hash2.outputs.hash }}" | ||
|
|
||
| echo "Comparing hashes for ${{ matrix.platform }}:" | ||
| echo " First build: $HASH1" | ||
| echo " Second build: $HASH2" | ||
|
|
||
| if [ "$HASH1" = "$HASH2" ]; then | ||
| echo "OK: Build is reproducible! Hashes match." | ||
| exit 0 | ||
| else | ||
| echo "ERROR: Build is NOT reproducible! Hashes differ." | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Upload binary artifact | ||
| if: success() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: clementine-cli-${{ matrix.platform }} | ||
| path: result/bin/* | ||
| retention-days: 7 | ||
|
|
||
| verify-hash-documentation-linux: |
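Review bot: the macOS job has the same cache problem as the Linux job: `rm -rf result` removes only the symlink, so the second `nix build` reuses the existing store path (or the Cachix download) and the hash comparison cannot fail; use `nix build --rebuild` for the second build. Separately, `runs-on: macos-latest` is a moving label (GitHub reassigns it between macOS versions, and at the time of writing it is an arm64 host), so pin a specific image such as `macos-14` so the hashes that are later checked against `docs/reproducible-builds.md` come from a known host, and confirm in the logs that the `x86_64-apple-darwin` output is actually built on that host rather than substituted from the cache.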
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago):
The best way to fix the problem is to add a permissions block to the workflow's root (at the top level, just after the workflow's name but before on:), which sets minimal permissions required for all jobs. Since none of the jobs as written require write access to the repository (they only need to build and upload artifacts), the safest minimal permissions block is contents: read, which will restrict the GITHUB_TOKEN to read-only access to repository contents. If any jobs require additional permissions (such as commenting on a PR), you would add those explicitly to those jobs, but based on the code shown, contents: read is appropriate.
Insert the following block into .github/workflows/reproducible-builds.yml after the name: key and before on:. No new imports or external dependencies are required.
| @@ -1,4 +1,6 @@ | ||
| name: Reproducible Builds Verification | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # Platform coverage: | ||
| # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix) |
| name: Verify Documented Hashes (Linux/Windows) | ||
| runs-on: ubuntu-latest | ||
| needs: [verify-reproducibility-linux, verify-reproducibility-windows] | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| platform: | ||
| - x86_64-linux-gnu | ||
| - aarch64-linux-gnu | ||
| - arm-linux-gnueabihf | ||
| - riscv64-linux-gnu | ||
| - win64 | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry | ||
| uses: catchpoint/workflow-telemetry-action@v2 | ||
| with: | ||
| comment_on_pr: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Nix | ||
| uses: cachix/install-nix-action@v31 | ||
| with: | ||
| extra_nix_config: | | ||
| experimental-features = nix-command flakes | ||
|
|
||
| - name: Build ${{ matrix.platform }} | ||
| run: | | ||
| echo "Building ${{ matrix.platform }} to verify documented hash..." | ||
| nix build .#${{ matrix.platform }} | ||
| echo "Build complete" | ||
|
|
||
| - name: Verify documented hash for ${{ matrix.platform }} | ||
| run: | | ||
| ACTUAL_HASH=$(nix hash path ./result) | ||
|
|
||
| # Extract documented hash from reproducible-builds.md | ||
| # Platform names are in bold (**platform**) in the markdown table | ||
| # Table format: | **platform** | `hash` | | ||
| DOCUMENTED_HASH=$(grep "\*\*${{ matrix.platform }}\*\*" docs/reproducible-builds.md | sed 's/.*`\(sha256-[^`]*\)`.*/\1/') | ||
|
|
||
| echo "Platform: ${{ matrix.platform }}" | ||
| echo "Documented hash: $DOCUMENTED_HASH" | ||
| echo "Actual hash: $ACTUAL_HASH" | ||
| echo "" | ||
|
|
||
| if [ -z "$DOCUMENTED_HASH" ]; then | ||
| echo "ERROR: No documented hash found for ${{ matrix.platform }}" | ||
| echo "Please add the hash to docs/reproducible-builds.md Expected Hashes table:" | ||
| echo " $ACTUAL_HASH" | ||
| exit 1 | ||
| elif [ "$DOCUMENTED_HASH" != "$ACTUAL_HASH" ]; then | ||
| echo "ERROR: Documented hash does not match actual build hash!" | ||
| echo "The hash in docs/reproducible-builds.md is outdated." | ||
| echo "" | ||
| echo "Please update docs/reproducible-builds.md with the new hash:" | ||
| echo " Platform: ${{ matrix.platform }}" | ||
| echo " Old hash: $DOCUMENTED_HASH" | ||
| echo " New hash: $ACTUAL_HASH" | ||
| exit 1 | ||
| else | ||
| echo "OK: Documented hash matches actual build for ${{ matrix.platform }}" | ||
| fi | ||
|
|
||
| verify-hash-documentation-macos: |
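Review bot: the `grep "\*\*${{ matrix.platform }}\*\*" ... | sed ...` extraction in the "Verify documented hash" step returns every line of `docs/reproducible-builds.md` that mentions the platform; if a platform appears in more than one row or table, `DOCUMENTED_HASH` becomes multi-line and the `!=` branch reports a misleading "outdated" error. Add `-m1` to `grep`, or fail explicitly when more than one match is found. Process-wise, this job has no Cachix step, so it is the only genuinely independent rebuild in the workflow, and its failure text simply tells the author to paste the new hash into the docs; a changed documented hash should prompt a review of why the output changed (dependency or toolchain bump) rather than a copy-and-paste update, otherwise the documentation check only proves that someone edited the table. Note also that `arm-linux-gnueabihf` and `riscv64-linux-gnu` are built only here, once, and never double-built by the reproducibility job this job `needs`.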
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago):
To remediate the issue, we should add an explicit permissions block to the flagged job, verify-hash-documentation-linux, within .github/workflows/reproducible-builds.yml. The minimal starting point is contents: read, as per recommended best practice. This ensures that the GITHUB_TOKEN used by this job will only have read access to repository contents, rather than potentially inappropriate write access. The edit should add the following lines immediately below line 275 (the job declaration):
permissions:
  contents: read
No dependencies or further code changes are needed. If other jobs in the workflow require similar restrictions, those should also be reviewed, but for now, we only update the flagged job.
| @@ -273,6 +273,8 @@ | ||
|
|
||
| verify-hash-documentation-linux: | ||
| name: Verify Documented Hashes (Linux/Windows) | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| needs: [verify-reproducibility-linux, verify-reproducibility-windows] | ||
| strategy: |
| name: Verify Documented Hashes (macOS) | ||
| runs-on: macos-latest | ||
| needs: [verify-reproducibility-macos] | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| platform: | ||
| - x86_64-apple-darwin | ||
| - arm64-apple-darwin | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry | ||
| uses: catchpoint/workflow-telemetry-action@v2 | ||
| with: | ||
| comment_on_pr: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Nix | ||
| uses: cachix/install-nix-action@v31 | ||
| with: | ||
| extra_nix_config: | | ||
| experimental-features = nix-command flakes | ||
|
|
||
| - name: Build ${{ matrix.platform }} | ||
| run: | | ||
| echo "Building ${{ matrix.platform }} to verify documented hash..." | ||
| nix build .#${{ matrix.platform }} | ||
| echo "Build complete" | ||
|
|
||
| - name: Verify documented hash for ${{ matrix.platform }} | ||
| run: | | ||
| ACTUAL_HASH=$(nix hash path ./result) | ||
|
|
||
| # Extract documented hash from reproducible-builds.md | ||
| # Platform names are in bold (**platform**) in the markdown table | ||
| # Table format: | **platform** | `hash` | | ||
| DOCUMENTED_HASH=$(grep "\*\*${{ matrix.platform }}\*\*" docs/reproducible-builds.md | sed 's/.*`\(sha256-[^`]*\)`.*/\1/') | ||
|
|
||
| echo "Platform: ${{ matrix.platform }}" | ||
| echo "Documented hash: $DOCUMENTED_HASH" | ||
| echo "Actual hash: $ACTUAL_HASH" | ||
| echo "" | ||
|
|
||
| if [ -z "$DOCUMENTED_HASH" ]; then | ||
| echo "ERROR: No documented hash found for ${{ matrix.platform }}" | ||
| echo "Please add the hash to docs/reproducible-builds.md Expected Hashes table:" | ||
| echo " $ACTUAL_HASH" | ||
| exit 1 | ||
| elif [ "$DOCUMENTED_HASH" != "$ACTUAL_HASH" ]; then | ||
| echo "ERROR: Documented hash does not match actual build hash!" | ||
| echo "The hash in docs/reproducible-builds.md is outdated." | ||
| echo "" | ||
| echo "Please update docs/reproducible-builds.md with the new hash:" | ||
| echo " Platform: ${{ matrix.platform }}" | ||
| echo " Old hash: $DOCUMENTED_HASH" | ||
| echo " New hash: $ACTUAL_HASH" | ||
| exit 1 | ||
| else | ||
| echo "OK: Documented hash matches actual build for ${{ matrix.platform }}" | ||
| fi | ||
|
|
||
| build-summary: |
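Review bot: this job is line-for-line identical to `verify-hash-documentation-linux` apart from `runs-on`, `needs` and the platform list, and the two `verify-reproducibility-*` Nix jobs above are the same kind of pair. Fold each pair into one job whose matrix uses `include:` entries carrying an `os` and a `platform` value (with `runs-on: ${{ matrix.os }}`), or move the grep/sed hash-extraction script into the reproducibility scripts the commit messages already mention, so that a fix such as the `grep -m1` change lands in one place instead of two.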
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago):
The best way to fix this issue is to explicitly specify a permissions: block that grants only the minimum necessary privileges for the affected job(s) or for the entire workflow if possible. Since the jobs in question appear to only need readonly access to repository contents—i.e., to clone the code—they should have contents: read. You can set this at the workflow root if all jobs share these needs, or on specific jobs as needed. Here, since the CodeQL finding is specifically about verify-hash-documentation-macos, it's minimally sufficient to add it on line 341, but to promote consistency and least privilege across all jobs in this workflow, prefer setting at the workflow level (e.g., after the name field and before on:).
To implement, add the following at the top of .github/workflows/reproducible-builds.yml (after the name: and before on:):
permissions:
  contents: read
No additional methods, imports, or definitions are needed; this is a declarative YAML configuration change.
| @@ -1,4 +1,6 @@ | ||
| name: Reproducible Builds Verification | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # Platform coverage: | ||
| # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix) |
| name: Build Summary | ||
| runs-on: ubuntu-latest | ||
| needs: [verify-reproducibility-linux, verify-reproducibility-windows, verify-reproducibility-macos, verify-hash-documentation-linux, verify-hash-documentation-macos] | ||
| if: always() | ||
|
|
||
| steps: | ||
| - name: Check results | ||
| run: | | ||
| LINUX_RESULT="${{ needs.verify-reproducibility-linux.result }}" | ||
| WINDOWS_RESULT="${{ needs.verify-reproducibility-windows.result }}" | ||
| MACOS_RESULT="${{ needs.verify-reproducibility-macos.result }}" | ||
| DOCS_LINUX_RESULT="${{ needs.verify-hash-documentation-linux.result }}" | ||
| DOCS_MACOS_RESULT="${{ needs.verify-hash-documentation-macos.result }}" | ||
|
|
||
| echo "Build Results Summary:" | ||
| echo " Linux (Nix): $LINUX_RESULT" | ||
| echo " Windows (Nix cross): $LINUX_RESULT (included in Linux job)" | ||
| echo " Windows (native): $WINDOWS_RESULT" | ||
| echo " macOS (Nix): $MACOS_RESULT" | ||
| echo " Documentation hashes (Linux): $DOCS_LINUX_RESULT" | ||
| echo " Documentation hashes (macOS): $DOCS_MACOS_RESULT" | ||
| echo "" | ||
|
|
||
| # All jobs must succeed | ||
| if [ "$LINUX_RESULT" = "success" ] && [ "$WINDOWS_RESULT" = "success" ] && [ "$MACOS_RESULT" = "success" ] && [ "$DOCS_LINUX_RESULT" = "success" ] && [ "$DOCS_MACOS_RESULT" = "success" ]; then | ||
| echo "OK: All verifications passed!" | ||
| echo "" | ||
| echo "Reproducible builds verified (twice each):" | ||
| echo " - Linux (x86_64, ARM64, ARMv7, RISC-V) via Nix" | ||
| echo " - Windows (x86_64 cross-compiled) via Nix" | ||
| echo " - macOS (Intel, Apple Silicon) via Nix" | ||
| echo "" | ||
| echo "Native build verified:" | ||
| echo " - Windows (x86_64-pc-windows-msvc) via cargo" | ||
| echo "" | ||
| echo "Documentation verified:" | ||
| echo " - All platform hashes match docs/reproducible-builds.md" | ||
| exit 0 | ||
| else | ||
| echo "ERROR: Verification failed on one or more checks" | ||
| echo "" | ||
| if [ "$DOCS_LINUX_RESULT" != "success" ] || [ "$DOCS_MACOS_RESULT" != "success" ]; then | ||
| echo " Documentation hash mismatch detected!" | ||
| echo " This means the code/dependencies changed and docs need updating." | ||
| echo " Please update docs/reproducible-builds.md with new hashes." | ||
| echo "" | ||
| fi | ||
| echo "Check the individual job logs for details" | ||
| exit 1 | ||
| fi |
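Review bot: the success branch prints "Linux (x86_64, ARM64, ARMv7, RISC-V) via Nix" under "Reproducible builds verified (twice each)", but the `verify-reproducibility-linux` matrix contains only `x86_64-linux-gnu`, `aarch64-linux-gnu` and `win64`; ARMv7 and RISC-V are built once, in the documentation-hash job, and never rebuilt for comparison. Either add those two targets to the reproducibility matrix or trim the summary, since a status message that overstates coverage is worse than none. The `if: always()` together with the explicit `needs.*.result` checks is fine; consider printing `cancelled` results separately from `failure` so a cancelled run does not read as a reproducibility failure.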
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago):
The best way to fix this issue is to add an explicit permissions block to the workflow, restricting the automatically generated GITHUB_TOKEN's permissions to the minimum required. The CodeQL message provides an empty object (permissions: {}) as a starting point, which is equivalent in YAML to permissions: {} or simply no granted permissions, i.e., all permissions set to none. Since the build-summary job only echoes results and does not interact with the repository or GitHub API, it does not require permissions. Therefore, we should add the following at the root of the workflow, just after the name field (and before any on:/jobs: keys), applying minimal permissions to all jobs in the workflow. If only the build-summary job is affected and others do require permissions, a permissions block can be added specifically to that job instead; however, setting it at the root is safest for this case and future jobs.
Steps to implement:
- Add a new permissions: {} block immediately under the name: Reproducible Builds Verification line in .github/workflows/reproducible-builds.yml.
- No imports or extra definitions are needed.
| @@ -1,4 +1,5 @@ | ||
| name: Reproducible Builds Verification | ||
| permissions: {} | ||
|
|
||
| # Platform coverage: | ||
| # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix) |
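Review bot: `permissions: {}` leaves the `GITHUB_TOKEN` with no scopes at all, which is stricter than the `contents: read` the four earlier suggestions propose; `actions/checkout` would then only succeed on a public repository and would fail on a private one. Choose one root-level block, `contents: read`, and apply it once; accepting this hunk together with the job-level hunks above would yield a root `{}` plus per-job overrides, which is valid YAML but harder to audit than a single root declaration.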
No description provided.