Skip to content

ci: trigger dune upload#301

Merged
Xeonus merged 2 commits intobiweekly-runsfrom
ci/trigger-dune-upload
Mar 3, 2026
Merged

ci: trigger dune upload#301
Xeonus merged 2 commits intobiweekly-runsfrom
ci/trigger-dune-upload

Conversation

@gosuto-inzasheru
Copy link
Contributor

@gosuto-inzasheru gosuto-inzasheru commented Feb 27, 2026

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 27, 2026
View reviewed changes
.github/workflows/trigger_dune_upload.yaml Fixed
Comment on lines +12 to +20
runs-on: ubuntu-latest

steps:
- name: Trigger dune revenue upload
run: |
gh api repos/${{ secrets.DUNE_UPLOAD_REPO }}/dispatches \
-f event_type=recon-updated
env:
GH_TOKEN: ${{ secrets.DUNE_UPLOAD_TOKEN }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 10 days ago

In general, the fix is to add an explicit permissions block to the workflow or to individual jobs, restricting the GITHUB_TOKEN to the minimum required scopes. This prevents the job from inheriting broad default permissions and documents the intended access level.

For this specific workflow, the dispatch job only invokes gh api using a separate GH_TOKEN from secrets.DUNE_UPLOAD_TOKEN and does not reference GITHUB_TOKEN. The minimal, non-breaking change is to add a job-level permissions block under jobs.dispatch that limits GITHUB_TOKEN to read-only repository contents. A safe common baseline is:

permissions:
  contents: read

This should be inserted directly under jobs.dispatch: (around current line 12) and indented to align with runs-on:. No additional imports or methods are needed, since this is purely a workflow configuration change.

Suggested changeset 1
.github/workflows/trigger_dune_upload.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/trigger_dune_upload.yaml b/.github/workflows/trigger_dune_upload.yaml
--- a/.github/workflows/trigger_dune_upload.yaml
+++ b/.github/workflows/trigger_dune_upload.yaml
@@ -9,6 +9,8 @@
 
 jobs:
   dispatch:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
 
     steps:
EOF
@@ -9,6 +9,8 @@

jobs:
dispatch:
permissions:
contents: read
runs-on: ubuntu-latest

steps:
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
Copy link
Contributor

@Xeonus Xeonus Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe just add read perms?

Xeonus
Xeonus requested changes Feb 27, 2026
View reviewed changes
Copy link
Contributor

@Xeonus Xeonus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worth adding read perms to action?

.github/workflows/trigger_dune_upload.yaml Fixed
Comment on lines +12 to +20
runs-on: ubuntu-latest

steps:
- name: Trigger dune revenue upload
run: |
gh api repos/${{ secrets.DUNE_UPLOAD_REPO }}/dispatches \
-f event_type=recon-updated
env:
GH_TOKEN: ${{ secrets.DUNE_UPLOAD_TOKEN }}
Copy link
Contributor

@Xeonus Xeonus Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe just add read perms?

@gosuto-inzasheru
Copy link
Contributor Author

gosuto-inzasheru commented Mar 2, 2026

@Xeonus why? this only triggers and afaiu doesnt even require read perms

there is however an empty perms block to make this explicit: 4939f6a

Xeonus
Xeonus approved these changes Mar 3, 2026
View reviewed changes
Copy link
Contributor

@Xeonus Xeonus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM now, no read perms needed but empty block for best practice / get rid of GH warning

@Xeonus Xeonus merged commit f585062 into biweekly-runs Mar 3, 2026
4 checks passed
@Xeonus Xeonus deleted the ci/trigger-dune-upload branch March 3, 2026 08:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Xeonus Xeonus Xeonus approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gosuto-inzasheru @Xeonus