
Add GitHub repository security configuration#1

Merged
inflop merged 1 commit into master from claude/github-nuget-setup-RTmIJ on Apr 21, 2026
Conversation

@inflop (Owner) commented Apr 21, 2026

  • Add explicit permissions: contents: read to ci.yml (principle of least privilege)
  • Add environment: nuget to publish job (enables manual approval gate)
  • Add dependabot.yml for weekly NuGet and GitHub Actions updates
  • Add CodeQL workflow for free static analysis on public repos

https://claude.ai/code/session_01RvKpgbtBTikomHFriFx2dA

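The three workflow/config changes listed in the description, written out as an added example (these are not the repository's actual files; the triggers, action versions, the SDK version, the `NUGET_API_KEY` secret name and the Dependabot `directory` values are assumptions). The point of each file is in its comments: a top-level `permissions` block that leaves the `GITHUB_TOKEN` with read-only access to the repo, a publish job bound to a deployment environment so a required reviewer can gate it, and weekly Dependabot checks for both NuGet packages and the actions the workflows pin.

```yaml
# --- .github/workflows/ci.yml (example) ---
# Top-level permissions apply to every job: the GITHUB_TOKEN can read the
# repository and nothing else; every other scope defaults to "none".
name: CI
on:
  push:
    branches: [master]
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 9.0.x          # assumed SDK version
      - run: dotnet build src/Inflop.VatSharp.slnx --configuration Release
      - run: dotnet test src/Inflop.VatSharp.slnx --configuration Release --no-build

---
# --- .github/workflows/publish.yml (example) ---
name: Publish
on:
  release:
    types: [published]
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    # Binding the job to the "nuget" environment makes GitHub pause here until a
    # required reviewer configured on that environment approves the deployment;
    # secrets stored on the environment are only exposed to runs that pass the gate.
    environment: nuget
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
      - run: dotnet pack src/Inflop.VatSharp/Inflop.VatSharp.csproj --configuration Release --output out
      # The key is passed through an env var rather than interpolated into the
      # script line, so it does not end up in the shell command text.
      - run: dotnet nuget push "out/*.nupkg" --source https://api.nuget.org/v3/index.json --api-key "$NUGET_API_KEY" --skip-duplicate
        env:
          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}   # assumed secret name

---
# --- .github/dependabot.yml (example) ---
version: 2
updates:
  - package-ecosystem: nuget
    directory: /src                # assumed: where the .csproj/.slnx files live
    schedule:
      interval: weekly
  - package-ecosystem: github-actions
    directory: /                   # Dependabot finds .github/workflows from the root
    schedule:
      interval: weekly
```

The approval gate only exists once the `nuget` environment has "Required reviewers" set in the repository's environment settings; the `environment:` key on its own just names the environment and selects its secrets.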
Copilot AI review requested due to automatic review settings April 21, 2026 17:48

Copilot AI left a comment


Pull request overview

Adds baseline GitHub repository security automation/configuration for this .NET library repo, focusing on least-privilege CI permissions, controlled NuGet publishing, dependency update automation, and CodeQL scanning.

Changes:

  • Restricts CI workflow token permissions to contents: read.
  • Adds a nuget environment gate to the NuGet publish job.
  • Introduces Dependabot configuration for weekly NuGet + GitHub Actions updates.
  • Adds a CodeQL workflow for scheduled and PR/branch scanning.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File                            Description
.github/workflows/publish.yml   Adds environment: nuget to enable an approval gate for publishing.
.github/workflows/codeql.yml    Introduces CodeQL scanning workflow for C#/.NET builds.
.github/workflows/ci.yml        Adds explicit workflow permissions (contents: read) for least privilege.
.github/dependabot.yml          Configures weekly dependency updates for NuGet projects and GitHub Actions.


schedule:
- cron: '0 6 * * 1'

permissions:
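Review bot: the `permissions:` block that opens at the end of this snippet is the workflow's top-level token scope, and the weekly `cron: '0 6 * * 1'` run above it executes on the default branch with whatever that block grants; besides `actions: read`, confirm it contains `security-events: write` (required for the analyze step to upload results) and `contents: read` for checkout, and no other `write` scope.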

Copilot AI Apr 21, 2026


The CodeQL workflow is missing actions: read in the top-level permissions. GitHub’s recommended minimal permissions for code scanning include actions: read, and without it the CodeQL action/SARIF upload can fail in hardened-permissions setups. Add actions: read alongside contents: read and security-events: write.

Suggested change
permissions:
permissions:
actions: read

Copilot uses AI. Check for mistakes.
with:
languages: csharp

- run: dotnet build src/Inflop.VatSharp/Inflop.VatSharp.csproj --configuration Release
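Review bot: the init step's `with:` block sets only `languages: csharp` while the workflow runs its own `dotnet build` instead of the autobuild action; consider adding `build-mode: manual` next to `languages: csharp` so the init step is explicitly configured to trace that manual build rather than relying on the default mode.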

Copilot AI Apr 21, 2026


The build step compiles only src/Inflop.VatSharp/Inflop.VatSharp.csproj, but the repository solution (src/Inflop.VatSharp.slnx) also includes the test project. Building the solution instead will ensure CodeQL extracts/analyses all C# code in the repo and catches compilation issues across projects.

Suggested change
- run: dotnet build src/Inflop.VatSharp/Inflop.VatSharp.csproj --configuration Release
- run: dotnet build src/Inflop.VatSharp.slnx --configuration Release

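A complete CodeQL workflow that folds in both of Copilot's suggestions above (`actions: read` in the permissions block, and building the `src/Inflop.VatSharp.slnx` solution so the test project is analysed too). This is an added example, not the repository's actual codeql.yml; the triggers, action versions, SDK version and the explicit `build-mode: manual` setting are assumptions.

```yaml
# .github/workflows/codeql.yml (example)
name: CodeQL
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: '0 6 * * 1'          # weekly, Monday 06:00 UTC, on the default branch
# Minimal scopes for code scanning: read the repo, read workflow metadata,
# write results to the Security tab. Nothing else is granted.
permissions:
  actions: read
  contents: read
  security-events: write
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 9.0.x    # assumed SDK version
      - uses: github/codeql-action/init@v3
        with:
          languages: csharp
          build-mode: manual       # we drive the build ourselves below
      # Build the whole solution, not just the library project, so every C# file
      # (library and tests) is compiled under CodeQL's tracer and extracted.
      - run: dotnet build src/Inflop.VatSharp.slnx --configuration Release
      - uses: github/codeql-action/analyze@v3
        with:
          category: /language:csharp
```

With `build-mode: manual` the init step traces the `dotnet build` that follows it; if the build is later moved into the autobuild action or switched to `build-mode: none`, drop the manual build step so the same code is not compiled twice.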
@inflop inflop merged commit fee6d44 into master Apr 21, 2026
1 check passed
@inflop inflop deleted the claude/github-nuget-setup-RTmIJ branch April 21, 2026 18:34
3 participants