Conversation
Dependency Review: the following issues were found:
Snapshot Warnings: ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.
License Issues: .github/workflows/keyfactor-starter-workflow.yml, .github/workflows/test-doctool.yml
OpenSSF Scorecard
Scanned Files
Integration Test Results (K8s v1.29.0): 215 tests, 215 ✅, 2m 58s ⏱️. Results for commit 4f309a8. ♻️ This comment has been updated with latest results.
PR Quality Signoff Summary
Security Checks
Code Quality
PR Standards
Self-Review Checklist: before requesting review, please confirm:
DevOps Workflow Reminders
🎉 All automated quality checks passed! Generated by Keyfactor Actions v6 PR Quality Checks
- Development.md: note net10.0 SDK support, update test counts to ~1337 unit tests, add inspect-jks/inspect-pkcs12 keystore inspection targets
- ARCHITECTURE.md: replace removed KeystoreManager with KeystoreOperations in data flow diagrams; add JobCertificateParser to Services layer
…st.json
- Add generate_scripts.py: reads integration-manifest.json and regenerates all four store type scripts (kfutil + curl bash, kfutil + REST PowerShell)
- All scripts now cover all 7 store types (was 3: K8SCert, K8SSecret, K8STLSSecr)
- Remove KubeSvcCreds; set ServerRequired=true everywhere
- Add OAuth support to curl and REST scripts: KEYFACTOR_AUTH_ACCESS_TOKEN, KEYFACTOR_AUTH_CLIENT_ID/SECRET/TOKEN_URL (client credentials), and Basic auth fallback (KEYFACTOR_USERNAME/PASSWORD/DOMAIN)
- Add scripts/store_types/README.md documenting auth methods and regeneration
- Roll update_store_types.sh into Makefile as store-types-gen-scripts, store-types-create, store-types-update, and store-types-split targets
- store-types-gen-scripts prefers doctool if installed, falls back to python3
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The generator logic lives in doctool/manifest/storetype_scripts.py. The standalone script was a duplicate that would drift. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ctor.PKI directly Remove GetThumbprint, GetSubjectCN, GetSerialNumber, and ConvertToPem from CertificateUtilities — all four were single-line delegates to Keyfactor.PKI APIs (BouncyCastleX509Extensions and PemUtilities) with no added logic. All call sites now use the canonical Shared-PKI extension methods and PemUtilities.DERToPEM directly. Tests for the deleted methods are removed; remaining tests that used these methods as helpers are updated in-place. 1335/1335 tests pass. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace dynamic parameters with concrete types across StoreConfigurationParser, JobCertificateParser, and JobBase; replace switch expressions in SecretHandlerFactory with dictionary lookup tables. All dynamic CallSite branches that inflated cyclomatic complexity counts are gone. Methods affected:
- StoreConfigurationParser: Parse, ApplyKeystoreDefaults, GetPropertyOrDefault<T>, ParseBoolProperty — dynamic → IDictionary<string,object>
- JobCertificateParser.Parse + helpers — dynamic config → ManagementJobConfiguration
- JobBase: InitializeProperties, InitializeStoreCore, ApplyKeystoreDefaultsFromParser, InitJobCertificate — dynamic → typed
- SecretHandlerFactory: Create, HasHandler, GetHandlerTypeName — switch → Dictionary
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…GetKubeClient GetCertificateContext had 0% branch coverage (CRAP 156). New tests cover all branches: null CertificateEntry, null/empty chain array, chain with no explicit ChainPem (auto-computed), chain with explicit ChainPem, PEM/key field copy. KubeCertificateManagerClient.GetKubeClient (CRAP 35) is exercised through the constructor: token-auth kubeconfig, useSSL=false, base64-encoded kubeconfig, invalid CA cert data (triggers fallback branch), null/empty/non-JSON inputs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
KubeconfigParser.Parse() always throws on error — it never returns null.
The else-if ("should never happen") and else (BuildConfigFromConfigFile)
branches were dead code guarded by the k8sConfiguration != null check.
Removing them drops CC from 14 → 6 and CRAP from 137 → 26.8, clearing
the last CRAP > 30 hotspot in the codebase. Also removes the assembly-
path retrieval lines that only existed to support the dead file-path branch.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…andler no-network paths
ExceptionTests (9 tests):
- All 3 constructors for JkSisPkcs12Exception, InvalidK8SSecretException, and StoreNotFoundException — brings each class from 0/33% to 100% line coverage
CertificateChainExtractorTests (10 tests):
- Null/whitespace string inputs (lines 48-50)
- DER fallback path when PEM chain fails (lines 68-81)
- Null/empty byte[] inputs (lines 93-95)
- ExtractAndAppendUnique null/empty bytes (lines 141-142)
- ExtractFromSecretData with null secretData (lines 167-169)
- ca.crt chain append with addedCount > 0 log (line 191)
HandlerNoNetworkTests (26 tests):
- CertificateSecretHandler: AllowedKeys, SecretTypeName, SupportsManagement, HasPrivateKey, HandleAdd/HandleRemove/CreateEmptyStore throw NotSupportedException
- ClusterSecretHandler: HasPrivateKey, CreateEmptyStore, short-alias ArgumentException, unsupported inner type NotSupportedException
- NamespaceSecretHandler: same pattern as Cluster
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…vements Document GetKubeClient dead code removal (CC 14→6, CRAP 137→26.8) and the three new unit test files (exceptions, CertificateChainExtractor, handler no-network paths). Update test count to ~1397. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…h flow Document JkSisPkcs12Exception and InvalidK8SSecretException in the Error Handling section (were previously omitted). Note that GetKubeClient delegates exclusively to KubeconfigParser with no file-path fallback. Clarify the Exceptions/ directory/namespace split. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Correct test counts: 457/603 → 1397 unit + ~200 integration
- Update test structure tree to reflect actual Unit/ subdirectory layout
- Fix unit test template to use CachedCertificateProvider (not direct generation)
- Fix CertificateTestHelper section to distinguish cache vs low-level helpers
- Correct unit test runtime estimate: 3-5 min → ~17 min
- Remove stale UNIT_TEST_COMPLETION_SUMMARY.md reference
- Fix TESTING_QUICKSTART.md: MAKEFILE_TEST_TARGETS.md → MAKEFILE_GUIDE.md
- Remove hardcoded local path from quickstart
- Replace raw dotnet commands with make targets throughout
- Update CI duration estimates and coverage numbers (90.5% line / 81.6% branch)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…DME.md
Add detailed test tables for five sections missing from the catalog:
- Unit/Handlers/HandlerNoNetworkTests.cs (26 tests — handler properties, NotSupportedException, and alias-parsing ArgumentException paths)
- Unit/Services/CertificateChainExtractorTests.cs (11 tests — null/empty, DER fallback, byte arrays, ExtractAndAppendUnique, ExtractFromSecretData)
- Unit/Services/JobCertificateParserTests.cs (stub entry)
- Unit/Jobs/K8SJobCertificateTests.cs (8 tests — GetCertificateContext chain handling and PEM copy)
- Unit/Jobs/ExceptionTests.cs (9 tests — all 3 constructors of each custom exception class)
Update test counts: 1,156 unit / 1,371 total → 1,397 unit / ~1,600 total, with coverage numbers (90.5% line / 81.6% branch).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Standalone workflow_dispatch-only job that calls generate-readme.yml@feature/dotnet-doctool for isolated testing of the new .NET doctool action before it lands in the main pipeline.
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix
AI 1 day ago
To fix the problem, explicitly define permissions for the workflow so the GITHUB_TOKEN is limited to the least privilege required. Since this file only orchestrates a call to a reusable workflow and does not itself perform repository‑modifying operations, a safe, minimal default is typically contents: read. If the called reusable workflow needs broader permissions, it should declare them in its own permissions block; this file should not assume write permissions unless strictly necessary.
The single best change with minimal impact is to add a root‑level permissions block (applies to all jobs without their own permissions) directly after the name declaration and before the on: section. Concretely, in .github/workflows/keyfactor-starter-workflow.yml, insert:

    permissions:
      contents: read

on new lines 2–3, shifting the rest of the file down. No imports or additional methods are required because this is a GitHub Actions workflow YAML file, and permissions is a standard top‑level key.
| @@ -1,4 +1,6 @@ | ||
| name: Keyfactor Bootstrap Workflow | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: |
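Review bot: the root-level `contents: read` added in this hunk is the right default, but the only job in this workflow calls the generate-readme.yml reusable workflow, and a called workflow cannot raise the GITHUB_TOKEN permissions above what the caller grants; if generate-readme.yml has to commit a regenerated README it will fail under `contents: read`, so either confirm it only reads, or grant `contents: write` in that job's own `permissions:` block rather than at the root. Also check the indentation: the rendered hunk shows `contents: read` flush with `permissions:`, and it must be nested two spaces under it to parse as a child key.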
No description provided.