Conversation

@guillaumejparis
Member

Proposed changes

Testing Instructions

  1. Step-by-step how to test
  2. Environment or config notes

Related issues

  • Closes #ISSUE-NUMBER

Checklist

  • I consider the submitted work as finished
  • I tested the code for its functionality
  • I wrote test cases for the relevant use cases
  • I added/updated the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality
  • For a bug fix -> I implemented a test that covers the bug

Further comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...

Comment on lines +8 to +20
    runs-on: ubuntu-latest
    steps:
      - name: "Generate a token"
        id: generate-token
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.OPENAEV_PR_CHECKS_APP_ID }}
          private-key: ${{ secrets.OPENAEV_PR_CHECKS_PRIVATE_KEY }}
      - name: "Validate PR title and create check"
        uses: FiligranHQ/filigran-ci-tools/actions/pr-title-check@v1
        with:
          token: ${{ steps.generate-token.outputs.token }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{}}

Copilot Autofix

AI 15 days ago

To fix the problem, explicitly define a least-privilege permissions block for this workflow or for the specific job. Since the job appears only to read repository data and use a GitHub App token, it should not need write access via GITHUB_TOKEN. A safe baseline is to set permissions: contents: read at the workflow level, which applies to all jobs.

The best fix with minimal functional impact is to add a permissions section at the top level of .github/workflows/oaev_shared_validate_pr_title.yml, between the on: block and jobs:. This will constrain the default GITHUB_TOKEN to read-only repository contents, which is typically sufficient for actions that just validate PR metadata and report via a separate app token. No new imports or external dependencies are needed; it is a pure YAML configuration change.

Concretely:

  • In .github/workflows/oaev_shared_validate_pr_title.yml, insert:
permissions:
  contents: read
  • Place it after the on: block (after line 5 in the snippet) and before jobs: (line 6), keeping indentation consistent (no extra indentation for a top-level key).
Suggested changeset 1
.github/workflows/oaev_shared_validate_pr_title.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/oaev_shared_validate_pr_title.yml b/.github/workflows/oaev_shared_validate_pr_title.yml
--- a/.github/workflows/oaev_shared_validate_pr_title.yml
+++ b/.github/workflows/oaev_shared_validate_pr_title.yml
@@ -3,6 +3,8 @@
   pull_request:
     branches: [master, release/current]
     types: [opened, edited, reopened, ready_for_review, synchronize]
+permissions:
+  contents: read
 jobs:
   validate-pr-title:
     runs-on: ubuntu-latest
EOF
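Review bot: adding `permissions:` with only `contents: read` as a top-level key between the `on:` block and `jobs:` is the right least-privilege baseline for this workflow, because the `validate-pr-title` job obtains whatever write capability it needs from the GitHub App token created in its first step rather than from `GITHUB_TOKEN`. Before merging, confirm that no step in the job still relies on the default token for `checks: write` or `pull-requests: write`; if one does, grant that single scope in a job-level `permissions:` block instead of widening this workflow-level one, since a workflow-level block is inherited by every job that does not declare its own. The hunk header `@@ -3,6 +3,8 @@` is consistent with the two added lines.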
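To find the same gap the CodeQL alert reports across other workflow files, here is an added example (not the project's own code nor Copilot's) that scans a workflow for a missing `permissions:` block and, going a step beyond the fix above, also accepts per-job blocks as satisfying the rule. The sample workflows are constructed, the `actions/checkout@v4` step is only a placeholder, and the line-based parsing assumes the two-space indentation used in this workflow.

```python
"""Flag workflows that leave GITHUB_TOKEN at its default (broad) scope.
Mirrors the CodeQL "Workflow does not contain permissions" rule: a workflow passes
if it has a top-level permissions block, or if every job under jobs: has its own.
Assumes two-space indentation as in the workflow above (an assumption); this is a
line-based check, not a general YAML parser.
"""
import re

TOP_KEY = re.compile(r"^([\w-]+):")        # key at column 0 (workflow level)
JOB_ID = re.compile(r"^  ([\w-]+):")       # key at indent 2 under jobs: (a job id)
JOB_FIELD = re.compile(r"^    ([\w-]+):")  # key at indent 4 (one of a job's fields)

def jobs_missing_permissions(workflow_yaml: str) -> list[str]:
    """Return the job ids whose token scope is not pinned; [] means the rule is satisfied."""
    top_level = False   # saw a workflow-level permissions: block
    in_jobs = False     # currently inside the jobs: mapping
    current = None      # job id being scanned
    scoped: dict[str, bool] = {}  # job id -> has its own permissions: block
    for raw in workflow_yaml.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments and trailing space
        if not line.strip():
            continue
        if m := TOP_KEY.match(line):
            in_jobs = m.group(1) == "jobs"
            current = None
            top_level = top_level or m.group(1) == "permissions"
        elif in_jobs and (m := JOB_ID.match(line)):
            current = m.group(1)
            scoped[current] = False
        elif in_jobs and current and (m := JOB_FIELD.match(line)):
            scoped[current] = scoped[current] or m.group(1) == "permissions"
    if top_level:  # a workflow-level block applies to every job
        return []
    return [job for job, ok in scoped.items() if not ok]

# Constructed sample shaped like the workflow above, before the autofix.
BEFORE = """\
on:
  pull_request:
    types: [opened, edited]
jobs:
  validate-pr-title:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
# After the autofix: a top-level block pins GITHUB_TOKEN to read-only contents.
AFTER = BEFORE.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)
# Generalisation: a per-job block satisfies the rule for that job only.
PER_JOB = BEFORE + "  release:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: write\n"
```

Running `jobs_missing_permissions` over each sample returns the unpinned job ids, so a non-empty list is the finding to act on.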
@codecov

codecov bot commented Jan 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.18%. Comparing base (ce655e2) to head (e69f5e3).

Additional details and impacted files
@@            Coverage Diff            @@
##             master    #4730   +/-   ##
=========================================
  Coverage     55.18%   55.18%           
  Complexity     4301     4301           
=========================================
  Files           972      972           
  Lines         28899    28899           
  Branches       2119     2119           
=========================================
  Hits          15949    15949           
  Misses        12011    12011           
  Partials        939      939           

