Conversation

@satyakigh (Collaborator)

Fix PR and CI workflow

@satyakigh satyakigh requested a review from a team as a code owner October 1, 2025 18:32
Comment on lines +9 to +11
    uses: ./.github/workflows/configs.yml

  pr-build-test-nodejs:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

  • General fix: Add a permissions block to the get-configs job, explicitly restricting unnecessary repository access and specifying the minimum required scope.
  • Detailed fix: Since the get-configs job simply calls a reusable workflow and, based on its naming and usage, is unlikely to need write access, the minimal appropriate permissions would be contents: read. Place a permissions: block under get-configs: at the same indentation level as uses:.
  • Files/regions/lines to change: In .github/workflows/pr.yml, update lines 8–10 to insert a permissions: block with appropriate contents before the uses: line.
  • Methods/imports/definitions required: No new methods, imports, or outside definitions are needed; only a YAML block addition.

Suggested changeset 1
.github/workflows/pr.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -6,6 +6,8 @@
 
 jobs:
   get-configs:
+    permissions:
+      contents: read
     uses: ./.github/workflows/configs.yml
 
   pr-build-test-nodejs:
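Review bot: the scope chosen here (`contents: read`) is wider than the `{}` CodeQL suggested as the starting point for this job. A job that only calls a reusable workflow grants the called workflow nothing beyond what is set here, so check what `./.github/workflows/configs.yml` actually does: if it only emits outputs and never checks out the repository, `permissions: {}` is the tighter setting; if it runs `actions/checkout`, keep `contents: read`. Note also that `pr-build-test-nodejs`, visible in the trailing context, gets no `permissions` block from either autofix; a workflow-level `permissions: {}` with per-job grants would cover it and any job added later.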
EOF
Comment on lines +55 to +72
    needs: [get-configs]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Go ${{ needs.get-configs.outputs.go-version }}
        uses: actions/setup-go@v4
        with:
          go-version: ${{ needs.get-configs.outputs.go-version }}
          cache: true

      - name: Build
        shell: bash
        run: GOPROXY=direct go build -C ./cfn-init ./...

      - name: Test
        shell: bash
        run: GOPROXY=direct go test -C ./cfn-init -v -cover ./...

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

To fix this problem, we should specify a permissions block for the pr-build-test-go job, explicitly limiting the permissions granted to the GITHUB_TOKEN. Reviewing the pr-build-test-go job, none of its steps requires write access to repository contents, pull requests, or any other resource. Thus, the minimal required permission is contents: read, which allows the job to check out code but does not grant unnecessary write privileges.

You should add the following block beneath runs-on: ubuntu-latest within the pr-build-test-go job:

permissions:
  contents: read

This change is entirely localized to lines 56-57 (runs-on to first steps:) and does not interfere with existing functionality.

Suggested changeset 1
.github/workflows/pr.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -54,6 +54,8 @@
   pr-build-test-go:
     needs: [get-configs]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
 
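Review bot: `contents: read` is the right floor for this job, since `actions/checkout@v4` needs it and nothing in the Setup Go, Build or Test steps writes to the repository. With the same two-line `permissions` block now repeated in each job, consider declaring `permissions: contents: read` once at the workflow level and overriding per job only where more is required, so a job added later cannot silently fall back to the default token scope.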
EOF
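A quick way to re-check the condition both CodeQL warnings describe, as an added example that is not part of this PR or project: a hypothetical Python helper that reports jobs lacking a permissions block, assuming the conventional two-space indentation used in pr.yml; its sample workflow is constructed to mirror the pre-fix shape of this PR's pr.yml.

```python
"""Report GitHub Actions jobs that still run with the default GITHUB_TOKEN
permissions (the condition CodeQL flags as "Workflow does not contain
permissions"). Hypothetical helper, not part of this project; it assumes
the conventional two-space layout (jobs at indent 2, job keys at indent 4).
"""
import re

# A mapping key at the start of a line, with its leading indentation.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):")


def jobs_missing_permissions(workflow_text: str) -> list[str]:
    """Return ids of jobs with no job-level permissions block, unless a
    workflow-level permissions block already covers every job."""
    workflow_level = False   # permissions: declared at the top level
    in_jobs = False          # currently inside the jobs: mapping
    current = None           # job id whose keys we are scanning
    has_perms: dict[str, bool] = {}
    for line in workflow_text.splitlines():
        m = KEY_RE.match(line)
        if not m:            # list items, values, comments, blank lines
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:      # top-level keys: on, jobs, permissions, ...
            in_jobs = key == "jobs"
            workflow_level |= key == "permissions"
            current = None
        elif in_jobs and indent == 2:        # a job id
            current = key
            has_perms[key] = False
        elif in_jobs and indent == 4 and key == "permissions" and current:
            has_perms[current] = True        # job-level permissions block
    if workflow_level:
        return []
    return [job for job, ok in has_perms.items() if not ok]


# Constructed sample mirroring the shape of pr.yml in this PR before the fix.
SAMPLE_PR_YML = """\
jobs:
  get-configs:
    uses: ./.github/workflows/configs.yml

  pr-build-test-go:
    needs: [get-configs]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
```

Running `jobs_missing_permissions(SAMPLE_PR_YML)` lists both jobs; applying either autofix removes that job from the list, and a top-level `permissions: {}` line empties it.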
github-actions bot commented Oct 1, 2025

| Package | Line Rate | Branch Rate | Complexity |
|---|---|---|---|
| ai | 22% | 80% | 0 |
| ai.llm | 53% | 80% | 0 |
| app | 0% | 0% | 0 |
| artifacts | 100% | 100% | 0 |
| auth | 87% | 92% | 0 |
| autocomplete | 93% | 91% | 0 |
| context | 95% | 95% | 0 |
| context.semantic | 98% | 97% | 0 |
| context.semantic.parameter | 100% | 95% | 0 |
| context.syntaxtree | 89% | 91% | 0 |
| context.syntaxtree.utils | 84% | 90% | 0 |
| datastore | 77% | 97% | 0 |
| definition | 100% | 100% | 0 |
| document | 93% | 96% | 0 |
| documentSymbol | 93% | 81% | 0 |
| handlers | 74% | 87% | 0 |
| hover | 84% | 86% | 0 |
| protocol | 96% | 100% | 0 |
| resourceState | 75% | 79% | 0 |
| schema | 88% | 87% | 0 |
| schema.transformers | 83% | 84% | 0 |
| server | 97% | 96% | 0 |
| services | 66% | 89% | 0 |
| services.cfnLint | 72% | 91% | 0 |
| services.guard | 95% | 79% | 0 |
| services.guard.assets | 81% | 77% | 0 |
| settings | 97% | 87% | 0 |
| stacks | 100% | 100% | 0 |
| telemetry | 58% | 78% | 0 |
| templates | 89% | 84% | 0 |
| utils | 91% | 93% | 0 |
| Summary | 86% (16569 / 19286) | 89% (3398 / 3820) | 0 |

@satyakigh satyakigh merged commit bb9dc2c into main Oct 1, 2025
8 checks passed
@satyakigh satyakigh deleted the workflow-fixes branch October 1, 2025 18:45