Merged
24 changes: 0 additions & 24 deletions .github/workflows/build-and-test.yml
@@ -25,9 +25,6 @@ jobs:
uses: ./.github/workflows/configs.yml

build-test-nodejs:
permissions:
contents: read
pull-requests: write
needs: [get-configs]
runs-on: ${{ inputs.runs-on }}
steps:
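Review bot: dropping the whole `permissions` block from `build-test-nodejs` (the removed `permissions:` / `contents: read` / `pull-requests: write` lines) leaves the job with whatever the calling workflow or the repository default grants the GITHUB_TOKEN, which can be broader than read. Removing `pull-requests: write` is the right call now that the PR-comment step is gone from this job, but keep a `permissions:` block with `contents: read` so the reusable workflow stays least-privilege no matter which caller invokes it.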
@@ -56,27 +53,6 @@ jobs:
if: runner.os != 'Windows'
run: npm run lint && npm run test

- name: Code Coverage
if: runner.os != 'Windows' && github.event_name == 'pull_request'
uses: irongut/[email protected]
with:
filename: coverage/**/cobertura-coverage.xml
badge: false
fail_below_min: false
format: markdown
hide_branch_rate: false
hide_complexity: false
indicators: true
output: both
thresholds: '80 85'

- name: Add Coverage PR Comment
if: runner.os != 'Windows' && github.event_name == 'pull_request'
uses: marocchino/sticky-pull-request-comment@v2
with:
recreate: true
path: code-coverage-results.md

build-test-go:
needs: [get-configs]
runs-on: ${{ inputs.runs-on }}
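Review bot: the two removed steps (`Code Coverage` and `Add Coverage PR Comment`) were the only consumers of `pull-requests: write` in this job, so the permission reduction in the hunk above is consistent with this change. Worth confirming that no other caller of `build-and-test.yml` still expects the coverage comment from this reusable workflow, since the `github.event_name == 'pull_request'` guard that scoped those steps to PRs disappears together with them.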
66 changes: 62 additions & 4 deletions .github/workflows/pr.yml
@@ -5,10 +5,68 @@
branches: [ main ]

jobs:
build-and-test:
uses: ./.github/workflows/build-and-test.yml
get-configs:
uses: ./.github/workflows/configs.yml

pr-build-test-nodejs:
Comment on lines +9 to +11

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

  • General fix: Add a permissions block to the get-configs job, explicitly restricting unnecessary repository access and specifying the minimum required scope.
  • Detailed fix: Since the get-configs job simply calls a reusable workflow and, based on its naming and usage, is unlikely to need write access, the minimal appropriate permissions would be contents: read. Place a permissions: block under get-configs: at the same indentation level as uses:.
  • Files/regions/lines to change: In .github/workflows/pr.yml, update lines 8–10 to insert a permissions: block with appropriate contents before the uses: line.
  • Methods/imports/definitions required: No new methods, imports, or outside definitions are needed; only a YAML block addition.

Suggested changeset 1
.github/workflows/pr.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -6,6 +6,8 @@
 
 jobs:
   get-configs:
+    permissions:
+      contents: read
     uses: ./.github/workflows/configs.yml
 
   pr-build-test-nodejs:
EOF
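Review bot: the suggested `permissions:` / `contents: read` on `get-configs` is appropriate, with one caveat: permissions declared on a job that calls a reusable workflow are the ceiling for the jobs inside `configs.yml`, so confirm that nothing there needs more than read access to `contents`. Note also that the CodeQL text above proposes `{}` as the minimal starting point while the patch grants `contents: read`; `contents: read` is the safer default if `configs.yml` checks out the repository, and it matches what `pr-build-test-nodejs` in the same diff already declares.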
needs: [get-configs]
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
with:
ref: ${{ github.sha }}
steps:
- uses: actions/checkout@v4

- name: Setup Node.js ${{ needs.get-configs.outputs.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ needs.get-configs.outputs.node-version }}
cache: 'npm'

- name: Install Dependencies
run: npm ci

- name: Build
run: npm run build

- name: Lint and Test
run: npm run lint && npm run test

- name: Code Coverage
uses: irongut/[email protected]
with:
filename: coverage/**/cobertura-coverage.xml
badge: false
fail_below_min: false
format: markdown
hide_branch_rate: false
hide_complexity: false
indicators: true
output: both
thresholds: '80 85'

- name: Add Coverage PR Comment
uses: marocchino/sticky-pull-request-comment@v2
with:
recreate: true
path: code-coverage-results.md

pr-build-test-go:
needs: [get-configs]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Setup Go ${{ needs.get-configs.outputs.go-version }}
uses: actions/setup-go@v4
with:
go-version: ${{ needs.get-configs.outputs.go-version }}
cache: true

- name: Build
shell: bash
run: GOPROXY=direct go build -C ./cfn-init ./...

- name: Test
shell: bash
run: GOPROXY=direct go test -C ./cfn-init -v -cover ./...
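Review bot: the job-level `with:` / `ref: ${{ github.sha }}` under `pr-build-test-nodejs` is not a valid key for a job that has its own `runs-on:` and `steps:`; `jobs.<id>.with` is only accepted on jobs that call a reusable workflow through `uses:`, so this workflow is likely to be rejected at parse time. If the intent is to check out a specific ref, drop the job-level `with:` and pass `ref:` to the `actions/checkout@v4` step instead. Two smaller points: `get-configs` and `pr-build-test-go` declare no `permissions:` while `pr-build-test-nodejs` does (`contents: read` plus `pull-requests: write` for the sticky comment); a workflow-level `permissions:` with `contents: read`, keeping the write scope only on the nodejs job, would close both CodeQL findings in one place. And `actions/checkout@v4`, `actions/setup-node@v4`, `actions/setup-go@v4` and `marocchino/sticky-pull-request-comment@v2` are referenced by mutable tags; pinning third-party actions to full commit SHAs is the usual supply-chain hardening for a job that holds `pull-requests: write`.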
Comment on lines +55 to +72

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

To fix this problem, we should specify a permissions block for the pr-build-test-go job, explicitly limiting the permissions granted to the GITHUB_TOKEN. Reviewing the pr-build-test-go job, none of its steps requires write access to repository contents, pull requests, or any other resource. Thus, the minimal required permission is contents: read, which allows the job to check out code but does not grant unnecessary write privileges.

You should add the following block beneath runs-on: ubuntu-latest within the pr-build-test-go job:

permissions:
  contents: read

This change is entirely localized to lines 56-57 (runs-on to first steps:) and does not interfere with existing functionality.

Suggested changeset 1
.github/workflows/pr.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -54,6 +54,8 @@
   pr-build-test-go:
     needs: [get-configs]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
 
EOF
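Review bot: the patch is correct for `pr-build-test-go`: its only token use is the `actions/checkout@v4` step, which needs `contents: read` and nothing more. Since `get-configs` receives the identical block in the other autofix, consider a single workflow-level `permissions:` with `contents: read` instead of repeating it per job; `pr-build-test-nodejs` keeps its own block because it additionally needs `pull-requests: write` for the sticky comment, and a job-level `permissions:` replaces the workflow-level one rather than merging with it.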