Add GitHub Action for pull request sanity tests #36
| name: Run Sanity Tests | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up environment | ||
| run: | | ||
| echo "Running sanity tests on branch: ${{ github.ref_name }}" | ||
| echo "Triggered by: ${{ github.event_name }}" | ||
| if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then | ||
| echo "Manual trigger - Log level: ${{ inputs.log_level }}" | ||
| fi | ||
|
|
||
| # Add your test setup here | ||
| # Example: Set up Python, Go, Node.js, etc. | ||
| # - name: Set up Python | ||
| # uses: actions/setup-python@v5 | ||
| # with: | ||
| # python-version: '3.11' | ||
|
|
||
| # - name: Install dependencies | ||
| # run: | | ||
| # pip install -r requirements.txt | ||
|
|
||
| - name: Run sanity tests | ||
| run: | | ||
| echo "===================================" | ||
| echo "Running Sanity Tests" | ||
| echo "===================================" | ||
|
|
||
| # TODO: Add your sanity test commands here | ||
| # Examples: | ||
| # - Basic syntax/lint checks | ||
| # - Quick unit tests | ||
| # - Container build validation | ||
| # - Configuration validation | ||
|
|
||
| # Placeholder for actual tests | ||
| echo "✓ Placeholder: Add your sanity tests here" | ||
|
|
||
| # Example test structure: | ||
| # make sanity-test | ||
| # or | ||
| # ./scripts/run-sanity-tests.sh | ||
| # or | ||
| # pytest tests/sanity/ | ||
|
|
||
| - name: Test summary | ||
| if: always() | ||
| run: | | ||
| echo "===================================" | ||
| echo "Sanity Tests Complete" | ||
| echo "===================================" | ||
| if [ $? -eq 0 ]; then | ||
| echo "✓ All sanity tests passed" | ||
| else | ||
| echo "✗ Some sanity tests failed" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Optional: Upload test results | ||
| # - name: Upload test results | ||
| # if: always() | ||
| # uses: actions/upload-artifact@v4 | ||
| # with: | ||
| # name: sanity-test-results | ||
| # path: test-results/ | ||
| # retention-days: 30 | ||
|
|
||
| # Optional: Add a check status that can be used as a required check | ||
| sanity-tests-status: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 2 months ago:
The best way to fix the problem is to explicitly set the minimum permissions required for the job or the whole workflow. In this workflow, the steps do not need any write access to the repository or other resources. Therefore, you should add a permissions block set to contents: read at either the root level (applies to all jobs unless individually overridden) or on the specific jobs if desired. The most consistent and thorough approach is to add it at the top, just under name: ..., so it applies to all jobs, unless a job truly needs elevated permissions (not the case here).
Specifically, insert the following lines after line 1:
permissions:
  contents: read
No imports or additional changes are needed, since this is a YAML workflow file, not code.
| @@ -1,4 +1,6 @@ | ||
| name: Pull Request Sanity Tests | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Run on pull requests |
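Review bot: `contents: read` at the root is the right minimum here: `actions/checkout@v4` in `sanity-tests` needs read access to the repository, and every other step in the file only runs `echo`. `sanity-tests-status` never checks out code and only reads the `needs` context, so it could additionally override with `permissions: {}` at job level.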
| name: Sanity Tests Status | ||
| runs-on: ubuntu-latest | ||
| needs: sanity-tests | ||
| if: always() | ||
| steps: | ||
| - name: Check test results | ||
| run: | | ||
| if [ "${{ needs.sanity-tests.result }}" == "success" ]; then | ||
| echo "✓ Sanity tests passed" | ||
| exit 0 | ||
| else | ||
| echo "✗ Sanity tests failed" | ||
| exit 1 | ||
| fi No newline at end of file |
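Review bot: `needs.sanity-tests.result` is compared only against `success`, so a `cancelled` or `skipped` upstream job also takes the `exit 1` branch. That is the conservative choice for a required check, but record it in a comment so a later `if:` condition that skips `sanity-tests` does not leave PRs blocked unexpectedly; the `exit 0` in the success branch is redundant. The file also ends without a trailing newline (`No newline at end of file`); add one.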
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 2 months ago:
To fix the problem, we should add a permissions block, either at the workflow root (which covers all jobs) or at the job level (e.g., for sanity-tests-status). The most secure and clear approach is to add it at the top level, immediately under the workflow name, which will apply to all jobs by default and can be overridden at the job level if needed.
Given that neither job in this workflow appears to require any special repository or API access via the GITHUB_TOKEN, we can set permissions: {} — which removes all default permissions. Alternatively, we can set very minimal permissions, such as contents: read, if at least read access is required (e.g., by actions/checkout). Since the provided workflow uses actions/checkout, which requires contents: read, it is safest and most practical to specify:
permissions:
  contents: read
This line should be added immediately after the workflow name. No imports or other definitions are necessary.
| @@ -1,4 +1,6 @@ | ||
| name: Pull Request Sanity Tests | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Run on pull requests |
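A lint for the gap both CodeQL alerts above describe, as an added example that is not the PR's code and not CodeQL's or Copilot's: it reports which scopes of a workflow lack an explicit GITHUB_TOKEN `permissions` block and applies the suggested fix of inserting `contents: read` directly after the root `name:` line. It assumes the 2-space indentation used in this file (no full YAML parser) and runs on a constructed excerpt of the workflow, not the exact file under review.

```python
from __future__ import annotations
import re

# Constructed excerpt of the workflow under review: root name, no
# permissions block, two jobs with the same names as in the PR.
WORKFLOW = """\
name: Pull Request Sanity Tests

on:
  pull_request:

jobs:
  sanity-tests:
    name: Run Sanity Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  sanity-tests-status:
    name: Sanity Tests Status
    runs-on: ubuntu-latest
    needs: sanity-tests
"""


def missing_permissions(text: str) -> list[str]:
    """Scopes with no explicit permissions: 'workflow' for the root, plus
    every job without its own block. A root block covers all jobs, so it
    short-circuits the check. Assumes root keys at column 0, job names at
    column 2 and job keys at column 4, as in the file under review."""
    lines = text.splitlines()
    if any(re.match(r"^permissions:", ln) for ln in lines):
        return []
    missing, in_jobs, job, job_has_perms = ["workflow"], False, None, {}
    for ln in lines:
        if re.match(r"^jobs:", ln):
            in_jobs = True
            continue
        if in_jobs and re.match(r"^\S", ln):  # next root key ends jobs:
            in_jobs = False
        if not in_jobs:
            continue
        m = re.match(r"^  ([\w-]+):", ln)  # a job name at column 2
        if m:
            job = m.group(1)
            job_has_perms.setdefault(job, False)
        elif job and re.match(r"^    permissions:", ln):
            job_has_perms[job] = True
    return missing + [j for j, ok in job_has_perms.items() if not ok]


def add_root_permissions(text: str, scope: str = "contents: read") -> str:
    """Apply the autofix: insert the block right after the root 'name:' line."""
    repl = rf"\1permissions:\n  {scope}\n"
    return re.sub(r"^(name:[^\n]*\n)", repl, text, count=1, flags=re.M)
```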
WIP - add GitHub Action to run sanity tests for PRs