16 changes: 16 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,16 @@
name: CodeQL

on:
workflow_dispatch:
push:
branches:
- main
- master
- develop
pull_request:

jobs:
analyse:
name: Call Ledger CodeQL analysis
uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1
secrets: inherit
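Review bot: the workflow declares no `permissions:` block, so the GITHUB_TOKEN given to the `analyse` job gets the repository's default scope instead of the least privilege this job needs; add a workflow-level block such as `permissions:` / `contents: read` / `security-events: write` (the scope a CodeQL results upload requires, and what the scanner warning on these lines asks for) ahead of `jobs:`. Two further points on the `uses:` and `secrets:` lines: `reusable_codeql_checks.yml@v1` references a mutable tag, so pin the reusable workflow to a full-length commit SHA (keeping `# v1` as a trailing comment) so that a moved tag cannot silently change what runs; and `secrets: inherit` forwards every repository and organisation secret to the called workflow, so confirm it actually needs more than the token before handing it the whole set.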
Check warning on lines +14 to +16 (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 2 months ago)

In general, this should be fixed by explicitly specifying a minimal permissions block either at the workflow root (applies to all jobs) or on the specific job. For a CodeQL analysis workflow that only needs to read the code and upload results, the recommended least-privilege baseline is to grant read access to repository contents and security events, and (if needed) write access only where uploading security results is required.

The single best fix here, without altering behavior, is to add a workflow-level permissions block after the on: section and before jobs:. A conservative, widely recommended configuration for CodeQL is:

permissions:
  contents: read
  security-events: write

This allows the workflow to read the repository contents and upload CodeQL results as security events, while preventing broader write access with GITHUB_TOKEN. Concretely, in .github/workflows/codeql.yml, insert these three lines between the existing pull_request: block (line 10–11) and the jobs: block (line 12). No imports or additional definitions are required.

Suggested changeset 1: .github/workflows/codeql.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -9,6 +9,10 @@
       - develop
   pull_request:
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyse:
     name: Call Ledger CodeQL analysis
EOF
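Review bot: a caller-level `permissions:` block is an upper bound on what the called reusable workflow's jobs can use, so `contents: read` plus `security-events: write` is the right minimum only if reusable_codeql_checks.yml needs nothing else: a CodeQL SARIF upload needs `security-events: write`, but a step that comments on the pull request would additionally need `pull-requests: write` and would fail with "Resource not accessible by integration" under this block. Check the called workflow's documented requirements before applying. Note also that the suggested placement (between `pull_request:` and `jobs:`) differs from the unit-tests suggestion, which puts the block before `on:`; either is valid YAML, but use one placement across the three files.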
16 changes: 16 additions & 0 deletions .github/workflows/ragger-tests.yml
@@ -0,0 +1,16 @@
name: Ragger Tests

on:
workflow_dispatch:
push:
branches:
- main
- master
- develop
pull_request:

jobs:
ragger_tests:
name: Ragger Tests
uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_ragger_tests.yml@v1
secrets: inherit
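Review bot: same gap as codeql.yml: no `permissions:` block, so the `ragger_tests` job runs with the repository's default GITHUB_TOKEN scope; for a job that only calls a test workflow, a workflow-level `permissions:` / `contents: read` is the right baseline, widened only if the reusable workflow documents that it needs more. The `@v1` reference and `secrets: inherit` carry the same caveats as in codeql.yml: pin `reusable_ragger_tests.yml` to a commit SHA, and pass only the secrets the tests actually use (an explicit `secrets:` map of named entries) rather than inheriting the whole set.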
Check warning on lines +14 to +16 (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 2 months ago)

In general, the fix is to add an explicit permissions: block either at the workflow root (applies to all jobs) or under the specific job, granting only the minimal scopes required. Since this job simply invokes a reusable workflow and no direct write operations are visible here, a safe minimal default is contents: read, which matches GitHub's recommended read-only scope for most CI jobs.

The best targeted fix without changing existing functionality is to add a workflow-level permissions: block after the on: section (lines 3–10) and before jobs: (line 12). This will apply to ragger_tests and any future jobs unless they override it, and it clearly documents that the workflow should only read repository contents. No imports or additional methods are required; this is purely a YAML configuration change in .github/workflows/ragger-tests.yml.

Suggested changeset 1: .github/workflows/ragger-tests.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ragger-tests.yml b/.github/workflows/ragger-tests.yml
--- a/.github/workflows/ragger-tests.yml
+++ b/.github/workflows/ragger-tests.yml
@@ -9,6 +9,9 @@
       - develop
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   ragger_tests:
     name: Ragger Tests
EOF
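Review bot: `contents: read` alone is the right read-only baseline for a test job, but because the caller's block caps the called workflow's permissions, apply it only after checking that reusable_ragger_tests.yml does not rely on GITHUB_TOKEN for writes (check runs, pull request comments); if it does, grant that single scope explicitly here rather than leaving the workflow with no `permissions:` block at all.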
16 changes: 16 additions & 0 deletions .github/workflows/unit-tests.yml
@@ -0,0 +1,16 @@
name: Unit Tests

on:
workflow_dispatch:
push:
branches:
- main
- master
- develop
pull_request:

jobs:
unit_tests:
name: Unit Tests
uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1
secrets: inherit
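Review bot: the third workflow with the same shape and the same omission: no `permissions:` block, a mutable `@v1` reference and blanket `secrets: inherit`. Fix all three files the same way (a workflow-level `permissions:` with `contents: read`, a SHA-pinned `uses:`, and only the secrets the called workflow needs) so a reviewer can diff them against each other. Since `pull_request` runs from forks never receive repository secrets or a write-capable token anyway, the extra scope mainly matters for pushes to `main`, `master` and `develop` and for manual `workflow_dispatch` runs, which is where a compromised or mis-tagged reusable workflow would have something to use.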
Check warning on lines +14 to +16 (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 2 months ago)

In general, the fix is to declare an explicit permissions: block either at the root of the workflow (applies to all jobs) or under the specific job, granting only the minimal access needed. For a typical unit test workflow that does not need to write to the repo, a safe baseline is contents: read. If the reusable workflow needs more granular permissions (e.g., to comment on PRs), those can be added there, but we should not assume them here without seeing that file.

The single best minimal fix without changing functionality is to add a root-level permissions: block right under the name: (or under on:) that sets the GITHUB_TOKEN to read-only for repository contents. This will apply to unit_tests and any future jobs unless they override it. Concretely, in .github/workflows/unit-tests.yml, insert:

permissions:
  contents: read

between the existing name: Unit Tests line and the on: block (or directly above jobs:; both are valid). No additional imports, methods, or definitions are required since this is a YAML configuration change only.

Suggested changeset 1: .github/workflows/unit-tests.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -1,5 +1,8 @@
 name: Unit Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
EOF
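Review bot: placing `permissions:` between `name:` and `on:` is valid and has the same effect as placing it after `on:` (top-level keys in a workflow file are unordered), but the sibling suggestions for codeql.yml and ragger-tests.yml insert the block just before `jobs:`; pick one spot for all three workflows so their headers stay identical and easy to compare. `contents: read` here also caps what reusable_unit_tests.yml can do with GITHUB_TOKEN, so confirm the called workflow needs no write scope before merging.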