| uses: storyprotocol/gha-workflows/.github/workflows/reusable-timestamp.yml@main | ||
|
|
||
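Review bot: the `Timestamp` job's `uses:` references a cross-repository reusable workflow at `@main`, a mutable branch ref, so whatever lands on that branch later runs here with this workflow's token; pin it to a full commit SHA (tag noted in a trailing comment), and do the same for `actions/checkout@v4` and `actions/setup-python@v5` below, since a mutable tag gives the same exposure for a workflow that feeds the publish path.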
| lint: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 6 months ago
To fix the problem, add a permissions key at the root of the workflow file, immediately after the name and before the on block. This will apply the specified permissions to all jobs in the workflow unless overridden at the job level. Since the jobs in this workflow only check out code, run linting, tests, and upload coverage (and do not appear to require any write permissions), the minimal required permission is likely contents: read. This restricts the GITHUB_TOKEN to read-only access to repository contents, which is sufficient for these operations. If any job later requires additional permissions, they can be granted at the job level.
Steps:
- Insert a permissions: block after the name: line and before the on: block in .github/workflows/test-publish.yml.
- Set contents: read as the minimal required permission.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: test publish workflow | ||
|
|
||
| on: |
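Review bot: this hunk is the right fix and one copy of it suffices: all five alerts on this file are the same finding, so a single top-level `permissions:` with `contents: read` clears them for `lint`, `test`, `build` and `test-publish` alike. Top-level key order is not significant to Actions, so placing the block before `name:` as shown is valid, though after `on:` and before `jobs:` reads more naturally.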
| needs: Timestamp | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.12' | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install flake8 | ||
|
|
||
| - name: Run flake8 | ||
| run: | | ||
| flake8 . | ||
|
|
||
| test: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 6 months ago
To fix the problem, add a permissions block at the top level of the workflow file (.github/workflows/test-publish.yml). This block should specify the least privilege required for all jobs. For most CI workflows, contents: read is sufficient unless a job needs to write to the repository (e.g., create releases, push code, or interact with issues/pull requests). If any job requires additional permissions, you can override the top-level permissions by specifying a more permissive block at the job level. In this case, none of the shown jobs appear to require write access, so adding permissions: contents: read at the root is the best fix. Insert this block after the name: and before the on: key.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: test publish workflow | ||
|
|
||
| on: |
| needs: [Timestamp, lint] | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.9", "3.10", "3.11", "3.12"] | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
|
|
||
| - name: Cache pip dependencies | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: ~/.cache/pip | ||
| key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-pip- | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| pip install -r requirements.txt | ||
| python -m pip install --upgrade pip | ||
| pip install pytest pytest-cov | ||
|
|
||
| - name: Run tests | ||
| run: | | ||
| pytest tests/ --cov=src/ --cov-report=xml | ||
|
|
||
| - name: Upload coverage to Codecov | ||
| uses: codecov/codecov-action@v3 | ||
| with: | ||
| file: ./coverage.xml | ||
| fail_ci_if_error: false | ||
|
|
||
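Review bot: in the `Install dependencies` step, `pip install -r requirements.txt` runs before `python -m pip install --upgrade pip`, so the requirements are resolved by the runner's stock pip and the upgrade is wasted; move the upgrade to the first line. `pytest` and `pytest-cov` are installed unpinned, so pinning them (or adding them to `requirements.txt`, which the cache key already hashes) would make runs reproducible.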
| build: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 6 months ago
To fix the problem, add a permissions block to the workflow file .github/workflows/test-publish.yml. The block should be placed at the root level, above the jobs: key, so that it applies to all jobs in the workflow unless overridden. The minimal starting point is contents: read, which allows jobs to read repository contents but not write to them. This change does not affect the existing functionality of the workflow, as none of the jobs require write access to repository contents. No additional imports or definitions are needed.
| @@ -11,6 +11,8 @@ | ||
| - minor | ||
| - patch | ||
|
|
||
| permissions: | ||
| contents: read | ||
| jobs: | ||
| Timestamp: | ||
| uses: storyprotocol/gha-workflows/.github/workflows/reusable-timestamp.yml@main |
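Review bot: placing `permissions:` directly above `jobs:` as this hunk does is the conventional spot, and it matters for the `Timestamp` job in particular: a called reusable workflow's `GITHUB_TOKEN` permissions can only equal or be narrower than the calling job's, so `contents: read` at the top level also bounds `reusable-timestamp.yml`. If that workflow has to write anything, give `Timestamp` a job-level `permissions:` block rather than widening the workflow-wide default.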
| needs: [Timestamp, lint, test] | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["pypy3.9", "pypy3.10", "3.9", "3.10", "3.11", "3.12"] | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
|
|
||
| - name: Cache pip dependencies | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: ~/.cache/pip | ||
| key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-pip- | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| pip install -r requirements.txt | ||
| python -m pip install --upgrade pip | ||
| pip install setuptools wheel build | ||
|
|
||
| - name: Build package | ||
| run: python -m build | ||
|
|
||
| - name: Upload build artifacts | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: dist-${{ matrix.python-version }} | ||
| path: dist/ | ||
| retention-days: 1 | ||
|
|
||
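Review bot: `actions/upload-artifact@v3` in the `Upload build artifacts` step is deprecated (GitHub stopped accepting v3 artifact uploads on January 30, 2025) and should move to `actions/upload-artifact@v4`; the `dist-${{ matrix.python-version }}` names are already unique per matrix leg, which v4 requires. The same install-order issue as in `test` applies here: upgrade pip before installing `requirements.txt`.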
| test-publish: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 6 months ago
To fix the problem, you should add a permissions block to the workflow file, specifying the minimum required permissions for the jobs. The best way to do this is to add the block at the root level of the workflow, which will apply to all jobs unless overridden at the job level. For this workflow, the jobs only need to read repository contents (for code checkout and artifact upload), so the minimal starting point is contents: read. If any job later requires additional permissions (e.g., to create pull requests or write to issues), those can be added at the job level. The change should be made at the top of the file, after the name: and before the on: block.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: test publish workflow | ||
|
|
||
| on: |
| needs: [Timestamp, build, lint, test] | ||
| runs-on: ubuntu-latest | ||
| # This job simulates the publish process without actually publishing | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Python 3.12 | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.12" | ||
|
|
||
| - name: Cache pip dependencies | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: ~/.cache/pip | ||
| key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-pip- | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| pip install -r requirements.txt | ||
| python -m pip install --upgrade pip | ||
| pip install setuptools wheel build | ||
|
|
||
| - name: Simulate version update | ||
| env: | ||
| VERSION_TYPE: ${{ github.event.inputs.version_type }} | ||
| run: | | ||
| echo "🧪 TESTING: Would run version update with type: $VERSION_TYPE" | ||
| echo "Current branch: $(git branch --show-current)" | ||
| echo "Current commit: $(git rev-parse HEAD)" | ||
|
|
||
| # Show what would be changed | ||
| if [ -f "update_version.py" ]; then | ||
| echo "✅ update_version.py exists and is executable" | ||
| python update_version.py --help 2>/dev/null || echo "⚠️ No help available for update_version.py" | ||
| else | ||
| echo "❌ update_version.py not found" | ||
| fi | ||
|
|
||
| - name: Simulate package building | ||
| run: | | ||
| echo "🧪 TESTING: Would build package for publishing" | ||
| python -m build | ||
|
|
||
| # Validate built package | ||
| if [ -f dist/*.whl ] && [ -f dist/*.tar.gz ]; then | ||
| echo "✅ Package build successful" | ||
| ls -la dist/ | ||
| else | ||
| echo "❌ Package build failed" | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Simulate Git operations | ||
| run: | | ||
| echo "🧪 TESTING: Would perform Git operations" | ||
| echo "Current git status:" | ||
| git status --porcelain | ||
|
|
||
| echo "Would commit version changes to setup.py" | ||
| echo "Would create git tag" | ||
| echo "Would push to current branch: $(git branch --show-current)" | ||
|
|
||
| # Show what files would be committed | ||
| if [ -f "setup.py" ]; then | ||
| echo "setup.py contents:" | ||
| cat setup.py | grep -A 2 -B 2 "version=" || echo "No version field found" | ||
| fi | ||
|
|
||
| - name: Simulate PyPI publishing | ||
| run: | | ||
| echo "🚫 PyPI publishing disabled for testing" | ||
| echo "Would publish version: $(grep 'version=' setup.py | sed 's/.*version="\([^"]*\)".*/\1/' 2>/dev/null || echo 'unknown')" | ||
| echo "Would push to branch: $(git branch --show-current)" | ||
| echo "Would create tag: v$(grep 'version=' setup.py | sed 's/.*version="\([^"]*\)".*/\1/' 2>/dev/null || echo 'unknown')" | ||
|
|
||
| echo "" | ||
| echo "🎉 TEST COMPLETED SUCCESSFULLY!" | ||
| echo "This workflow simulates the publish process without making actual changes." | ||
| echo "To test the real publish workflow, use publish-package.yml on the main branch." | ||
|
|
||
| - name: Cleanup test artifacts | ||
| if: always() | ||
| run: | | ||
| echo "🧹 Cleaning up test artifacts" | ||
| rm -rf dist/ build/ *.egg-info/ | ||
| echo "Cleanup completed" |
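Review bot: in `Simulate package building`, `[ -f dist/*.whl ] && [ -f dist/*.tar.gz ]` relies on each glob expanding to exactly one path; with two or more wheels in `dist/` the test aborts with `binary operator expected` instead of reporting success, while with none it tests the literal pattern (which does fail, as intended). Use `compgen -G 'dist/*.whl' > /dev/null` (or loop over the matches) instead. Minor: `cat setup.py | grep ...` in `Simulate Git operations` can be `grep -A 2 -B 2 "version=" setup.py`, and the two identical `grep 'version=' setup.py | sed ...` pipelines in `Simulate PyPI publishing` should be run once into a variable.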
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 6 months ago
To fix the problem, add an explicit permissions block to the workflow file .github/workflows/test-publish.yml. This block should be placed at the top level of the workflow (before or after the on: block), so it applies to all jobs unless overridden. The minimal required permission for this workflow is likely contents: read, since none of the jobs require write access to repository contents, issues, or pull requests. This change will ensure that the workflow adheres to the principle of least privilege and does not inherit unnecessary permissions.
| @@ -1,5 +1,8 @@ | ||
| name: test publish workflow | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
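The five Copilot autofix comments above all address one finding: a workflow with no `permissions:` block, whose jobs therefore run with the repository's default token permissions. As an added illustration, not part of the PR or of the Copilot suggestions, the check below implements that finding's logic over a constructed workflow modelled on test-publish.yml and reports the jobs that have neither a job-level nor a top-level `permissions:`. It is a line-based scan that assumes the two-space indentation used in this file, not a full YAML parser.

```python
from typing import Dict, List

# Constructed sample modelled on test-publish.yml (not the repository's file):
# no top-level permissions block, and only `build` sets one of its own.
SAMPLE_WORKFLOW = """\
name: test publish workflow
on:
  workflow_dispatch:

jobs:
  Timestamp:
    uses: storyprotocol/gha-workflows/.github/workflows/reusable-timestamp.yml@main
  lint:
    runs-on: ubuntu-latest
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
"""

# The fixed variant: the same file with the autofix's top-level block prepended.
FIXED_WORKFLOW = "permissions:\n  contents: read\n" + SAMPLE_WORKFLOW


def jobs_without_permissions(workflow_text: str) -> List[str]:
    """Names of jobs that inherit the default token because neither the
    workflow nor the job declares `permissions:`. Relies on two-space indent
    (top-level keys at column 0, job names at 2, job keys at 4)."""
    top_level_permissions = False
    in_jobs = False
    current_job = None
    jobs: Dict[str, bool] = {}
    for line in workflow_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key = stripped.split(":", 1)[0]
        if indent == 0:                       # top-level key
            in_jobs = key == "jobs"
            current_job = None
            top_level_permissions |= key == "permissions"
        elif in_jobs and indent == 2 and stripped.endswith(":"):
            current_job = key                 # a job definition starts here
            jobs[current_job] = False
        elif in_jobs and indent == 4 and current_job and key == "permissions":
            jobs[current_job] = True          # job-level block present
    if top_level_permissions:
        return []                             # workflow-wide block covers all jobs
    return [name for name, has_block in jobs.items() if not has_block]
```

Running it on the sample flags `Timestamp` and `lint` (the called reusable workflow inherits the caller's default token too), and the fixed variant returns an empty list.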
Description
Example:
This pr adds user login function, includes:
Test Plan
Example:
Related Issue
Example: Issue #123
Notes