Skip to content

feat: [wild draft] try consolidate workflows#159

Closed
scottgerring wants to merge 3 commits into
mainfrom
feat/consolidate-workflows
Closed

feat: [wild draft] try consolidate workflows#159
scottgerring wants to merge 3 commits into
mainfrom
feat/consolidate-workflows

Conversation

@scottgerring

Copy link
Copy Markdown
Member

No description provided.

@scottgerring scottgerring force-pushed the feat/consolidate-workflows branch from f066496 to 492bacf Compare January 20, 2026 12:17

@github-advanced-security github-advanced-security AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@scottgerring scottgerring force-pushed the feat/consolidate-workflows branch 2 times, most recently from 5bb16c5 to 359fc32 Compare January 20, 2026 12:44
@scottgerring scottgerring force-pushed the feat/consolidate-workflows branch from 359fc32 to 6ea40f4 Compare January 20, 2026 12:50
Comment on lines +32 to +46
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
dotnet-version: ${{ inputs.dotnet-version }}

- name: Run Unit Tests
shell: bash
run: |
cd ${{ inputs.working-directory }}/tests/Stickerlandia.UserManagement.UnitTest
dotnet test

integration-test:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

In general, the fix is to add an explicit permissions block that restricts the GITHUB_TOKEN to the minimum required scope. Since this workflow only checks out code and runs .NET tests, it needs only read access to repository contents (or possibly no token at all, but contents: read is the common secure baseline).

The best minimal fix without changing functionality is to add a top-level permissions block so it applies to all jobs (unit-test and integration-test). Place it after name: Build .NET and before the on: block to make the configuration clear and conventional. Set contents: read as recommended by CodeQL. No additional methods, imports, or definitions are needed in YAML; we only add that block.

Concretely, in .github/workflows/_build-dotnet.yml, insert:

permissions:
  contents: read

between line 5 (name: Build .NET) and line 7 (on:). This ensures both jobs run with a read-only GITHUB_TOKEN and resolves the CodeQL warning.

Suggested changeset 1
.github/workflows/_build-dotnet.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_build-dotnet.yml b/.github/workflows/_build-dotnet.yml
--- a/.github/workflows/_build-dotnet.yml
+++ b/.github/workflows/_build-dotnet.yml
@@ -4,6 +4,9 @@
 
 name: Build .NET
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
EOF
@@ -4,6 +4,9 @@

name: Build .NET

permissions:
contents: read

on:
workflow_call:
inputs:
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +47 to +88
runs-on: ubuntu-latest
needs: unit-test
if: ${{ inputs.run-integration-tests }}
strategy:
matrix:
DRIVING:
- AGNOSTIC
fail-fast: false

steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
dotnet-version: ${{ inputs.dotnet-version }}

- name: Install SSL Certificates
run: dotnet dev-certs https --trust

- name: Install Azure Functions Core Tools
run: |
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg
sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-$(lsb_release -cs 2>/dev/null)-prod $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/dotnetdev.list'
sudo apt-get update
sudo apt-get install azure-functions-core-tools-4
func --version

- name: .NET Restore
shell: bash
run: |
cd ${{ inputs.working-directory }}
dotnet restore Stickerlandia.UserManagement.sln

- name: Run Integration Tests
shell: bash
env:
DRIVING: ${{ matrix.DRIVING }}
DRIVEN: AGNOSTIC
run: |
cd ${{ inputs.working-directory }}/tests/Stickerlandia.UserManagement.IntegrationTest
dotnet test --logger:"console;verbosity=detailed"

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

In general, the fix is to explicitly specify a permissions block in the workflow (either at the root so it applies to all jobs, or per-job) that grants only what is needed. This workflow appears to only need to read repository contents (for actions/checkout) and does not interact with issues, PRs, or other write APIs, so contents: read is sufficient.

The best minimal change is to add a root-level permissions block under the name (and before on:) so it applies to both unit-test and integration-test jobs. The block should set contents: read to match CodeQL’s suggested minimal starting point. No other scopes (like pull-requests or issues) are required by any shown step. No imports or other code changes are necessary since this is a YAML workflow-only change.

Concretely, edit .github/workflows/_build-dotnet.yml and insert:

permissions:
  contents: read

between the name: Build .NET line and the on: block. This will limit the GITHUB_TOKEN for all jobs in this workflow without changing existing functionality.

Suggested changeset 1
.github/workflows/_build-dotnet.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_build-dotnet.yml b/.github/workflows/_build-dotnet.yml
--- a/.github/workflows/_build-dotnet.yml
+++ b/.github/workflows/_build-dotnet.yml
@@ -4,6 +4,9 @@
 
 name: Build .NET
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
EOF
@@ -4,6 +4,9 @@

name: Build .NET

permissions:
contents: read

on:
workflow_call:
inputs:
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +27 to +84
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Set up Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ${{ inputs.go-version }}
cache-dependency-path: ${{ inputs.working-directory }}/go.sum

- name: Download dependencies
run: |
cd ${{ inputs.working-directory }}
go mod download

- name: Build
run: |
cd ${{ inputs.working-directory }}
go build -v ./...

- name: Run Unit Tests
run: |
cd ${{ inputs.working-directory }}
make test

- name: Run Integration Tests
run: |
cd ${{ inputs.working-directory }}
make test-integration

- name: Run Go Vet
run: |
cd ${{ inputs.working-directory }}
go vet ./...

- name: Run Go Fmt Check
run: |
cd ${{ inputs.working-directory }}
if [ "$(gofmt -s -l . | wc -l)" -gt 0 ]; then
echo "Code is not formatted properly:"
gofmt -s -l .
exit 1
fi

- name: Install CodeQL CLI
if: ${{ inputs.run-codeql }}
run: |
wget -q https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip
unzip -q codeql-linux64.zip
sudo mv codeql /opt/codeql
echo "/opt/codeql" >> $GITHUB_PATH
/opt/codeql/codeql version --format=text

- name: Create CodeQL Database
if: ${{ inputs.run-codeql }}
run: |
cd ${{ inputs.working-directory }}
codeql database create cql-db --language=go --source-root=.

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

In general, the fix is to explicitly declare a permissions: block to restrict the default GITHUB_TOKEN permissions for this workflow/job to the minimum required. Since this workflow only checks out code and runs local Go tooling, it likely needs at most read access to repository contents, and no write permissions.

The best fix with minimal behavioural change is to add a top-level permissions: block (so it applies to all jobs in this workflow) setting contents: read. This aligns with the CodeQL recommendation and the principle of least privilege. Concretely, in .github/workflows/_build-go.yml, insert a new block after the name: Build Go line:

permissions:
  contents: read

No other changes, imports, or definitions are required, and the existing steps (checkout, Go setup, builds, tests, CodeQL CLI install) will continue to work as before.

Suggested changeset 1
.github/workflows/_build-go.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_build-go.yml b/.github/workflows/_build-go.yml
--- a/.github/workflows/_build-go.yml
+++ b/.github/workflows/_build-go.yml
@@ -4,6 +4,9 @@
 
 name: Build Go
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
EOF
@@ -4,6 +4,9 @@

name: Build Go

permissions:
contents: read

on:
workflow_call:
inputs:
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +37 to +88
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Set up JDK ${{ inputs.java-version }}
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
with:
java-version: ${{ inputs.java-version }}
distribution: ${{ inputs.java-distribution }}
cache: maven

- name: Build with Maven
run: |
cd ${{ inputs.working-directory }}
./mvnw clean package -DskipTests

- name: Run Unit Tests
run: |
cd ${{ inputs.working-directory }}
./mvnw test

- name: Run Integration Tests
run: |
cd ${{ inputs.working-directory }}
./mvnw verify -Dskip.unit.tests=true -DskipITs=false

- name: Install CodeQL CLI
if: ${{ inputs.run-codeql }}
run: |
wget -q https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip
unzip -q codeql-linux64.zip
sudo mv codeql /opt/codeql
echo "/opt/codeql" >> $GITHUB_PATH
/opt/codeql/codeql version --format=text

- name: Create CodeQL Database
if: ${{ inputs.run-codeql }}
run: |
cd ${{ inputs.working-directory }}
codeql database create cql-db --language=java --source-root=.

- name: Install CodeQL Packs
if: ${{ inputs.run-codeql }}
run: |
cd ${{ inputs.working-directory }}
codeql pack install cql-queries/

- name: Validate Architecture Rules
if: ${{ inputs.run-architecture-validation }}
run: |
cd ${{ inputs.working-directory }}
./scripts/validate-architecture.sh

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

In general, the fix is to explicitly define a minimal permissions: block so that the GITHUB_TOKEN used in this workflow is limited to the least privileges necessary. This can be done either at the workflow root (applies to all jobs) or under the specific job. Since this workflow currently has a single job, both approaches are equivalent in effect; defining it at the root is clearer and scales better if more jobs are added later.

The single best fix here is to add a root‑level permissions: block just after the on: configuration and before jobs:. The job uses actions/checkout, which requires contents: read to fetch the repository. None of the steps writes to the repo or interacts with pull requests/issues, so contents: read is sufficient. No imports or extra definitions are needed because this is YAML configuration only. Specifically, edit .github/workflows/_build-java.yml to insert:

permissions:
  contents: read

between the on: block (lines 7–34) and the jobs: block (line 35). This constrains the GITHUB_TOKEN to read‑only contents while preserving all existing functionality.

Suggested changeset 1
.github/workflows/_build-java.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_build-java.yml b/.github/workflows/_build-java.yml
--- a/.github/workflows/_build-java.yml
+++ b/.github/workflows/_build-java.yml
@@ -32,6 +32,9 @@
         type: boolean
         default: true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
EOF
@@ -32,6 +32,9 @@
type: boolean
default: true

permissions:
contents: read

jobs:
build-and-test:
runs-on: ubuntu-latest
Copilot is powered by AI and may make mistakes. Always verify output.
@scottgerring scottgerring force-pushed the feat/consolidate-workflows branch 2 times, most recently from 415f51a to 2e6ee2c Compare January 20, 2026 14:19
@scottgerring scottgerring force-pushed the feat/consolidate-workflows branch from 2e6ee2c to 96b3271 Compare January 20, 2026 14:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants