feat: [wild draft] try consolidate workflows#159
Conversation
f066496 to
492bacf
Compare
There was a problem hiding this comment.
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
5bb16c5 to
359fc32
Compare
359fc32 to
6ea40f4
Compare
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
|
|
||
| - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 | ||
| with: | ||
| dotnet-version: ${{ inputs.dotnet-version }} | ||
|
|
||
| - name: Run Unit Tests | ||
| shell: bash | ||
| run: | | ||
| cd ${{ inputs.working-directory }}/tests/Stickerlandia.UserManagement.UnitTest | ||
| dotnet test | ||
|
|
||
| integration-test: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
In general, the fix is to add an explicit permissions block that restricts the GITHUB_TOKEN to the minimum required scope. Since this workflow only checks out code and runs .NET tests, it needs only read access to repository contents (or possibly no token at all, but contents: read is the common secure baseline).
The best minimal fix without changing functionality is to add a top-level permissions block so it applies to all jobs (unit-test and integration-test). Place it after name: Build .NET and before the on: block to make the configuration clear and conventional. Set contents: read as recommended by CodeQL. No additional methods, imports, or definitions are needed in YAML; we only add that block.
Concretely, in .github/workflows/_build-dotnet.yml, insert:
permissions:
contents: readbetween line 5 (name: Build .NET) and line 7 (on:). This ensures both jobs run with a read-only GITHUB_TOKEN and resolves the CodeQL warning.
| @@ -4,6 +4,9 @@ | ||
|
|
||
| name: Build .NET | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: |
| runs-on: ubuntu-latest | ||
| needs: unit-test | ||
| if: ${{ inputs.run-integration-tests }} | ||
| strategy: | ||
| matrix: | ||
| DRIVING: | ||
| - AGNOSTIC | ||
| fail-fast: false | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
|
|
||
| - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 | ||
| with: | ||
| dotnet-version: ${{ inputs.dotnet-version }} | ||
|
|
||
| - name: Install SSL Certificates | ||
| run: dotnet dev-certs https --trust | ||
|
|
||
| - name: Install Azure Functions Core Tools | ||
| run: | | ||
| curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg | ||
| sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg | ||
| sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-$(lsb_release -cs 2>/dev/null)-prod $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/dotnetdev.list' | ||
| sudo apt-get update | ||
| sudo apt-get install azure-functions-core-tools-4 | ||
| func --version | ||
|
|
||
| - name: .NET Restore | ||
| shell: bash | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| dotnet restore Stickerlandia.UserManagement.sln | ||
|
|
||
| - name: Run Integration Tests | ||
| shell: bash | ||
| env: | ||
| DRIVING: ${{ matrix.DRIVING }} | ||
| DRIVEN: AGNOSTIC | ||
| run: | | ||
| cd ${{ inputs.working-directory }}/tests/Stickerlandia.UserManagement.IntegrationTest | ||
| dotnet test --logger:"console;verbosity=detailed" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
In general, the fix is to explicitly specify a permissions block in the workflow (either at the root so it applies to all jobs, or per-job) that grants only what is needed. This workflow appears to only need to read repository contents (for actions/checkout) and does not interact with issues, PRs, or other write APIs, so contents: read is sufficient.
The best minimal change is to add a root-level permissions block under the name (and before on:) so it applies to both unit-test and integration-test jobs. The block should set contents: read to match CodeQL’s suggested minimal starting point. No other scopes (like pull-requests or issues) are required by any shown step. No imports or other code changes are necessary since this is a YAML workflow-only change.
Concretely, edit .github/workflows/_build-dotnet.yml and insert:
permissions:
contents: readbetween the name: Build .NET line and the on: block. This will limit the GITHUB_TOKEN for all jobs in this workflow without changing existing functionality.
| @@ -4,6 +4,9 @@ | ||
|
|
||
| name: Build .NET | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | ||
| with: | ||
| go-version: ${{ inputs.go-version }} | ||
| cache-dependency-path: ${{ inputs.working-directory }}/go.sum | ||
|
|
||
| - name: Download dependencies | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| go mod download | ||
|
|
||
| - name: Build | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| go build -v ./... | ||
|
|
||
| - name: Run Unit Tests | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| make test | ||
|
|
||
| - name: Run Integration Tests | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| make test-integration | ||
|
|
||
| - name: Run Go Vet | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| go vet ./... | ||
|
|
||
| - name: Run Go Fmt Check | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| if [ "$(gofmt -s -l . | wc -l)" -gt 0 ]; then | ||
| echo "Code is not formatted properly:" | ||
| gofmt -s -l . | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Install CodeQL CLI | ||
| if: ${{ inputs.run-codeql }} | ||
| run: | | ||
| wget -q https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip | ||
| unzip -q codeql-linux64.zip | ||
| sudo mv codeql /opt/codeql | ||
| echo "/opt/codeql" >> $GITHUB_PATH | ||
| /opt/codeql/codeql version --format=text | ||
|
|
||
| - name: Create CodeQL Database | ||
| if: ${{ inputs.run-codeql }} | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| codeql database create cql-db --language=go --source-root=. |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
In general, the fix is to explicitly declare a permissions: block to restrict the default GITHUB_TOKEN permissions for this workflow/job to the minimum required. Since this workflow only checks out code and runs local Go tooling, it likely needs at most read access to repository contents, and no write permissions.
The best fix with minimal behavioural change is to add a top-level permissions: block (so it applies to all jobs in this workflow) setting contents: read. This aligns with the CodeQL recommendation and the principle of least privilege. Concretely, in .github/workflows/_build-go.yml, insert a new block after the name: Build Go line:
permissions:
contents: readNo other changes, imports, or definitions are required, and the existing steps (checkout, Go setup, builds, tests, CodeQL CLI install) will continue to work as before.
| @@ -4,6 +4,9 @@ | ||
|
|
||
| name: Build Go | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
|
|
||
| - name: Set up JDK ${{ inputs.java-version }} | ||
| uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | ||
| with: | ||
| java-version: ${{ inputs.java-version }} | ||
| distribution: ${{ inputs.java-distribution }} | ||
| cache: maven | ||
|
|
||
| - name: Build with Maven | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| ./mvnw clean package -DskipTests | ||
|
|
||
| - name: Run Unit Tests | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| ./mvnw test | ||
|
|
||
| - name: Run Integration Tests | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| ./mvnw verify -Dskip.unit.tests=true -DskipITs=false | ||
|
|
||
| - name: Install CodeQL CLI | ||
| if: ${{ inputs.run-codeql }} | ||
| run: | | ||
| wget -q https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip | ||
| unzip -q codeql-linux64.zip | ||
| sudo mv codeql /opt/codeql | ||
| echo "/opt/codeql" >> $GITHUB_PATH | ||
| /opt/codeql/codeql version --format=text | ||
|
|
||
| - name: Create CodeQL Database | ||
| if: ${{ inputs.run-codeql }} | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| codeql database create cql-db --language=java --source-root=. | ||
|
|
||
| - name: Install CodeQL Packs | ||
| if: ${{ inputs.run-codeql }} | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| codeql pack install cql-queries/ | ||
|
|
||
| - name: Validate Architecture Rules | ||
| if: ${{ inputs.run-architecture-validation }} | ||
| run: | | ||
| cd ${{ inputs.working-directory }} | ||
| ./scripts/validate-architecture.sh |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
In general, the fix is to explicitly define a minimal permissions: block so that the GITHUB_TOKEN used in this workflow is limited to the least privileges necessary. This can be done either at the workflow root (applies to all jobs) or under the specific job. Since this workflow currently has a single job, both approaches are equivalent in effect; defining it at the root is clearer and scales better if more jobs are added later.
The single best fix here is to add a root‑level permissions: block just after the on: configuration and before jobs:. The job uses actions/checkout, which requires contents: read to fetch the repository. None of the steps writes to the repo or interacts with pull requests/issues, so contents: read is sufficient. No imports or extra definitions are needed because this is YAML configuration only. Specifically, edit .github/workflows/_build-java.yml to insert:
permissions:
contents: readbetween the on: block (lines 7–34) and the jobs: block (line 35). This constrains the GITHUB_TOKEN to read‑only contents while preserving all existing functionality.
| @@ -32,6 +32,9 @@ | ||
| type: boolean | ||
| default: true | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build-and-test: | ||
| runs-on: ubuntu-latest |
415f51a to
2e6ee2c
Compare
2e6ee2c to
96b3271
Compare
No description provided.