Skip to content
Closed
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions .github/actions/setup-cdk/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
# This product includes software developed at Datadog (https://www.datadoghq.com/).
# Copyright 2025-Present Datadog, Inc.

name: 'Setup CDK'
description: 'Sets up AWS CDK and installs shared constructs'

inputs:
node-version:
description: 'Node.js version to use'
required: false
default: '20'
aws-role-arn:
description: 'AWS IAM role ARN to assume'
required: true
aws-region:
description: 'AWS region'
required: false
default: 'eu-west-1'

runs:
using: 'composite'
steps:
- name: Set up Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: ${{ inputs.node-version }}

- name: Install CDK
shell: bash
run: npm install -g aws-cdk

- name: Install shared constructs
shell: bash
run: |
cd shared/lib/shared-constructs
npm i

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df
with:
role-to-assume: ${{ inputs.aws-role-arn }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ inputs.aws-region }}

- name: Set Commit Hash Environment Variables
shell: bash
run: |
echo "sha_short=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV"
echo "sha_full=$(git rev-parse "$GITHUB_SHA")" >> "$GITHUB_ENV"
88 changes: 88 additions & 0 deletions .github/workflows/_build-dotnet.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
# This product includes software developed at Datadog (https://www.datadoghq.com/).
# Copyright 2025-Present Datadog, Inc.

name: Build .NET

on:
workflow_call:
inputs:
dotnet-version:
description: '.NET version to use'
required: false
type: string
default: '10.0.x'
working-directory:
description: 'Working directory for the service'
required: true
type: string
solution-file:
description: 'Solution file name'
required: false
type: string
default: '*.sln'
run-integration-tests:
description: 'Whether to run integration tests'
required: false
type: boolean
default: true

jobs:
unit-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
dotnet-version: ${{ inputs.dotnet-version }}

- name: Run Unit Tests
shell: bash
run: |
cd ${{ inputs.working-directory }}/tests/Stickerlandia.UserManagement.UnitTest
dotnet test

integration-test:
Comment on lines +32 to +46

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

In general, the fix is to add an explicit permissions block that restricts the GITHUB_TOKEN to the minimum required scope. Since this workflow only checks out code and runs .NET tests, it needs only read access to repository contents (or possibly no token at all, but contents: read is the common secure baseline).

The best minimal fix without changing functionality is to add a top-level permissions block so it applies to all jobs (unit-test and integration-test). Place it after name: Build .NET and before the on: block to make the configuration clear and conventional. Set contents: read as recommended by CodeQL. No additional methods, imports, or definitions are needed in YAML; we only add that block.

Concretely, in .github/workflows/_build-dotnet.yml, insert:

permissions:
  contents: read

between line 5 (name: Build .NET) and line 7 (on:). This ensures both jobs run with a read-only GITHUB_TOKEN and resolves the CodeQL warning.

Suggested changeset 1
.github/workflows/_build-dotnet.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_build-dotnet.yml b/.github/workflows/_build-dotnet.yml
--- a/.github/workflows/_build-dotnet.yml
+++ b/.github/workflows/_build-dotnet.yml
@@ -4,6 +4,9 @@
 
 name: Build .NET
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
EOF
@@ -4,6 +4,9 @@

name: Build .NET

permissions:
contents: read

on:
workflow_call:
inputs:
Copilot is powered by AI and may make mistakes. Always verify output.
runs-on: ubuntu-latest
needs: unit-test
if: ${{ inputs.run-integration-tests }}
strategy:
matrix:
DRIVING:
- AGNOSTIC
fail-fast: false

steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
dotnet-version: ${{ inputs.dotnet-version }}

- name: Install SSL Certificates
run: dotnet dev-certs https --trust

- name: Install Azure Functions Core Tools
run: |
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg
sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-$(lsb_release -cs 2>/dev/null)-prod $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/dotnetdev.list'
sudo apt-get update
sudo apt-get install azure-functions-core-tools-4
func --version

- name: .NET Restore
shell: bash
run: |
cd ${{ inputs.working-directory }}
dotnet restore Stickerlandia.UserManagement.sln

- name: Run Integration Tests
shell: bash
env:
DRIVING: ${{ matrix.DRIVING }}
DRIVEN: AGNOSTIC
run: |
cd ${{ inputs.working-directory }}/tests/Stickerlandia.UserManagement.IntegrationTest
dotnet test --logger:"console;verbosity=detailed"
Comment on lines +47 to +88

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

In general, the fix is to explicitly specify a permissions block in the workflow (either at the root so it applies to all jobs, or per-job) that grants only what is needed. This workflow appears to only need to read repository contents (for actions/checkout) and does not interact with issues, PRs, or other write APIs, so contents: read is sufficient.

The best minimal change is to add a root-level permissions block under the name (and before on:) so it applies to both unit-test and integration-test jobs. The block should set contents: read to match CodeQL’s suggested minimal starting point. No other scopes (like pull-requests or issues) are required by any shown step. No imports or other code changes are necessary since this is a YAML workflow-only change.

Concretely, edit .github/workflows/_build-dotnet.yml and insert:

permissions:
  contents: read

between the name: Build .NET line and the on: block. This will limit the GITHUB_TOKEN for all jobs in this workflow without changing existing functionality.

Suggested changeset 1
.github/workflows/_build-dotnet.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_build-dotnet.yml b/.github/workflows/_build-dotnet.yml
--- a/.github/workflows/_build-dotnet.yml
+++ b/.github/workflows/_build-dotnet.yml
@@ -4,6 +4,9 @@
 
 name: Build .NET
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
EOF
@@ -4,6 +4,9 @@

name: Build .NET

permissions:
contents: read

on:
workflow_call:
inputs:
Copilot is powered by AI and may make mistakes. Always verify output.
84 changes: 84 additions & 0 deletions .github/workflows/_build-go.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
# This product includes software developed at Datadog (https://www.datadoghq.com/).
# Copyright 2025-Present Datadog, Inc.

name: Build Go

on:
workflow_call:
inputs:
go-version:
description: 'Go version to use'
required: false
type: string
default: '1.21'
working-directory:
description: 'Working directory for the service'
required: true
type: string
run-codeql:
description: 'Whether to run CodeQL analysis'
required: false
type: boolean
default: true

jobs:
build-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Set up Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ${{ inputs.go-version }}
cache-dependency-path: ${{ inputs.working-directory }}/go.sum

- name: Download dependencies
run: |
cd ${{ inputs.working-directory }}
go mod download

- name: Build
run: |
cd ${{ inputs.working-directory }}
go build -v ./...

- name: Run Unit Tests
run: |
cd ${{ inputs.working-directory }}
make test

- name: Run Integration Tests
run: |
cd ${{ inputs.working-directory }}
make test-integration

- name: Run Go Vet
run: |
cd ${{ inputs.working-directory }}
go vet ./...

- name: Run Go Fmt Check
run: |
cd ${{ inputs.working-directory }}
if [ "$(gofmt -s -l . | wc -l)" -gt 0 ]; then
echo "Code is not formatted properly:"
gofmt -s -l .
exit 1
fi

- name: Install CodeQL CLI
if: ${{ inputs.run-codeql }}
run: |
wget -q https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip
unzip -q codeql-linux64.zip
sudo mv codeql /opt/codeql
echo "/opt/codeql" >> $GITHUB_PATH
/opt/codeql/codeql version --format=text

- name: Create CodeQL Database
if: ${{ inputs.run-codeql }}
run: |
cd ${{ inputs.working-directory }}
codeql database create cql-db --language=go --source-root=.
Comment on lines +27 to +84

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

In general, the fix is to explicitly declare a permissions: block to restrict the default GITHUB_TOKEN permissions for this workflow/job to the minimum required. Since this workflow only checks out code and runs local Go tooling, it likely needs at most read access to repository contents, and no write permissions.

The best fix with minimal behavioural change is to add a top-level permissions: block (so it applies to all jobs in this workflow) setting contents: read. This aligns with the CodeQL recommendation and the principle of least privilege. Concretely, in .github/workflows/_build-go.yml, insert a new block after the name: Build Go line:

permissions:
  contents: read

No other changes, imports, or definitions are required, and the existing steps (checkout, Go setup, builds, tests, CodeQL CLI install) will continue to work as before.

Suggested changeset 1
.github/workflows/_build-go.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_build-go.yml b/.github/workflows/_build-go.yml
--- a/.github/workflows/_build-go.yml
+++ b/.github/workflows/_build-go.yml
@@ -4,6 +4,9 @@
 
 name: Build Go
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
EOF
@@ -4,6 +4,9 @@

name: Build Go

permissions:
contents: read

on:
workflow_call:
inputs:
Copilot is powered by AI and may make mistakes. Always verify output.
88 changes: 88 additions & 0 deletions .github/workflows/_build-java.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
# This product includes software developed at Datadog (https://www.datadoghq.com/).
# Copyright 2025-Present Datadog, Inc.

name: Build Java

on:
workflow_call:
inputs:
java-version:
description: 'Java version to use'
required: false
type: string
default: '21'
java-distribution:
description: 'Java distribution to use'
required: false
type: string
default: 'temurin'
working-directory:
description: 'Working directory for the service'
required: true
type: string
run-codeql:
description: 'Whether to run CodeQL analysis'
required: false
type: boolean
default: true
run-architecture-validation:
description: 'Whether to run architecture validation'
required: false
type: boolean
default: true

jobs:
build-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Set up JDK ${{ inputs.java-version }}
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
with:
java-version: ${{ inputs.java-version }}
distribution: ${{ inputs.java-distribution }}
cache: maven

- name: Build with Maven
run: |
cd ${{ inputs.working-directory }}
./mvnw clean package -DskipTests

- name: Run Unit Tests
run: |
cd ${{ inputs.working-directory }}
./mvnw test

- name: Run Integration Tests
run: |
cd ${{ inputs.working-directory }}
./mvnw verify -Dskip.unit.tests=true -DskipITs=false

- name: Install CodeQL CLI
if: ${{ inputs.run-codeql }}
run: |
wget -q https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip
unzip -q codeql-linux64.zip
sudo mv codeql /opt/codeql
echo "/opt/codeql" >> $GITHUB_PATH
/opt/codeql/codeql version --format=text

- name: Create CodeQL Database
if: ${{ inputs.run-codeql }}
run: |
cd ${{ inputs.working-directory }}
codeql database create cql-db --language=java --source-root=.

- name: Install CodeQL Packs
if: ${{ inputs.run-codeql }}
run: |
cd ${{ inputs.working-directory }}
codeql pack install cql-queries/

- name: Validate Architecture Rules
if: ${{ inputs.run-architecture-validation }}
run: |
cd ${{ inputs.working-directory }}
./scripts/validate-architecture.sh
Comment on lines +37 to +88

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

In general, the fix is to explicitly define a minimal permissions: block so that the GITHUB_TOKEN used in this workflow is limited to the least privileges necessary. This can be done either at the workflow root (applies to all jobs) or under the specific job. Since this workflow currently has a single job, both approaches are equivalent in effect; defining it at the root is clearer and scales better if more jobs are added later.

The single best fix here is to add a root‑level permissions: block just after the on: configuration and before jobs:. The job uses actions/checkout, which requires contents: read to fetch the repository. None of the steps writes to the repo or interacts with pull requests/issues, so contents: read is sufficient. No imports or extra definitions are needed because this is YAML configuration only. Specifically, edit .github/workflows/_build-java.yml to insert:

permissions:
  contents: read

between the on: block (lines 7–34) and the jobs: block (line 35). This constrains the GITHUB_TOKEN to read‑only contents while preserving all existing functionality.

Suggested changeset 1
.github/workflows/_build-java.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_build-java.yml b/.github/workflows/_build-java.yml
--- a/.github/workflows/_build-java.yml
+++ b/.github/workflows/_build-java.yml
@@ -32,6 +32,9 @@
         type: boolean
         default: true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
EOF
@@ -32,6 +32,9 @@
type: boolean
default: true

permissions:
contents: read

jobs:
build-and-test:
runs-on: ubuntu-latest
Copilot is powered by AI and may make mistakes. Always verify output.
60 changes: 60 additions & 0 deletions .github/workflows/_build-node.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
# This product includes software developed at Datadog (https://www.datadoghq.com/).
# Copyright 2025-Present Datadog, Inc.

name: Build Node.js

on:
workflow_call:
inputs:
node-version:
description: 'Node.js version to use'
required: false
type: string
default: '18'
working-directory:
description: 'Working directory for the service'
required: true
type: string
run-tests:
description: 'Whether to run tests'
required: false
type: boolean
default: false
run-format-check:
description: 'Whether to run format check'
required: false
type: boolean
default: true

jobs:
build-and-test:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Set up Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: ${{ inputs.node-version }}
cache: 'npm'
cache-dependency-path: ${{ inputs.working-directory }}/package-lock.json

- name: Install dependencies
run: |
cd ${{ inputs.working-directory }}
npm ci

- name: Check code formatting
if: ${{ inputs.run-format-check }}
run: |
cd ${{ inputs.working-directory }}
npx prettier --check . || echo "No prettier config found, skipping format check"

- name: Run tests
if: ${{ inputs.run-tests }}
run: |
cd ${{ inputs.working-directory }}
npm test
Loading
Loading