37 changes: 29 additions & 8 deletions .github/workflows/build.yml
@@ -1,12 +1,36 @@
name: Rust-Build
name: Build Package CI

on:
push:
branches:
- main
branches: [main]
pull_request:
types: [opened, synchronize, reopened]
types: [opened, synchronize, opened]

Copilot AI Sep 11, 2025


The pull request trigger has 'opened' listed twice. This should be 'reopened' instead of the duplicate 'opened'.

Suggested change
types: [opened, synchronize, opened]
types: [opened, synchronize, reopened]


suggestion: Duplicate 'opened' event type in pull_request triggers.

Please remove the duplicate 'opened' event to keep the trigger list clear and concise.

Suggested change
pull_request:
types: [opened, synchronize, reopened]
types: [opened, synchronize, opened]
pull_request:
types: [opened, synchronize]

kromsten marked this conversation as resolved.
coderabbitai[bot] marked this conversation as resolved.
workflow_dispatch:
inputs:
beta_release:
description: Create beta release
type: boolean
default: false
required: false

env:
NODE_VERSION: "22"


🛠️ Refactor suggestion

Add top‑level default permissions.

Set least‑privilege defaults; override per job as needed.

 env:
   NODE_VERSION: "22"
+
+permissions:
+  contents: read
🤖 Prompt for AI Agents
In .github/workflows/build.yml around lines 16-17, add a top-level permissions
block to enforce least-privilege defaults (for example grant only the minimal
scopes like contents: read and actions: read) and then raise permissions per-job
where necessary; update the workflow YAML to include a top-level permissions:
{...} section and ensure any job that needs broader permissions explicitly
overrides it.


concurrency:
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
coderabbitai[bot] marked this conversation as resolved.

jobs:
optimize_ci:
runs-on: ubuntu-latest
outputs:
skip: ${{ steps.check_skip.outputs.skip }}
steps:
Comment on lines +23 to +25


⚠️ Potential issue

Fix outputs reference to undefined step (breaks evaluation).

steps.defaults doesn’t exist; actionlint flags it and GitHub will treat it as invalid. Default to 'false' directly.

   outputs:
-      skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }}
+      skip: ${{ steps.check_skip.outputs.skip || 'false' }}
🧰 Tools
🪛 actionlint (1.7.7)

24-24: property "defaults" is not defined in object type {check_skip: {conclusion: string; outcome: string; outputs: {string => string}}}

(expression)

🤖 Prompt for AI Agents
.github/workflows/build.yml lines 23-25: the outputs expression references a
non-existent step "steps.defaults", causing actionlint/GitHub validation to
fail; replace that reference with a literal false default so the line becomes an
OR against false (i.e. use ${{ steps.check_skip.outputs.skip || false }}),
ensuring the workflow evaluates correctly without relying on an undefined step.

- uses: withgraphite/graphite-ci-action@main

Check warning on line 29 in .github/workflows/build.yml (Codacy Production / Codacy Static Code Analysis):

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
kromsten marked this conversation as resolved.
kromsten marked this conversation as resolved.
kromsten marked this conversation as resolved.
id: check_skip
with:
graphite_token: ${{ secrets.GRAPHITE_TOKEN }}
Comment on lines +22 to +30


⚠️ Potential issue

Harden optimize_ci: pin action, add least-privilege perms, handle forks/no secret, and default skip=false.

Prevents supply-chain, missing-secret, and output issues that would block downstream jobs.

  optimize_ci:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
    outputs:
-      skip: ${{ steps.check_skip.outputs.skip }}
+      skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }}
    steps:
+      - name: Default skip=false
+        id: defaults
+        run: echo "skip=false" >> "$GITHUB_OUTPUT"
-      - uses: withgraphite/graphite-ci-action@v0.0.9
+      - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA>
+        if: ${{ secrets.GRAPHITE_TOKEN != '' }}
         id: check_skip
         with:
           graphite_token: ${{ secrets.GRAPHITE_TOKEN }}

Follow-up: replace <PINNED_COMMIT_SHA> with the exact commit SHA you trust.

🧰 Tools
🪛 GitHub Check: Codacy Static Code Analysis

[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.



[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.


Comment on lines +24 to +31


💡 Verification agent

🧩 Analysis chain

Pin external action and wire permissions; also ensure optimize_ci output is actually used.

  • withgraphite/graphite-ci-action is referenced via @main. Pin to a commit SHA for supply-chain safety.
  • Set least-privilege permissions explicitly (contents: read, pull-requests: read).
  • Right now, no downstream job depends on this output; add needs/if in other jobs.

Would you like me to open a follow-up PR to pin all third‑party actions to SHAs and add a permissions block?

   optimize_ci:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     outputs:
       skip: ${{ steps.check_skip.outputs.skip }}
     steps:
-      - uses: withgraphite/graphite-ci-action@main
+      - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA>
         id: check_skip
         with:
           graphite_token: ${{ secrets.GRAPHITE_TOKEN }}

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== SHOW: .github/workflows/build.yml (up to 400 lines) ==="
if [ -f ".github/workflows/build.yml" ]; then
  sed -n '1,400p' .github/workflows/build.yml || true
else
  echo "FILE NOT FOUND: .github/workflows/build.yml"
fi

echo
echo "=== SEARCH: occurrences of 'optimize_ci' in .github/workflows ==="
rg -n --hidden -S "optimize_ci" .github || true

echo
echo "=== SEARCH: occurrences of withgraphite action across repo ==="
rg -n --hidden -S "withgraphite/graphite-ci-action" || true

echo
echo "=== SEARCH: workflows referencing '@main' for actions under .github ==="
rg -n --hidden -S "@main" .github || true

echo
echo "=== SEARCH: any 'permissions:' blocks in .github workflows (with context) ==="
rg -n --hidden -S "permissions:" .github -C3 || true

echo
echo "=== SEARCH: references to optimize_ci outputs (needs.optimize_ci.outputs or check_skip.outputs.skip) across repo ==="
rg -n --hidden -S "needs\.optimize_ci\.outputs|check_skip\.outputs\.skip|steps\.check_skip\.outputs\.skip" || true

echo
echo "=== SEARCH: any uses of 'graphite_token' or GRAPHITE_TOKEN secret ==="
rg -n --hidden -S "GRAPHITE_TOKEN|graphite_token" || true

Length of output: 4220


Pin third‑party actions, add least‑privilege permissions, and wire optimize_ci output

  • withgraphite/graphite-ci-action@main is unpinned — pin to a commit SHA for supply‑chain safety. Also pin other @main usages (e.g., qltysh/qlty-action/coverage@main).
  • Add explicit, least‑privilege permissions to the optimize_ci job (contents: read, pull-requests: read).
  • optimize_ci.outputs.skip is not consumed by any downstream job; either make downstream jobs depend on it (needs/if) or remove the output/step.

File: .github/workflows/build.yml (optimize_ci block)

  optimize_ci:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
    outputs:
      skip: ${{ steps.check_skip.outputs.skip }}
    steps:
-      - uses: withgraphite/graphite-ci-action@main
+      - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA>
         id: check_skip
         with:
           graphite_token: ${{ secrets.GRAPHITE_TOKEN }}
🤖 Prompt for AI Agents
.github/workflows/build.yml around lines 24-33: the optimize_ci job uses
third-party actions pinned to @main, lacks least-privilege permissions, and
exposes an outputs.skip value that no downstream job consumes; update the action
references to use specific commit SHAs (replace @main with the corresponding
commit SHAs for withgraphite/graphite-ci-action and any other @main usages like
qltysh/qlty-action/coverage), add a permissions block to the optimize_ci job
with minimal rights (e.g., permissions: contents: read, pull-requests: read),
and either wire optimize_ci.outputs.skip into downstream jobs by adding needs:
optimize_ci and using if: ${{ needs.optimize_ci.outputs.skip == 'false' }} (or
similar) on consumers, or remove the outputs and the check_skip step if it is
not used.

check:
name: Check
runs-on: ubuntu-latest
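Review bot: the `concurrency.group` expression in this hunk falls back to `github.head_ref`, which is only populated for `pull_request` events; for the new `workflow_dispatch` trigger run from any branch other than main, the group collapses to `Build Package CI-` and `cancel-in-progress` evaluates to true, so two manual runs from different branches will cancel each other. Consider `github.head_ref || github.ref_name` as the fallback. Two smaller points in the same hunk: `types: [opened, synchronize, opened]` repeats `opened` where the removed line had `reopened`, and the `optimize_ci` step feeds `secrets.GRAPHITE_TOKEN` to `withgraphite/graphite-ci-action@main`, but secrets are not made available to `pull_request` runs from forks, so that step will run with an empty token on fork PRs; `@main` is also a mutable ref rather than a pinned commit.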
@@ -81,10 +105,7 @@
components: clippy

- name: Run clippy
uses: actions-rs/cargo@v1
with:
command: clippy
args: --tests -- -D warnings --message-format=json &> clippy_report.json
run: cargo clippy --message-format=json > clippy_report.json 2>&1

coderabbitai[bot] marked this conversation as resolved.
- name: Setup sonarqube
uses: warchant/setup-sonar-scanner@v3
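Review bot: the new `run: cargo clippy --message-format=json > clippy_report.json 2>&1` drops two flags the replaced `args:` line carried: `--tests`, so test code is no longer linted, and `-- -D warnings`, so clippy findings no longer fail the step (the report is still written, but the job passes). If this is meant to be a report-only step for the sonar scanner set up just below, name it that way; otherwise `cargo clippy --tests --message-format=json -- -D warnings > clippy_report.json 2>&1` keeps the old gate. Note also that `2>&1` sends cargo's `Checking ...` progress lines into the same file as the JSON diagnostics, so whatever consumes `clippy_report.json` must tolerate non-JSON lines.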


🛠️ Refactor suggestion

Pin Sonar scanner action to a commit SHA

Another third-party action that should be immutable.

-        uses: warchant/setup-sonar-scanner@v3
+        uses: warchant/setup-sonar-scanner@<PINNED_COMMIT_SHA>
🤖 Prompt for AI Agents
In .github/workflows/build.yml around line 115, the workflow uses the
third-party action via a mutable tag ("warchant/setup-sonar-scanner@v3"); change
this to an immutable commit SHA by replacing the tag with the specific commit
hash for the v3 release (e.g., "warchant/setup-sonar-scanner@<commit-sha>"),
fetching the latest commit SHA from the action's GitHub repository or release
and updating the workflow file accordingly so the action is pinned to that exact
commit.
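As an added example (not code from this PR or from the repository under review), here is a small dependency-free Python linter that mechanises the three points the reviewers keep raising across these threads: third-party `uses:` refs not pinned to a full 40-hex commit SHA, a duplicated event type in a `types:` list, and a missing top-level `permissions:` block. The workflow text embedded in it is constructed for the example and only resembles the file under review; the allowlist of owners permitted to be referenced by tag is a policy assumption, not something the page prescribes.

```python
import re

# Constructed sample workflow for this example. It is modelled on the shape of
# the file under review but is not that file: one first-party action on a tag,
# one third-party action on a mutable branch ref, one pinned to a SHA, one local
# composite action, a duplicated pull_request event type, and no top-level
# permissions block.
SAMPLE_WORKFLOW = """\
name: Build Package CI
on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, opened]
env:
  NODE_VERSION: "22"
jobs:
  optimize_ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: withgraphite/graphite-ci-action@main
      - uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-thing
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
TYPES_RE = re.compile(r"^\s*types:\s*\[([^\]]*)\]")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
# Column-0 `permissions:` only; job-level blocks are indented and do not count.
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)

# Policy assumption for this example: actions published by these owners may be
# referenced by tag; everything else must be pinned to a full commit SHA.
TRUSTED_OWNERS = frozenset({"actions", "github"})


def find_unpinned_actions(text, trusted=TRUSTED_OWNERS):
    """Return [(line_no, ref)] for third-party `uses:` refs not pinned to a 40-hex SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local composite actions and container images have no GitHub ref to pin.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        repo, _, version = ref.partition("@")
        if repo.split("/")[0] in trusted:
            continue
        if not SHA40_RE.match(version):
            findings.append((line_no, ref))
    return findings


def find_duplicate_event_types(text):
    """Return [(line_no, [dup, ...])] for `types: [...]` lists that repeat an entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = TYPES_RE.match(line)
        if not m:
            continue
        items = [t.strip() for t in m.group(1).split(",") if t.strip()]
        dups = sorted({t for t in items if items.count(t) > 1})
        if dups:
            findings.append((line_no, dups))
    return findings


def has_top_level_permissions(text):
    """True if the workflow declares a top-level `permissions:` block."""
    return TOP_LEVEL_PERMISSIONS_RE.search(text) is not None


def lint_workflow(text):
    """Collect human-readable findings; an empty list means all three checks passed."""
    messages = []
    for line_no, ref in find_unpinned_actions(text):
        messages.append(f"line {line_no}: {ref} is not pinned to a full commit SHA")
    for line_no, dups in find_duplicate_event_types(text):
        messages.append(f"line {line_no}: duplicate event type(s) {', '.join(dups)}")
    if not has_top_level_permissions(text):
        messages.append("no top-level permissions: block; GITHUB_TOKEN gets the repository default")
    return messages


if __name__ == "__main__":
    for msg in lint_workflow(SAMPLE_WORKFLOW):
        print(msg)
```

Run against a real repository with `lint_workflow(open(".github/workflows/build.yml").read())`; a non-empty result is the signal to fail a pre-merge check. The regexes deliberately stay line-oriented so the script runs without PyYAML, which is also why a `uses:` inside a YAML comment or a multi-line flow sequence is out of scope for it.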
