196 changes: 99 additions & 97 deletions .github/workflows/build-and-test.yml
@@ -1,111 +1,113 @@
name: Lint, build, test, deploy and tag

on:
push:
branches:
- main
paths-ignore:
- "documentation/**"
push:
branches:
- main
paths-ignore:
- "documentation/**"

pull_request:
branches: [main]
types: [opened, synchronize]
paths-ignore:
- "documentation/**"
pull_request:
branches: [main]
types: [opened, synchronize]
paths-ignore:
- "documentation/**"
jobs:
Lint-Build-Test:
runs-on: ubuntu-22.04
environment: testing
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: "20"
Lint-Build-Test:
runs-on: ubuntu-22.04
environment: testing
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: "20"

- name: Install dependencies for frontend
run: cd frontend && npm install && cd ..
- name: Install dependencies for frontend
run: cd frontend && npm install && cd ..

- name: Install dependencies for backend
run: cd backend && npm install && cd ..
- name: Install dependencies for backend
run: cd backend && npm install && cd ..

- name: Lint frontend
run: cd frontend && npm run lint && cd ..
- name: Lint frontend
run: cd frontend && npm run lint && cd ..

- name: Lint backend
run: cd backend && npm run lint && cd ..
- name: Lint backend
run: cd backend && npm run lint && cd ..

- name: Build frontend
run: cd frontend && npm run build:testing
env:
VITE_MAPBOX_API: ${{ secrets.VITE_MAPBOX_API }}
VITE_FIREBASE_TESTING_API_KEY: ${{ secrets.VITE_FIREBASE_TESTING_API_KEY }}
VITE_FIREBASE_TESTING_AUTH_DOMAIN: ${{ secrets.VITE_FIREBASE_TESTING_AUTH_DOMAIN }}
VITE_FIREBASE_TESTING_PROJECT_ID: ${{ secrets.VITE_FIREBASE_TESTING_PROJECT_ID }}
VITE_FIREBASE_TESTING_STORAGE_BUCKET: ${{ secrets.VITE_FIREBASE_TESTING_STORAGE_BUCKET }}
VITE_FIREBASE_TESTING_MESSAGING_SENDER_ID: ${{ secrets.VITE_FIREBASE_TESTING_MESSAGING_SENDER_ID }}
VITE_FIREBASE_TESTING_APP_ID: ${{ secrets.VITE_FIREBASE_TESTING_APP_ID }}
MODE: testing
- name: Build frontend
run: cd frontend && npm run build:testing
env:
VITE_MAPBOX_API: ${{ secrets.VITE_MAPBOX_API }}
VITE_FIREBASE_TESTING_API_KEY: ${{ secrets.VITE_FIREBASE_TESTING_API_KEY }}
VITE_FIREBASE_TESTING_AUTH_DOMAIN: ${{ secrets.VITE_FIREBASE_TESTING_AUTH_DOMAIN }}
VITE_FIREBASE_TESTING_PROJECT_ID: ${{ secrets.VITE_FIREBASE_TESTING_PROJECT_ID }}
VITE_FIREBASE_TESTING_STORAGE_BUCKET: ${{ secrets.VITE_FIREBASE_TESTING_STORAGE_BUCKET }}
VITE_FIREBASE_TESTING_MESSAGING_SENDER_ID: ${{ secrets.VITE_FIREBASE_TESTING_MESSAGING_SENDER_ID }}
VITE_FIREBASE_TESTING_APP_ID: ${{ secrets.VITE_FIREBASE_TESTING_APP_ID }}
MODE: testing

- name: Build backend
run: cd backend && npm run build:testing
env:
NODE_ENV: test
MONGODB_TESTING_URI: ${{secrets.MONGODB_TEST_URI}}
SECRET: ${{ secrets.SECRET }}
PORT: ${{ secrets.PORT }}
FIREBASE_TESTING_CLIENT_EMAIL: ${{ secrets.FIREBASE_CLIENT_EMAIL }}
FIREBASE_TESTING_PRIVATE_KEY: ${{ secrets.FIREBASE_PRIVATE_KEY }}
FIREBASE_TESTING_PROJECT_ID: ${{ secrets.FIREBASE_PROJECT_ID }}
- name: Build backend
run: cd backend && npm run build:testing
env:
NODE_ENV: test
MONGODB_TESTING_URI: ${{secrets.MONGODB_TEST_URI}}
SECRET: ${{ secrets.SECRET }}
PORT: ${{ secrets.PORT }}
FIREBASE_TESTING_CLIENT_EMAIL: ${{ secrets.FIREBASE_CLIENT_EMAIL }}
FIREBASE_TESTING_PRIVATE_KEY: ${{ secrets.FIREBASE_PRIVATE_KEY }}
FIREBASE_TESTING_PROJECT_ID: ${{ secrets.FIREBASE_PROJECT_ID }}

- name: Start backend
run: |
cd backend && npm run start:built-testing &
for i in {1..50}; do
if curl --silent --fail http://localhost:${{ secrets.PORT }}/api/testing/reset > /dev/null; then
sleep 1
echo "Backend started"
break
fi
echo "Waiting for backend..."
sleep 1
done
env:
NODE_ENV: testing
MONGODB_TESTING_URI: ${{secrets.MONGODB_TEST_URI}}
SECRET: ${{ secrets.SECRET }}
PORT: ${{ secrets.PORT }}
FIREBASE_TESTING_CLIENT_EMAIL: ${{ secrets.FIREBASE_CLIENT_EMAIL }}
FIREBASE_TESTING_PRIVATE_KEY: ${{ secrets.FIREBASE_PRIVATE_KEY }}
FIREBASE_TESTING_PROJECT_ID: ${{ secrets.FIREBASE_PROJECT_ID }}
- name: Start backend
run: |
cd backend && npm run start:built-testing &
for i in {1..50}; do
if curl --silent --fail http://localhost:${{ secrets.PORT }}/api/testing/reset > /dev/null; then
sleep 1
echo "Backend started"
break
fi
echo "Waiting for backend..."
sleep 1
done
env:
NODE_ENV: testing
MONGODB_TESTING_URI: ${{secrets.MONGODB_TEST_URI}}
SECRET: ${{ secrets.SECRET }}
PORT: ${{ secrets.PORT }}
FIREBASE_TESTING_CLIENT_EMAIL: ${{ secrets.FIREBASE_CLIENT_EMAIL }}
FIREBASE_TESTING_PRIVATE_KEY: ${{ secrets.FIREBASE_PRIVATE_KEY }}
FIREBASE_TESTING_PROJECT_ID: ${{ secrets.FIREBASE_PROJECT_ID }}

- name: Cypress E2E tests
uses: cypress-io/github-action@v5
with:
working-directory: frontend
command: npm run cy:e2e
wait-on: ${{ secrets.CYPRESS_BASE_URL }}
env:
CYPRESS_TEST_EMAIL: ${{ secrets.CYPRESS_TEST_EMAIL }}
CYPRESS_BASE_URL: ${{ secrets.CYPRESS_BASE_URL }}
Deploy:
name: Deploy to Render
needs: Lint-Build-Test
runs-on: ubuntu-latest
environment: testing
if: ${{ github.event_name == 'push' && contains(github.event.head_commit.message, '#DEPLOY') }}
steps:
- name: Trigger deployment
run: curl ${{ secrets.RENDER_DEPLOY_URL }}
- name: Cypress E2E tests
uses: cypress-io/github-action@v5
with:
working-directory: frontend
command: npm run cy:e2e
wait-on: ${{ secrets.CYPRESS_BASE_URL }}
env:
CYPRESS_TEST_EMAIL: ${{ secrets.CYPRESS_TEST_EMAIL }}
CYPRESS_BASE_URL: ${{ secrets.CYPRESS_BASE_URL }}

Tag:
runs-on: ubuntu-latest
needs: Lint-Build-Test
if: ${{ github.event_name == 'push' && contains(github.event.head_commit.message, '#RELEASE') }}
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- uses: anothrNick/github-tag-action@1.67.0
name: Bump version and push tag
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DEFAULT_BUMP: patch
# now in our own VPS :)
# Deploy:
# name: Deploy to Render
# needs: Lint-Build-Test
# runs-on: ubuntu-latest
# environment: testing
# if: ${{ github.event_name == 'push' && contains(github.event.head_commit.message, '#DEPLOY') }}
# steps:
# - name: Trigger deployment
# run: curl ${{ secrets.RENDER_DEPLOY_URL }}

Tag:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

In general, the problem is fixed by adding an explicit permissions: block that grants only the minimal GITHUB_TOKEN scopes needed. This can be defined at the top level of the workflow (applying to all jobs) and overridden per-job where broader access is required.

For this workflow, the Lint-Build-Test job does not perform any repository writes; it only checks out code, installs dependencies, builds, and runs tests. It therefore only needs contents: read. The Tag job uses anothrNick/github-tag-action to create and push tags; this job needs contents: write. The best fix while preserving current behavior is:

  • Add a root-level permissions: block after name: (line 1) setting contents: read. This will apply to all jobs by default.
  • Add a permissions: block under the Tag: job (around line 103) specifying contents: write so that the tag action can still push tags.

No additional imports or methods are required; this is a pure workflow YAML change confined to .github/workflows/build-and-test.yml.

Suggested changeset 1
.github/workflows/build-and-test.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -1,4 +1,6 @@
 name: Lint, build, test, deploy and tag
+permissions:
+  contents: read
 
 on:
   push:
@@ -104,6 +106,8 @@
     runs-on: ubuntu-latest
     needs: Lint-Build-Test
     if: ${{ github.event_name == 'push' && contains(github.event.head_commit.message, '#RELEASE') }}
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
EOF
@@ -1,4 +1,6 @@
name: Lint, build, test, deploy and tag
permissions:
contents: read

on:
push:
@@ -104,6 +106,8 @@
runs-on: ubuntu-latest
needs: Lint-Build-Test
if: ${{ github.event_name == 'push' && contains(github.event.head_commit.message, '#RELEASE') }}
permissions:
contents: write
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
runs-on: ubuntu-latest
needs: Lint-Build-Test
if: ${{ github.event_name == 'push' && contains(github.event.head_commit.message, '#RELEASE') }}
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- uses: anothrNick/github-tag-action@1.67.0
name: Bump version and push tag
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DEFAULT_BUMP: patch
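Review bot: The new Tag job hands `secrets.GITHUB_TOKEN` to a third-party action referenced by a mutable tag, `anothrNick/github-tag-action@1.67.0`; a tag can be re-pointed upstream or by whoever compromises that repository, so pin it to the full commit SHA of the release you reviewed, e.g. `uses: anothrNick/github-tag-action@<40-char-sha> # v1.67.0`, and apply the same to `actions/checkout@v3`, `actions/setup-node@v3` and `cypress-io/github-action@v5`. The Tag job's `actions/setup-node@v3` step sets no `node-version` and nothing after it runs node, so it looks like a leftover that only widens the set of actions trusted with that token; dropping it is a one-line removal. Separately, the install steps use `npm install`, which can resolve versions beyond whatever lockfile the project commits (none is visible here) and runs package install scripts, whereas `npm ci` installs exactly the locked set and fails on drift — worth switching if a lockfile exists.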

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

In general, the fix is to explicitly declare permissions for the workflow or for individual jobs so that the GITHUB_TOKEN has only the scopes required. Here, Lint-Build-Test only needs read access to check out code and install dependencies, so it can be limited to contents: read. The Tag job needs to push tags, which requires contents: write.

The best way to fix this without changing existing functionality is:

  1. Add a workflow-level permissions block near the top (after name:) setting contents: read. This applies to all jobs by default.
  2. Add a permissions block under the Tag job that overrides the default and sets contents: write, allowing it to push tags.

Concretely:

  • Edit .github/workflows/build-and-test.yml.

  • Insert:

    permissions:
      contents: read

    between line 1 (name: ...) and line 3 (on:).

  • Under the Tag: job (after line 104 runs-on: ubuntu-latest), insert:

        permissions:
          contents: write

    preserving indentation. No imports or other definitions are needed.


Suggested changeset 1
.github/workflows/build-and-test.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -1,5 +1,8 @@
 name: Lint, build, test, deploy and tag
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -102,6 +105,8 @@
 
   Tag:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     needs: Lint-Build-Test
     if: ${{ github.event_name == 'push' && contains(github.event.head_commit.message, '#RELEASE') }}
     steps:
EOF
@@ -1,5 +1,8 @@
name: Lint, build, test, deploy and tag

permissions:
contents: read

on:
push:
branches:
@@ -102,6 +105,8 @@

Tag:
runs-on: ubuntu-latest
permissions:
contents: write
needs: Lint-Build-Test
if: ${{ github.event_name == 'push' && contains(github.event.head_commit.message, '#RELEASE') }}
steps: