Conversation
jackpooleyml
force-pushed
the
jack/swift-sessions-demo
branch
7 times, most recently
from
02abd88 to
4156b29
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Rust SDK - latest | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| config: | ||
| - debug | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Run sccache-cache | ||
| uses: mozilla-actions/sccache-action@v0.0.4 | ||
|
|
||
| - name: Install Rust | ||
| run: | | ||
| rustup update stable && rustup default stable | ||
| rustup toolchain install nightly | ||
|
|
||
| - name: Run rustfmt | ||
| run: | | ||
| rustup component add rustfmt --toolchain nightly | ||
| cargo +nightly fmt --all -- --check | ||
| working-directory: packages/sdk-platforms/rust/zksync-sso | ||
|
|
||
| - name: Install Anvil ZKsync Manually | ||
| run: | | ||
| SCRIPT_PATH=".github/workflows/scripts/install-anvil-zksync.sh" | ||
| chmod +x "$SCRIPT_PATH" | ||
| sh "$SCRIPT_PATH" | ||
|
|
||
| - name: Setup pnpm | ||
| uses: pnpm/action-setup@v4 | ||
| with: | ||
| version: 9.11.0 | ||
|
|
||
| - name: Use Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: lts/Iron | ||
| cache: pnpm | ||
|
|
||
| - name: Install dependencies | ||
| run: pnpm install -r --frozen-lockfile | ||
|
|
||
| - name: Install contract dependencies | ||
| run: pnpm install -r --frozen-lockfile | ||
| working-directory: packages/contracts | ||
|
|
||
| - name: Build contracts | ||
| run: pnpm build | ||
| working-directory: packages/contracts | ||
|
|
||
| - name: Run clippy | ||
| run: | | ||
| rustup component add clippy --toolchain stable | ||
| cargo clippy --all-targets -- -D warnings | ||
| working-directory: packages/sdk-platforms/rust/zksync-sso | ||
|
|
||
| - name: Run rust tests | ||
| run: cargo test | ||
| working-directory: packages/sdk-platforms/rust/zksync-sso No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To fix the problem, you should add a permissions block to the workflow to explicitly restrict the permissions granted to the GITHUB_TOKEN. The best way to do this is to add the block at the root level of the workflow file, so it applies to all jobs unless overridden. Since the workflow only checks out code, installs dependencies, builds, and runs tests, it does not appear to require any write permissions. Therefore, the minimal starting point is to set contents: read, which allows the workflow to read repository contents but not modify them. This change should be made at the top level of .github/workflows/ci-rust.yml, immediately after the name field and before the on field.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: Rust CI | ||
|
|
||
| on: |
jackpooleyml
force-pushed
the
jack/swift-sessions-demo
branch
2 times, most recently
from
a8c8895 to
608559c
Compare
jackpooleyml
force-pushed
the
jack/swift-sessions-demo
branch
from
519df56 to
96320ae
Compare
cpb8010
left a comment
cpb8010
left a comment
There was a problem hiding this comment.
I'm approving this based on the CI passing!
2 participants
Description
This is the first in a series of PRs implementing example code for SSO Sessions in the Swift Example app.
This PR includes:
Future PRs will add: