chore: add workflow stubs for testing #312
Temporary stubs to enable workflow_dispatch from feature branches. Will be replaced by full implementation when PR #311 is merged.
Claude finished @ignaciosantise's task in 34s
Review Complete
✅ No issues found
Automated Checks
✅ No external domain URLs detected
The stub workflows are minimal and secure. They only use
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: echo "This is a stub. Run from feature branch with --ref" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 12 hours ago
In general, the fix is to explicitly define a permissions block for the workflow (or specific jobs) that grants only the minimal required scopes to GITHUB_TOKEN. For a stub job that only runs a shell echo command and does not interact with the GitHub API or repository contents, the safest and most accurate configuration is to fully disable GITHUB_TOKEN by setting permissions: {} at the workflow level.
Concretely, in .github/workflows/release-appkit.yaml, add a permissions: {} block near the top of the workflow (after the name: line and before on:) so that it applies to all jobs. This ensures that the stub job has no token permissions at all, matching its current behavior and not changing any existing functionality. No imports or additional definitions are needed because this is a YAML configuration change only.
| @@ -2,6 +2,8 @@ | ||
| # Real implementation is on chore/ci-improvements branch | ||
| name: Release AppKit | ||
|
|
||
| permissions: {} | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
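Review bot: `permissions: {}` at R5 only governs runs of this stub file, while the stub's own echo step says the workflow is meant to be dispatched "from feature branch with --ref", and a run dispatched that way takes its workflow definition, permissions included, from that ref. The real implementation on chore/ci-improvements therefore needs its own explicit permissions block, otherwise the token falls back to the repository default there. It is worth saying so in the header comment next to "Real implementation is on chore/ci-improvements branch".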
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: echo "This is a stub. Run from feature branch with --ref" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 12 hours ago
In general, the fix is to explicitly define a permissions block for the workflow or for the specific job, setting the GITHUB_TOKEN to the minimal required permissions. Since this stub job does not interact with GitHub APIs at all, we can safely set permissions: contents: read at the workflow level, which is the typical minimal baseline and satisfies the CodeQL recommendation while preserving behavior.
The best way to fix this without changing functionality is to add a workflow-level permissions section just after the name field (around line 4), before the on: block. This ensures all jobs in this workflow default to these restricted permissions. Concretely, in .github/workflows/release-pos.yaml, insert:
```yaml
permissions:
  contents: read
```
between the existing name: Release Mobile POS line and the on: block. No additional imports, methods, or other definitions are needed, as this is purely a YAML configuration change to the GitHub Actions workflow.
| @@ -1,6 +1,8 @@ | ||
| # Stub workflow to enable dispatch from feature branches | ||
| # Real implementation is on chore/ci-improvements branch | ||
| name: Release Mobile POS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: |
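Review bot: `contents: read` at R4-R5 grants more than this stub uses: its only step is an echo with no checkout, and the AppKit and WalletKit stubs get `permissions: {}` for the same job body. Use `permissions: {}` here as well so the three stubs are consistent and the token carries no scopes.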
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: echo "This is a stub. Run from feature branch with --ref" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 12 hours ago
In general, the fix is to explicitly specify permissions for the workflow or each job so that the GITHUB_TOKEN is restricted to the minimum needed (or fully disabled) rather than inheriting potentially broad repository defaults.
For this specific stub workflow, the job only prints a message and does not interact with the GitHub API, so the safest and least-privileged configuration is to set permissions: {} at the workflow (top) level. This disables all default permissions for GITHUB_TOKEN for all jobs in this workflow. Concretely, in .github/workflows/release-walletkit.yaml, add a permissions: {} block near the top-level metadata (e.g., after the name: line and before the on: block). No other functionality changes are required and no additional imports or methods are needed, since this is pure YAML configuration.
| @@ -1,6 +1,7 @@ | ||
| # Stub workflow to enable dispatch from feature branches | ||
| # Real implementation is on chore/ci-improvements branch | ||
| name: Release WalletKit | ||
| permissions: {} | ||
|
|
||
| on: | ||
| workflow_dispatch: |
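Review bot: the `permissions: {}` line at R4 has no comment saying why the token is disabled, and the header comments state that this file will be replaced. Add a short comment above it (for example, that the stub makes no API calls) so the block is carried over deliberately, with job-level grants added where needed, rather than dropped when the stub is swapped out.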
Pull request overview
This PR adds three stub workflow files to enable workflow_dispatch testing from feature branches. These are temporary placeholders that will be replaced when PR #311 is merged.
Changes:
- Added stub workflow files for AppKit, WalletKit, and Mobile POS releases
- Each stub defines workflow inputs matching the intended final implementation
- All stubs execute a simple echo statement to indicate they are placeholders
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/release-appkit.yaml | Stub workflow for AppKit releases with platform, release-type, and e2e-build inputs |
| .github/workflows/release-walletkit.yaml | Stub workflow for WalletKit releases with platform, release-type, and e2e-build inputs |
| .github/workflows/release-pos.yaml | Stub workflow for Mobile POS releases with platform and variant inputs |
| - internal | ||
| - production | ||
| e2e-build: | ||
| description: 'Build for E2E tests (uploads to S3 for AppKit SDK repo tests)' |
Copilot
AI
Jan 12, 2026
The description for the 'e2e-build' parameter mentions "AppKit SDK repo tests" in the WalletKit workflow. This should reference WalletKit instead of AppKit for consistency, since this is the WalletKit release workflow.
| description: 'Build for E2E tests (uploads to S3 for AppKit SDK repo tests)' | |
| description: 'Build for E2E tests (uploads to S3 for WalletKit SDK repo tests)' |
Summary
Temporary stub workflows to enable workflow_dispatch from feature branches. These are placeholders that will be replaced by the full implementation when PR #311 is merged.
Purpose
Allows testing the consolidated workflows on chore/ci-improvements branch before merging:
Files Added
- release-appkit.yaml (stub)
- release-walletkit.yaml (stub)
- release-pos.yaml (stub)

Note: Merge this first, then test PR #311, then merge PR #311 which will replace these stubs.
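The "Workflow does not contain permissions" warnings raised on this PR can be approximated locally before pushing. The following is an added example, not code from this repository and not CodeQL's actual query: a simplified, dependency-free check that reports jobs with neither a workflow-level nor a job-level `permissions` key. The function name, the job id `stub` and the sample workflow text are assumptions constructed for illustration.

```python
import re

KEY = re.compile(r"^( *)([A-Za-z_][\w-]*):")

def jobs_missing_permissions(workflow_text):
    """Return ids of jobs that inherit the repository-default GITHUB_TOKEN scopes."""
    workflow_level = False   # top-level `permissions:` seen
    in_jobs = False          # currently inside the top-level `jobs:` mapping
    job_indent = prop_indent = None
    current = None
    has_perms = {}           # job id -> declares its own `permissions:`
    for line in workflow_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KEY.match(line)
        if not m:            # blank lines, list items, scalar continuations
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            in_jobs = key == "jobs"
            workflow_level = workflow_level or key == "permissions"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:          # a job id
                current, prop_indent = key, None
                has_perms[current] = False
            elif current is not None:
                if prop_indent is None:
                    prop_indent = indent      # indentation of this job's keys
                if indent == prop_indent and key == "permissions":
                    has_perms[current] = True
    if workflow_level:
        return []
    return sorted(j for j, ok in has_perms.items() if not ok)

# Constructed sample modelled on the stubs in this PR; the job id `stub` is assumed.
STUB = """\
name: Release AppKit
on:
  workflow_dispatch:
jobs:
  stub:
    runs-on: ubuntu-latest
    steps:
      - run: echo "This is a stub. Run from feature branch with --ref"
"""
# Same stub with the workflow-level block from the autofix suggestion applied.
FIXED = STUB.replace("\non:\n", "\npermissions: {}\n\non:\n", 1)

if __name__ == "__main__":
    print(jobs_missing_permissions(STUB), jobs_missing_permissions(FIXED))
```

The scanner relies on indentation only, so it does not handle flow-style job mappings or YAML anchors; a full YAML parser is the better choice for anything beyond a pre-push check.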