GitHub config dependency upgrades#1415
Conversation
Codecov Report ✅ All modified and coverable lines are covered by tests.
Additional details and impacted files

```
@@ Coverage Diff @@
##          feature/distributed-demo    #1415      +/-   ##
============================================================
+ Coverage                    92.74%   95.51%   +2.77%
============================================================
  Files                            5      146     +141
  Lines                          248     4058    +3810
  Branches                         0      608     +608
============================================================
+ Hits                           230     3876    +3646
- Misses                          18      179     +161
- Partials                         0        3       +3
```

... and 140 files with indirect coverage changes
Pull request overview
This pull request focuses on improving GitHub Actions workflows, updating dependencies, and adding GitHub Copilot agent configurations. The changes include syntax fixes for GitHub Actions, environment variable naming standardization, dependency version bumps, and new Copilot agent configuration files.
Key changes:
- Fixed GitHub Actions workflow syntax issues and improved YAML formatting
- Updated multiple dependencies to newer versions (TypeScript ESLint, Playwright, SWC, webpack, etc.)
- Standardized environment variable naming from lowercase to uppercase in Docker Compose
- Added GitHub Copilot custom agent configuration files for various development modes
- Improved issue template formatting with proper markdown heading hierarchy
Reviewed changes
Copilot reviewed 24 out of 28 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| servers/lib/yarn.lock | Updated dependencies: @apollo/client 4.0.10→4.0.11, @types/node 25.0.2→25.0.3, @typescript-eslint packages 8.49.0→8.50.0, eslint-plugin-jest 29.4.0→29.5.0, isomorphic-git 1.36.0→1.36.1 |
| servers/lib/package.json | Version bump from 0.5.6 to 0.5.7 |
| servers/execution/runner/yarn.lock | Updated dependencies: @swc/core 1.15.4→1.15.7, @types/node 25.0.1→25.0.3, @typescript-eslint parser 8.49.0→8.50.0, eslint-plugin-jest 29.3.0→29.5.0, webpack 5.103.0→5.104.1 |
| servers/execution/runner/src/config/commander.ts | Version constant updated from 0.3.4 to 0.3.5 |
| servers/execution/runner/package.json | Version bump from 0.3.4 to 0.3.5 |
| docker/compose.dev.yml | Environment variable naming changed from lowercase (username1/username2) to uppercase (USERNAME1/USERNAME2) |
| client/yarn.lock | Updated dependencies: @eslint/js 9.39.1→9.39.2, @playwright/test 1.56.1→1.57.0, node-forge 1.3.1→1.3.3, playwright 1.56.1→1.57.0, ts-jest 29.4.5→29.4.6, zod 4.1.12→4.1.13 |
| client/package.json | Version bump from 0.10.1 to 0.10.2; added node-forge resolution; updated dev dependencies |
| .gitignore | Added !files/user2/ exclusion and blank line for readability |
| .github/workflows/runner.yml | Fixed job naming (get_version→get-version), improved shell syntax, added packages:write permission, improved conditional formatting |
| .github/workflows/python-cli.yml | Added version comments for actions, increased artifact retention from 1 to 3 days |
| .github/workflows/publish-npm.yml | Fixed YAML indentation for workflow_call inputs and secrets |
| .github/workflows/lib-ms.yml | Removed top-level permissions, improved job naming consistency, added packages:write to NPM publish job |
| .github/workflows/docs.yml | Removed blank line, added job-level permissions block |
| .github/workflows/docker-ghcr.yml | Improved IMAGE_TAG quoting, reformatted multi-line tags |
| .github/workflows/docker-dockerhub.yml | Added packages:write permission, improved secret documentation formatting |
| .github/workflows/client.yml | Removed top-level permissions, improved job naming and conditional formatting |
| .github/pull_request_template.md | Improved text wrapping for better readability |
| .github/agents/*.agent.md | Added seven new GitHub Copilot agent configuration files for different development modes |
| .github/README.md | New file documenting agent sources and licensing |
| .github/ISSUE_TEMPLATE/feature_request.md | Changed heading levels from ### to ## |
| .github/ISSUE_TEMPLATE/bug_report.md | Changed heading levels from ### to ## |
| permissions: | ||
| contents: read # ✅ Required for checking out the code | ||
| contents: read # ✅ Required for checking out the code | ||
| packages: write # ✅ Required for publishing to github package registry |
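Review bot: `packages: write`, annotated here as required for the GitHub package registry, is granted on a job that the comment below identifies as publishing only to DockerHub; a Docker Hub push authenticates with the Docker Hub secrets, not with GITHUB_TOKEN, so the scope is never exercised and should be removed, leaving `contents: read`. Since a job-level `permissions:` block already sets every scope it does not list to `none`, dropping the line narrows the token at no cost to the job.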
Similar to other workflows, packages: write permission is added to publish-docker-image-dockerhub job which only publishes to DockerHub. This permission is unnecessary and should be removed for security best practices.
| packages: write # ✅ Required for publishing to github package registry |
| volumes: | ||
| - ${DTAAS_DIR}/files/common:/workspace/common | ||
| - ${DTAAS_DIR}/files/${username1}:/workspace | ||
| - ${DTAAS_DIR}/files/${USERNAME1}:/workspace |
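Review bot: With the rename to `${USERNAME1}`, an unset variable still expands to an empty string in Compose, so this line becomes `${DTAAS_DIR}/files/:/workspace` and mounts the whole files tree, including `files/common` from the sibling mount and every other user's directory, into this one user's workspace. Use Compose's required-variable form, `${DTAAS_DIR}/files/${USERNAME1:?USERNAME1 is not set}:/workspace`, so a stale .env that still only sets `username1` makes `docker compose up` fail instead of silently over-mounting; the same applies to the USERNAME2 mount.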
The environment variable naming convention has been changed from lowercase with numbers (username1) to uppercase with numbers (USERNAME1). However, this change may break existing deployments if the corresponding environment variables in the deployment environment haven't been updated to match this new naming convention. Ensure that all .env files and deployment configurations use USERNAME1 and USERNAME2 instead of username1 and username2.
| permissions: | ||
| contents: read # ✅ Required for checking out the code | ||
| contents: read # ✅ Required for checking out the code | ||
| packages: write # ✅ Push to github package registry |
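Review bot: `packages: write` is the GitHub Packages scope; a publish to registry.npmjs.org authenticates with the npm token and never uses GITHUB_TOKEN, so this line buys nothing for the publish-package-npm job and should go. The only GITHUB_TOKEN scope an npmjs publish can need is `id-token: write`, and only if the step runs `npm publish --provenance` to attach a build attestation; otherwise `contents: read` alone is correct for this job.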
The packages: write permission is added to the publish-package-npm job, but this job publishes to NPM registry (registry.npmjs.org), not GitHub Packages. The packages: write permission is unnecessary for NPM publishing and should be removed from this job. It's only needed for the publish-package-github job.
| packages: write # ✅ Push to github package registry |
| @@ -16,13 +16,10 @@ env: | |||
| HTTP_PORT: 4002 | |||
| LIBMS_CONFIG_PATH: test/libms.test.yaml | |||
|
|
|||
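Review bot: The workflow-level `permissions: contents: read` that sat after this `env:` block has been removed (the deleted lines are reproduced at the end of the comment below). With no workflow-level block, every job that lacks its own `permissions:` runs with the repository's default GITHUB_TOKEN permissions, which come from a repository or organization setting and can be read/write on all scopes. Keep the restrictive workflow-level block as the baseline and let only the publish job widen its own permissions; the job-level blocks added elsewhere in this PR still override it where needed.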
The top-level permissions block has been removed from this workflow. While individual jobs have their own permissions blocks, removing the top-level permissions means jobs without explicit permissions will inherit the default permissions (which are quite broad). It's better practice to keep a restrictive top-level permissions block and explicitly grant permissions per job as needed.
| permissions: | |
| contents: read |
| permissions: | ||
| contents: read # ✅ Required for checking out the code |
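Review bot: Adding this job-level block is right, and it cannot break the checkout step: a job-level `permissions:` replaces the default token permissions for this job only, `contents: read` is sufficient for checking out the code, and every scope not listed becomes `none`. What it does not do is constrain any other job in this file, so docs.yml should also carry a workflow-level `permissions: contents: read` as the baseline rather than relying on the repository default.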
Job-level permissions block is added here which is good practice. However, verify that adding this doesn't cause issues since there's no top-level restrictive permissions block in this workflow file.
| permissions: | |
| contents: read # ✅ Required for checking out the code |
| cli/dist/*.whl | ||
| cli/dist/*.tar.gz | ||
| retention-days: 1 | ||
| retention-days: 3 |
The change from "retention-days: 1" to "retention-days: 3" increases artifact storage duration. While this provides more time for artifact retrieval, it also increases storage costs. Ensure this aligns with the project's artifact retention policy.
| retention-days: 3 | |
| retention-days: 1 |
| publish-package-npm: | ||
| permissions: | ||
| contents: read # ✅ Required for checking out the code | ||
| packages: write # ✅ Push to github package registry |
Similar to the runner workflow, the packages: write permission is added to the publish-package-npm job which publishes to registry.npmjs.org, not GitHub Packages. This permission should be removed as it's unnecessary and follows the principle of least privilege.
| packages: write # ✅ Push to github package registry |
| packages: write # ✅ Push to github package registry | ||
|
|
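Review bot: Granting `packages: write` at the workflow level extends it to every job in this workflow file, not only the one that publishes an image; a workflow-level scope is the ceiling each job inherits unless it declares its own block. Keep the workflow level at `contents: read` and put `packages: write` only on a job that actually pushes to the GitHub Container Registry; the DockerHub publish job named in the comment below does not use GITHUB_TOKEN for its push.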
The packages: write permission is added to the workflow and to the publish-docker-image-dockerhub job, but this job only publishes to DockerHub, not GitHub Container Registry. The packages: write permission should only be on jobs that actually interact with GitHub Packages.
| packages: write # ✅ Push to github package registry |
| contents: read # ✅ Required for checking out the code | ||
| if: | | ||
| contents: read # ✅ Required for checking out the code | ||
| packages: write # ✅ Required for publishing to github package registry |
The packages: write permission is added to publish-docker-image-dockerhub job. This job pushes to DockerHub (not GitHub Container Registry), so packages: write permission for GitHub Packages is unnecessary. Only the publish-docker-image-ghcr job needs this permission.
| packages: write # ✅ Required for publishing to github package registry |
| @@ -11,15 +11,12 @@ on: | |||
| - '.github/workflows/client.yml' | |||
| workflow_dispatch: | |||
|
|
|||
The top-level permissions block has been removed from this workflow. Similar to other workflows, this means jobs inherit default permissions. Consider adding a restrictive top-level permissions block with individual jobs explicitly requesting needed permissions.
| permissions: | |
| contents: read |
1b1bcc1 into INTO-CPS-Association:feature/distributed-demo

- Updates nodejs versions in dockerfiles
- Updates npm dependencies of runner and lib microservices
- Document Capabilities, Concurrent Execution and Settings
- Improve Github Actions (INTO-CPS-Association#1411)
  - Adds permissions to all GitHub Actions
  - Pins all GitHub Actions to specific commit hashes with version tags for security
  - Adds granular permission scopes at both workflow and job levels
  - Updates runner NPM publishing to publish at npmjs registry
- GitHub config dependency upgrades (INTO-CPS-Association#1415)
  - Fixes GitHub Actions workflows
  - New agent configuration files in .github/agents/
  - Adds npm publish step to runner workflow
  - Environment variable naming changes in docker/compose.dev.yml
- Fixes workflow errors and package dependencies (INTO-CPS-Association#1418)
  - Fixes mistakes in runner.yml workflow
  - Updates npm packages of libms
- Add summary table
- Adds new markdown docs to mkdocs webpage index
- Adds new markdown docs to mkdocs webpage index
- Updates docs based on release-v0.7 docs
- Updates figures in the docs
- Fix names and file paths in the docs
- Fix URLs in the docs
- Fix clone instructions in the docs
- Adds python script to prepare docs for release
- Fixes quality issues in python script and mkdocs config
- [WIP] gitlab integration docs updated
- Revises documentation
- Fixes qlty issues in documentation
- Fixes qlty issues in python script
- Fixes qlty issues and adds python script to format tables
- Fixes qlty issues and adds qlty config
- Adds new developer documentation
- Adds new admin guide
- Formats long commands
- Edits docs into impersonal and academic style
- Resolve merge conflicts
- Improves wording in docs
- Formats tables in docs
- Fixes description in some docs
- Adds DevOps docs
- Updates platform service versions
Copilot Config and Dependency Upgrades
Type of Change
Description
The existing GitHub Actions have syntax errors leading to workflow run failures. This issue has been fixed.
GitHub Copilot can use custom agents for projects. These agents have been added to the project. In addition, the package and security patches recommended in Dependabot pull requests have been added.
In addition, an npm publish job has been added to the runner workflow.
Testing
Tests have been performed on GitHub Actions and manual testing has been performed for the Client website.
Impact
Better GitHub Actions and Copilot settings.
Checklist
existing code.