chore: streamline workflows #22
Conversation
| name: "cargo-audit" | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout sources | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Install Rust toolchain | ||
| uses: dtolnay/rust-toolchain@stable | ||
|
|
||
| - name: Install cargo-audit | ||
| uses: taiki-e/install-action@cargo-audit | ||
|
|
||
| - name: Run cargo audit | ||
| run: cargo audit | ||
|
|
||
| - name: Run cargo audit (JSON output) | ||
| run: cargo audit --json > audit-results.json | ||
| continue-on-error: true | ||
|
|
||
| - name: Upload audit results | ||
| uses: actions/upload-artifact@v4 | ||
| if: always() | ||
| with: | ||
| name: security-audit-results | ||
| name: cargo-audit-results | ||
| path: audit-results.json | ||
|
|
||
| dependency-review: | ||
| name: Dependency Review | ||
| vet: | ||
| name: cargo-vet | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| CARGO_VET_VERSION: 0.10.1 | ||
| steps: |
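Review bot: the `with:` block of the "Upload audit results" step carries two `name:` keys as rendered (`name: security-audit-results` directly above `name: cargo-audit-results`); if both survive in the final file that is a duplicate mapping key, so keep only `name: cargo-audit-results`. Separately, the first "Run cargo audit" step has no `continue-on-error`, so a reported advisory fails the job there, the "Run cargo audit (JSON output)" step below it is skipped, and the `if: always()` upload then runs with no `audit-results.json` to publish; either run `cargo audit --json` first (or give it `if: always()`), or fold the two into one step and let the artifact carry the report. The stray `dependency-review:` / `name: Dependency Review` header above `vet:` has no `runs-on` or `steps`; if it is not a removed line flattened by the rendering, drop it, because a job with no body is invalid.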
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI), about 1 month ago:
To fix the issue, set an explicit permissions block at the workflow or job level that restricts the GITHUB_TOKEN permissions to the minimum required for the workflow to function. In this case, based on the provided jobs and steps, it is sufficient to set contents: read, which allows read-only access to repository contents and disables all mutation or write access. This permissions block should be added at the root level of the workflow, ideally after the name and before env/jobs, so that all jobs inherit these restrictions unless overridden. No external imports, methods, or further configuration is required.
| @@ -1,4 +1,6 @@ | ||
| name: Security and Dependencies | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| schedule: | ||
| # Run security checks daily at 03:00 UTC |
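Review bot: the root-level `permissions:` / `contents: read` at R2-R3 is the right scope for everything visible in the file: `actions/checkout`, the toolchain installs, `cargo audit`, `cargo vet` and `actions/upload-artifact@v4` need no write scope on GITHUB_TOKEN, and a root block also applies to the `schedule:` run, which otherwise inherits the repository default token scopes. Taking this variant makes the per-job blocks proposed for `vet` and `cargo-deny` further down redundant; adopt one placement, not both.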
| - uses: actions/checkout@master | ||
| - name: Install Rust | ||
| run: rustup update stable && rustup default stable | ||
| - uses: actions/cache@v4 | ||
| with: | ||
| path: ${{ runner.tool_cache }}/cargo-vet | ||
| key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }} | ||
| - name: Add the tool cache directory to the search path | ||
| run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH | ||
| - name: Ensure that the tool cache is populated with the cargo-vet binary | ||
| run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet | ||
| - name: Invoke cargo-vet | ||
| run: cargo vet --locked | ||
|
|
||
| cargo-deny: | ||
| name: Cargo Deny | ||
| runs-on: ubuntu-latest | ||
| if: github.event_name == 'pull_request' | ||
| steps: | ||
| - name: Checkout sources |
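Review bot: `- uses: actions/checkout@master` in the vet job tracks a branch, so whatever lands on that branch next runs inside this workflow, while the cargo-audit job in the same file uses `actions/checkout@v6`. Pin both to the same ref, preferably a full commit SHA with the tag in a trailing comment, which is the same mutable-reference problem `cargo vet --locked` is there to catch for crates. Note also `if: github.event_name == 'pull_request'` on `cargo-deny`: whatever `cargo deny` checks is never re-evaluated on the daily `schedule:` run, only on pull requests; confirm that is intended.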
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI), about 1 month ago:
To fix the problem, you should add a permissions block specifying exactly what permissions the job or workflow requires. Since none of the jobs in your workflow push changes, create or edit issues, or otherwise need to write to the repository, contents: read suffices. You can apply the permissions at the job level (for just the vet job) or at the workflow root (to cover all jobs), but in this case CodeQL specifically complains about the vet job, so we'll add the block there. To implement the fix, add a permissions: field (with at least contents: read) to the vet job configuration, just after the name or runs-on keys and before env or steps if either exists.
| @@ -42,6 +42,8 @@ | ||
|
|
||
| vet: | ||
| name: cargo-vet | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| CARGO_VET_VERSION: 0.10.1 |
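Review bot: the job-level `permissions:` / `contents: read` at R45-R46 fixes only `vet`; the cargo-audit job above it has the same gap and CodeQL flags `cargo-deny` separately, so three per-job blocks would be needed to match a single root-level `permissions: contents: read`. Prefer the root-level form unless one job genuinely needs a different scope, in which case that job alone gets a job-level override.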
.github/workflows/security.yml (Outdated)
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI), about 1 month ago:
To fix the problem, add an explicit permissions block to the cargo-deny job (starting at line 63). This block should assign the minimal permissions needed by the job. For this read-only analysis job, contents: read is sufficient, unless the job uploads results to PRs, issues, etc. (which it does not). The fix involves adding a permissions: key with the appropriate value (contents: read) to the cargo-deny job block in .github/workflows/security.yml, taking care to match indentation for valid YAML and GitHub Actions schema. No additional logic, steps, or imports are needed.
| @@ -62,6 +62,8 @@ | ||
|
|
||
| cargo-deny: | ||
| name: Cargo Deny | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout sources |
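Review bot: this suggestion is marked Outdated and its context no longer matches the file: the hunk shows `runs-on: ubuntu-latest` followed directly by `steps:`, while the current `cargo-deny` job has `if: github.event_name == 'pull_request'` between them, so the `permissions:` / `contents: read` pair at R65-R66 must be re-applied by hand if taken. As with the `vet` suggestion, a job-level `contents: read` here is redundant once a root-level block exists; pick one placement.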
Welcome to Codecov 🎉
Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.
ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment.
Thanks for integrating Codecov - We've got you covered ☂️
Description
Streamline workflows
Type of Change
Testing
cargo fmt and cargo clippy
Checklist
Additional Notes
Any additional information, context, or screenshots about the pull request here.
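The CodeQL findings and Copilot suggestions in this thread concern two workflow-hygiene points: a missing `permissions:` block, which leaves GITHUB_TOKEN on the repository default scopes, and, visible in the rendered diff, actions referenced by floating refs (`actions/checkout@master`, `@v6`, `@stable`). The following is an added example, not code from this PR or the project: a stand-alone linter that reproduces those two checks over a constructed workflow modelled on the one above, next to a hardened variant that passes. The sample workflows, the all-zero commit SHAs (placeholders, not real commits) and the function names are assumptions for illustration.

```python
"""Lint a GitHub Actions workflow for the two gaps visible in this PR thread:
no `permissions:` block (CodeQL "Workflow does not contain permissions") and
`uses:` refs that float (@v6, @master) instead of a full commit SHA.
Added example, not project code. Standard library only; the line scanner handles
the two-space block style of the thread's security.yml, not arbitrary YAML."""
import re
from typing import Dict, List, Optional

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# indent, optional list dash, mapping key, optional scalar value
KEY = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z_][\w-]*):(?:\s+(.*))?$")

# Constructed sample modelled on the thread's workflow: no permissions block, floating refs.
SAMPLE_WORKFLOW = """\
name: Security and Dependencies
on: pull_request
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: taiki-e/install-action@cargo-audit
      - run: cargo audit
  vet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - run: cargo vet --locked
"""

# Hardened variant: read-only token at the root, every action SHA-pinned. The all-zero
# SHAs are placeholders, not real commits: substitute the commit behind the reviewed tag.
HARDENED_WORKFLOW = """\
name: Security and Dependencies
permissions:
  contents: read
on: pull_request
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6
      - uses: taiki-e/install-action@0000000000000000000000000000000000000000 # cargo-audit
      - run: cargo audit
  vet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6
      - run: cargo vet --locked
"""

def check_uses(ref: str) -> Optional[str]:
    """Finding for an action reference that is not pinned to a full SHA, else None."""
    if ref.startswith(("./", "docker://")):    # local path or image: nothing to pin
        return None
    if "@" not in ref:
        return f"{ref}: no ref given, pin to a full commit SHA"
    action, tag = ref.rsplit("@", 1)
    if SHA40.match(tag):
        return None
    kind = "branch" if tag in ("master", "main") else "tag/label"
    return f"{action}@{tag}: floating {kind} ref, pin to a full commit SHA"

def check_workflow(text: str) -> List[str]:
    """Return human-readable findings for one workflow file."""
    findings: List[str] = []
    root_permissions, in_jobs = False, False
    job_indent: Optional[int] = None           # indent of job ids under `jobs:`
    current_job: Optional[str] = None
    body_indent: Dict[str, int] = {}           # indent of each job's own keys
    job_permissions: Dict[str, bool] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        m = KEY.match(raw)
        key = m.group(2) if m else None
        # scalar value with a trailing ` # comment` and surrounding quotes removed
        value = (m.group(3) or "").split(" #")[0].strip().strip("'\"") if m else ""
        if indent == 0:                        # top-level key
            in_jobs, current_job = key == "jobs", None
            root_permissions |= key == "permissions"
            continue
        if in_jobs:
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent and key and not value:    # a job id
                current_job, job_permissions[key] = key, False
                continue
            if current_job is not None:
                body_indent.setdefault(current_job, indent)
                if key == "permissions" and indent == body_indent[current_job]:
                    job_permissions[current_job] = True
        if key == "uses" and (finding := check_uses(value)):
            findings.append((f"job {current_job}: " if current_job else "") + finding)
    if not root_permissions:                   # a root block would cover every job
        findings += [f"job {job}: no permissions block, GITHUB_TOKEN keeps the "
                     "repository default scopes"
                     for job, ok in job_permissions.items() if not ok]
    return findings
```

Run `check_workflow` over each file under `.github/workflows/`: on the sample it reports three floating refs and two jobs without a permissions block, on the hardened variant nothing. The hardened string shows the shape of the fix discussed in the thread, one `permissions: contents: read` at the root (what the first Copilot suggestion proposes) and SHA-pinned `uses:` lines with the tag kept in a trailing comment so Dependabot can still bump them.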