
Merge feature-business-layer branch into main#343

Closed
deetz99 wants to merge 83 commits intomainfrom
feature-business-layer

Conversation

Collaborator

@deetz99 deetz99 commented Dec 16, 2025

Issue #: bcgov/entity#31285

Description of changes:

  • title

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the lear license (Apache 2.0).

deetz99 and others added 30 commits August 26, 2025 11:44
* init changesets

* add changeset config, change business layer to be under connect org for now
* minimal change to base and person roles to get new layers working

* add changeset
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* add eslint to root of workspace

* remove eslint from nuxt config in person roles
* create shared pw and vitest configs

* add changeset

* fix

* cleanup

* fix lint ignore
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* init base layer CI

* update env.example

* fix

* add changeset

* add paths filter to changesets workflow
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* remove old checkbox group components

* use address component from forms layer

* use address complete from forms layer

* remove unused utils/tests

* update address interface

* switch formfield input elements for connect

* switch to connect form structure els

* update css to use new vars

* switch to formlayout

* switch to button control from forms

* switch to pay widget/store from pay layer

* remove unneeded zod schemas

* cleanup app config

* update legal api definition

* update vaults env names

* add changeset
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* move business types, plugins, composables, tests, etc to business layer

* fix deps

* move business tombstone and filing layout to layer

* cleanup i18n

* update padding on layout

* cleanup error modal

* only fetch fees if business defined

* update error modal

* refactor modals

* add changeset

* fix lint

* revert accidental change in prta directory
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* update layer versions

* refactor to use tombstone from connect base layer

* move auth info fetch to business api composable, define plugin types as they aren't being inferred correctly

* add changeset

* add test for filing tombstone composable

* remove auth user state in e2e test

* fix test
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* form validation e2e tests

* add officer tests

* edit person tests

* refactor test helpers for form validation and add officer flows

* refactor edit officer flow

* task guard tests

* task guard tests

* draft filing tests

* page init errors tests

* remove wait for network idle

* update person-roles ci

* update tests to pass for CI

* fix for firefox

* fix flaky tests, exclude mobile

* remove commented line in pw config

* fix env name, add changesets

* bump version

* switch to config.playwright check instead of config.ci in auth middleware

* fix country select handling

* minor fix

* increase timeout in pw setup

* fix unit tests

* fix lint
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* add changeset

* use new auth page, cleanup playwright middleware

* fix base layer e2e test

* fix lint
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* refactor officer error modals

* update base layer deps
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* add ff check on officers init

* update vault env values

* ignore ff check if e2e tests

* bump version

* try updating node version to fix unit tests in ci
* fix vitest coverage file path

* update base layer readme, rename/organize utils, update/add tests

* add changeset for base

* add changesets usage docs

* update officers with new util name

* bump person roles version

* start docs for business layer

* update head/breadcrumb text
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* remove save button, update tests

* update base layer with business edit config val, remove officer specific i18n labels, add company info page i18n label

* update user redirect after save/submit/cancel/modal actions, either to business dashboard or edit ui

* set correct default breadcrumb and header text, bcreg instead of connect

* remove unnecessary pending task check on init, update/fix e2e tests

* e2e test update

* fix address fill in e2e

* remove comment
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Business layer - filing ledger code

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* Update bootstrap flow

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* lint fix and fixes

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* added in tests

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* Added in alerts component, some updates to ledger

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* Updated for PR comments

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* fix unit test

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* Pr comment updates

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* removed unused store function

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* removed unused store function

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* fix ci and changeset

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

---------

Signed-off-by: Kial Jinnah <kialj876@gmail.com>
github-actions bot and others added 14 commits December 5, 2025 10:46
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
… form submit (#325)

* add id property to officer form schema

* update version
* fix duplicate/incorrect modal displaying on filing init errors

* simplify errors

* remove .only from unit test

* e2e test update

* test update

* remove unnecessary if statements

* cleanup parties
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* init registry home app

* add root devops.env for registry home

* add CICD

* update app name in CD

* update site name in firebase.json
* Initial code

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* Updates

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* Updated tests

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* Update filing watcher

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* Finish updating tests

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* updated changeset

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

* Update to liquidators flow

Signed-off-by: Kial Jinnah <kialj876@gmail.com>

---------

Signed-off-by: Kial Jinnah <kialj876@gmail.com>
* init DOD app

* add missing app config and test setup files
Signed-off-by: Kial Jinnah <kialj876@gmail.com>
* checkpoint

* dod store

* checkpoint

* fix i18n for page description

* unit test schemas

* add missing i18n

* init e2e setup - needs filing name to complete permissions and isAllowed checks

* fix lint

* add dissolution types

* remove unnecessary nested form for addToLedger component

* dissolution enums, test fixes, breadcrumb value

* remove unnecessary mocks, add fee mock, add submit test

* use DissolutionType enum for filing sub types enum

* create common api calls mock, add to dissolution

* add new test util to receivers and liquidators, cleanup old code

* revert pw config change

* fix unit test

* revert pnpm lock

* add prepare step after pnpm install in e2e ci

* add postinstall to pnpm test command

* fix unit test

* fix unit test

* fix unit test
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Comment on lines +23 to +32
    uses: bcgov/bcregistry-sre/.github/workflows/frontend-cd.yaml@main
    with:
      target: ${{ inputs.target }}
      app_name: "dissolution"
      working_directory: "."
      node_version: 24
      pnpm_version: 10.0.0
    secrets:
      WORKLOAD_IDENTIFY_POOLS_PROVIDER: ${{ secrets.WORKLOAD_IDENTIFY_POOLS_PROVIDER }}
      GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
Comment on lines +16 to +24
    uses: pwei1018/bcregistry-sre/.github/workflows/frontend-ci.yaml@rollback-op
    with:
      app_name: "dissolution"
      working_directory: "./web/dissolution"
      codecov_flag: "dissolution"
      node_version: 24
      pnpm_version: 10.0.0

  e2e-tests:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

To fix the problem, we should add a permissions: block to either the top-level of the workflow (to apply to all jobs) or to the specific job (dissolution-ui-ci). In almost all cases, it's clearest and safest to add a restrictive top-level permission (e.g., contents: read). Then, if any job needs write or broader permissions, individual jobs can override the default. Given that most CI/CD jobs only require contents: read, this is the most secure and future-proof approach. For this code, add after the name: and before the on: section a permissions: block:

permissions:
  contents: read

This will be inherited by all jobs in the workflow, unless they specify their own permissions.

Needed:

  • Insert a permissions: block after the first line (name: Dissolution UI CI), before on:.
  • No changes to imports, methods, or variables (as this is a YAML workflow).
  • If, later, a job requires additional permissions, override in that job.

Suggested changeset 1
.github/workflows/dissolution-ci.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dissolution-ci.yaml b/.github/workflows/dissolution-ci.yaml
--- a/.github/workflows/dissolution-ci.yaml
+++ b/.github/workflows/dissolution-ci.yaml
@@ -1,4 +1,6 @@
 name: Dissolution UI CI
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
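Review bot: this is one of three suggested changesets on this page that all edit lines 1-2 of .github/workflows/dissolution-ci.yaml (the other two differ only by a blank line after the block); apply exactly one, because once the first is applied the context of the others (`name:` followed directly by a blank line) no longer matches and `git apply` will reject them. Separately, the first job in this file calls `pwei1018/bcregistry-sre/.github/workflows/frontend-ci.yaml@rollback-op`, and a caller's `permissions:` block is the ceiling for a called reusable workflow: if that workflow needs anything beyond `contents: read` (publishing check results, for instance), grant it with a job-level `permissions:` on that job rather than widening the root block. A reusable workflow pulled from a personal fork on a mutable branch runs with this repository's token and secrets, so moving the reference back to the organization repository at a pinned ref belongs in the same hardening pass.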
Comment on lines +25 to +68
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        project: ["dissolution"]
        shardIndex: [1, 2, 3, 4 ]
        shardTotal: [4]
    defaults:
      run:
        working-directory: ./web/${{ matrix.project }}
    env:
      CI: true
    container:
      image: mcr.microsoft.com/playwright:v1.54.0-noble
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 10
          run_install: false
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          cache: 'pnpm'
      - name: Install dependencies
        run: pnpm install
      - name: Generate Types
        run: pnpm postinstall
      - name: Install Playwright browsers
        run: npx playwright install --with-deps
      - name: Set basic env
        run: |
          cp .env.example .env
      - name: Run Playwright tests
        run: HOME=/root pnpm test:e2e --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
      - name: Upload blob report to GitHub Actions Artifacts
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: blob-report-${{ matrix.shardIndex }}
          path: web/${{ matrix.project }}/blob-report
          retention-days: 1

  merge-reports:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

To fix this problem, set a permissions: block at the workflow or job level to restrict the GITHUB_TOKEN to the least required privileges. The minimal permission for most read-only jobs is contents: read. This can be done either at the top level of the workflow (affecting all jobs that don’t set their own permissions), or per job. For clarity and safety, adding permissions: { contents: read } at the top/root is preferred, as none of the jobs shown need to write to the repo (just reading source and uploading/downloading artifacts, which are handled by the respective actions).
You should add the following just after the workflow name and before the on: block:

permissions:
  contents: read

This change only modifies the security context and does not affect workflow functionality.


Suggested changeset 1
.github/workflows/dissolution-ci.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dissolution-ci.yaml b/.github/workflows/dissolution-ci.yaml
--- a/.github/workflows/dissolution-ci.yaml
+++ b/.github/workflows/dissolution-ci.yaml
@@ -1,4 +1,6 @@
 name: Dissolution UI CI
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
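Review bot: this hunk is byte-identical to the previous suggested changeset for this file (same `@@ -1,4 +1,6 @@` range, same two added lines), so it is not a second change to make: if the earlier one is applied, `git apply` rejects this one on context, and there is nothing to gain by keeping both threads open. Accept one and dismiss the other so the alert list does not read as two outstanding fixes. For the `e2e-tests` job this thread points at, `contents: read` is enough: checkout, `pnpm install`, running Playwright and `actions/upload-artifact` do not need any write scope on the token.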
Comment on lines +69 to +99
    if: ${{ !cancelled() }}
    needs: [e2e-tests]
    strategy:
      fail-fast: false
      matrix:
        project: ["dissolution"]
    defaults:
      run:
        working-directory: ./web/${{ matrix.project }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: lts/*
      - name: Download blob reports from GitHub Actions Artifacts
        uses: actions/download-artifact@v4
        with:
          path: web/${{ matrix.project }}/all-blob-reports
          pattern: blob-report-*
          merge-multiple: true

      - name: Merge into HTML Report
        run: npx playwright merge-reports --reporter html ./all-blob-reports

      - name: Upload HTML report
        uses: actions/upload-artifact@v4
        with:
          name: html-report--attempt-${{ github.run_attempt }}
          path: web/${{ matrix.project }}/playwright-report
          retention-days: 2

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

To fix this issue, the workflow must explicitly set the permissions: key at the top level (recommended) or for each job. Since none of the shown jobs require more than basic artifact read/write, they likely only need contents: read, as CodeQL suggested. The best fix is to add the following block immediately after the workflow name: and before on: (after line 1 and before line 3):

permissions:
  contents: read

This configuration ensures that all jobs (unless overridden by a job-specific permissions block) will run with the minimum privileges required for most build jobs. If future jobs require more permissions, these can be granted as needed at the job level.

No other changes (imports, definitions, etc.) are necessary for YAML workflow modifications.


Suggested changeset 1
.github/workflows/dissolution-ci.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dissolution-ci.yaml b/.github/workflows/dissolution-ci.yaml
--- a/.github/workflows/dissolution-ci.yaml
+++ b/.github/workflows/dissolution-ci.yaml
@@ -1,5 +1,8 @@
 name: Dissolution UI CI
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths:
EOF
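Review bot: this `@@ -1,5 +1,8 @@` variant, with a blank line separating the new block from `on:`, is the more readable layout of the same fix, but it is mutually exclusive with the two `@@ -1,4 +1,6 @@` patches above for this file; choose this one or one of those, never more than one. Whichever lands, keep in mind that a root-level `permissions:` sets every scope not listed to none: the `merge-reports` job shown here (checkout, `actions/download-artifact`, `actions/upload-artifact`) keeps working under `contents: read`, but any job added later that has to write, for example to comment on the pull request, must declare that scope on the job itself.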
Comment on lines +15 to +42
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        project: ["base"]
        job: ['lint', 'build', 'test:unit'] # ['lint', 'typecheck', 'build', 'test:unit'] # TODO: fix typecheck
    defaults:
      run:
        working-directory: ./packages/layers/${{ matrix.project }}
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 10
          run_install: false
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          cache: 'pnpm'
      - name: Install dependencies
        run: pnpm install
      - name: Set basic env
        run: |
          cp .env.example .env
      - name: ${{ matrix.job }}
        run: pnpm ${{ matrix.job }}

  e2e-tests:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

To fix this issue, an explicit permissions block should be added to the workflow. This should be placed at the root of the workflow YAML (immediately after name: and before on:) so that it applies to all jobs unless a job-level override is needed. The minimal privilege sufficient for CI tasks is usually contents: read, which provides enough access for the workflow to check out code and access repository files but does not allow write or destructive operations. None of the steps shown require write access to the repository, so contents: read is an appropriate, minimal setting. If future jobs or steps require more permissions (such as for creating issues or comments), those can be scoped appropriately at the job level.

Changes to make:

  • Insert a block as follows after the workflow name::
    permissions:
      contents: read

No additional methods, imports, or external definitions are required.


Suggested changeset 1
.github/workflows/layers-base-ci.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/layers-base-ci.yaml b/.github/workflows/layers-base-ci.yaml
--- a/.github/workflows/layers-base-ci.yaml
+++ b/.github/workflows/layers-base-ci.yaml
@@ -1,4 +1,6 @@
 name: Base Layer CI
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
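Review bot: `contents: read` is the right scope for .github/workflows/layers-base-ci.yaml as shown: the matrix job checks out, installs with pnpm, copies `.env.example` and runs `pnpm lint`, `pnpm build` or `pnpm test:unit`, none of which call the GitHub API with the token. The one thing to add alongside the hunk is a short comment above `permissions:` stating that the block is deliberate and that extra scopes go on individual jobs, so a later contributor does not widen the root block to get a write scope for one job. Also note the `TODO: fix typecheck` entry in the matrix comment: when `typecheck` is re-enabled it should run under the same read-only token, which this hunk already guarantees.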
Comment on lines +67 to +97
  merge-reports:
    if: ${{ !cancelled() }}
    needs: [e2e-tests]
    strategy:
      fail-fast: false
      matrix:
        project: ["person-roles"]
    defaults:
      run:
        working-directory: ./web/${{ matrix.project }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: lts/*
      - name: Download blob reports from GitHub Actions Artifacts
        uses: actions/download-artifact@v4
        with:
          path: web/${{ matrix.project }}/all-blob-reports
          pattern: blob-report-*
          merge-multiple: true

      - name: Merge into HTML Report
        run: npx playwright merge-reports --reporter html ./all-blob-reports

      - name: Upload HTML report
        uses: actions/upload-artifact@v4
        with:
          name: html-report--attempt-${{ github.run_attempt }}
          path: web/${{ matrix.project }}/playwright-report

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

To fix the issue, add a permissions block specifying the least privileges needed. According to CodeQL and GitHub security guidelines, the minimal starting point is contents: read, which covers most CI and artifact upload workflows that do not need to write back to the repo (for example, creating releases or pushing code).

The best way to address this is to add a permissions: contents: read block at the workflow root (top-level), right after the name: and before on: so that all jobs inherit read-only permissions. If a specific job later requires more permissions, a job-level override can be used as needed. For the code snippet shown, this affects .github/workflows/person-roles-ci.yaml, and the new block should be inserted after line 1 (immediately after name: Business People UI CI), or before line 3 (on:).

No external imports or dependencies are needed.


Suggested changeset 1
.github/workflows/person-roles-ci.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/person-roles-ci.yaml b/.github/workflows/person-roles-ci.yaml
--- a/.github/workflows/person-roles-ci.yaml
+++ b/.github/workflows/person-roles-ci.yaml
@@ -1,4 +1,6 @@
 name: Business People UI CI
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
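Review bot: the `merge-reports` job this alert points at only downloads blob reports from the same run, merges them with `npx playwright merge-reports` and uploads the HTML report; artifact download and upload within a run work with the token at `contents: read`, so this root block does not break it. The hunk puts `permissions:` directly under `name: Business People UI CI` with no separating blank line; either layout is valid YAML, but the file should match whatever the other workflow files in this PR end up with. If another job in this file turns out to need a write scope, add a job-level `permissions:` there instead of changing this root block.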
Comment on lines +23 to +32
    uses: bcgov/bcregistry-sre/.github/workflows/frontend-cd.yaml@main
    with:
      target: ${{ inputs.target }}
      app_name: "business-registry-home"
      working_directory: "."
      node_version: 24
      pnpm_version: 10.0.0
    secrets:
      WORKLOAD_IDENTIFY_POOLS_PROVIDER: ${{ secrets.WORKLOAD_IDENTIFY_POOLS_PROVIDER }}
      GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

To fix this issue, you should add a permissions block to either the root of the workflow (making it default for all jobs) or directly to the relevant job(s). Given that this workflow only defines a single job (registry-home-ui-cd), you could add the block at either the job level or workflow level. The most conservative approach, following least-privilege, is to set permissions: {} (no permissions granted) unless you know the job needs access. If minimal read access is required (as with many "CD" deploy jobs), set permissions: read-all. If the deploy process involves, for example, updating deployments or creating releases, you must tailor this block further.

This fix will add permissions: {} at the top-level (just after name:), which means no permissions are granted to the GITHUB_TOKEN by default unless overridden in the called workflow.


Suggested changeset 1
.github/workflows/registry-home-cd.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/registry-home-cd.yaml b/.github/workflows/registry-home-cd.yaml
--- a/.github/workflows/registry-home-cd.yaml
+++ b/.github/workflows/registry-home-cd.yaml
@@ -1,4 +1,5 @@
 name: Registry Home UI CD
+permissions: {}
 
 on:
   push:
EOF
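Review bot: `permissions: {}` is the most restrictive choice, but for this CD workflow it is more likely to break the deploy than to harden it. The only job calls `bcgov/bcregistry-sre/.github/workflows/frontend-cd.yaml@main` and passes `WORKLOAD_IDENTIFY_POOLS_PROVIDER` and `GCP_SERVICE_ACCOUNT`, names that suggest Google Cloud workload identity federation; that flow requests an OIDC token from GitHub and therefore needs `id-token: write` on the calling job, and since a caller's `permissions:` is the ceiling for the called workflow, an empty block would have the token request denied. Read the called workflow and set exactly the scopes it uses (most likely `id-token: write` together with `contents: read`) rather than `{}`; the autofix text itself says a deploy job needs the block tailored. The `@main` reference on a workflow that holds deployment credentials is a mutable target; pinning it to a tag or commit SHA is a worthwhile follow-up.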
Comment on lines +16 to +24
    uses: pwei1018/bcregistry-sre/.github/workflows/frontend-ci.yaml@rollback-op
    with:
      app_name: "registry-home"
      working_directory: "./web/registry-home"
      codecov_flag: "registryhome"
      node_version: 24
      pnpm_version: 10.0.0

  e2e-tests:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

To fix this issue, the workflow file .github/workflows/registry-home-ci.yaml should be updated to include an explicit permissions: block. This can be set at the root of the workflow (so it applies to all jobs unless a job sets its own permissions), or for the specific job(s) in question. In this case, the best practice is to set it at the top, unless a more restrictive or broader scope is needed for specific jobs. For most CI workflows, contents: read is sufficient, unless the jobs perform GitHub API mutations such as pushing code, opening issues, or manipulating pull requests. Since the shown jobs focus on checking out code, running tests, and uploading artifacts, no write permissions are obviously needed, so contents: read is the minimal safe default.

Steps to implement:

  • Add a permissions: block at the root of the YAML file, right after the name: field, setting contents: read.

Suggested changeset 1
.github/workflows/registry-home-ci.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/registry-home-ci.yaml b/.github/workflows/registry-home-ci.yaml
--- a/.github/workflows/registry-home-ci.yaml
+++ b/.github/workflows/registry-home-ci.yaml
@@ -1,4 +1,6 @@
 name: Registry Home UI CI
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
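Review bot: as with dissolution-ci.yaml, this page carries three suggested changesets for .github/workflows/registry-home-ci.yaml that all rewrite lines 1-2; apply one of them, not all three. The job this alert is attached to calls `pwei1018/bcregistry-sre/.github/workflows/frontend-ci.yaml@rollback-op`, a personal fork on a branch, and a caller's `permissions:` is the ceiling for that called workflow: if it needs more than `contents: read` (for example to report coverage with `codecov_flag` through a check run), grant it on this job only. Beyond the permissions finding, a reusable workflow from an account outside the organization executes with this repository's token, so the reference should return to the organization repository at a pinned ref before merge.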
Comment on lines +25 to +66
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        project: ["registry-home"]
        shardIndex: [1, 2, 3, 4 ]
        shardTotal: [4]
    defaults:
      run:
        working-directory: ./web/${{ matrix.project }}
    env:
      CI: true
    container:
      image: mcr.microsoft.com/playwright:v1.54.0-noble
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 10
          run_install: false
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          cache: 'pnpm'
      - name: Install dependencies
        run: pnpm install
      - name: Install Playwright browsers
        run: npx playwright install --with-deps
      - name: Set basic env
        run: |
          cp .env.example .env
      - name: Run Playwright tests
        run: HOME=/root pnpm test:e2e --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
      - name: Upload blob report to GitHub Actions Artifacts
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: blob-report-${{ matrix.shardIndex }}
          path: web/${{ matrix.project }}/blob-report
          retention-days: 1

  merge-reports:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

To fix the problem, explicitly add a permissions block to the workflow, limiting the GitHub Actions GITHUB_TOKEN to read-only access to repository contents unless more is needed. Since the highlighted job (and other jobs) only require read access to fetch and test code, and upload artifacts using built-in actions, the minimal required permission is contents: read. This can be added at the workflow root (before jobs: line 14), which will apply to all jobs, unless a particular job needs further permissions (none do here, per the given code). No additional imports or logic are needed in the YAML—this is only a metadata declaration.


Suggested changeset 1
.github/workflows/registry-home-ci.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/registry-home-ci.yaml b/.github/workflows/registry-home-ci.yaml
--- a/.github/workflows/registry-home-ci.yaml
+++ b/.github/workflows/registry-home-ci.yaml
@@ -1,5 +1,8 @@
 name: Registry Home UI CI
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths:
EOF
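Review bot: same change as the preceding patch for this file, laid out with a blank line after the block; pick one layout, since the two hunks cannot both apply. The context lines show `paths:` filters under `pull_request:`, so this workflow only runs when a changed file matches the filter: make sure `.github/workflows/registry-home-ci.yaml` itself is covered (or run it once manually) so the read-only token is actually exercised by the commit that introduces it, rather than first being tested on a later unrelated change.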
Comment on lines +67 to +97
    if: ${{ !cancelled() }}
    needs: [e2e-tests]
    strategy:
      fail-fast: false
      matrix:
        project: ["registry-home"]
    defaults:
      run:
        working-directory: ./web/${{ matrix.project }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: lts/*
      - name: Download blob reports from GitHub Actions Artifacts
        uses: actions/download-artifact@v4
        with:
          path: web/${{ matrix.project }}/all-blob-reports
          pattern: blob-report-*
          merge-multiple: true

      - name: Merge into HTML Report
        run: npx playwright merge-reports --reporter html ./all-blob-reports

      - name: Upload HTML report
        uses: actions/upload-artifact@v4
        with:
          name: html-report--attempt-${{ github.run_attempt }}
          path: web/${{ matrix.project }}/playwright-report
          retention-days: 2

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

To fix this problem, add an explicit permissions block at the root level of the workflow (.github/workflows/registry-home-ci.yaml) to enforce least privilege for the GITHUB_TOKEN. Since the workflow only uses actions that interact with code, artifacts, and do not appear to require write access to repository contents, the minimal recommendation is to set permissions: contents: read, ensuring only read access to repository contents. If any job requires higher permissions, job-level permissions blocks can override the root, but based on the shown jobs (installing dependencies, running tests, working with artifacts), contents: read is sufficient. The change should be inserted after the name: and before on: for root-level effect (so all jobs inherit unless overridden).


Suggested changeset 1
.github/workflows/registry-home-ci.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/registry-home-ci.yaml b/.github/workflows/registry-home-ci.yaml
--- a/.github/workflows/registry-home-ci.yaml
+++ b/.github/workflows/registry-home-ci.yaml
@@ -1,4 +1,6 @@
 name: Registry Home UI CI
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
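Review bot: third suggested changeset for registry-home-ci.yaml and byte-identical to the one two threads up; one of the three is enough, and the remaining alert threads should be dismissed as duplicates once it is applied. On the `merge-reports` job itself, which this alert is attached to, nothing in the shown steps needs a write scope, so `contents: read` is sufficient; while touching this file it is worth aligning its `node-version: lts/*` with the `node-version: 24` used by `e2e-tests`, so the report merge runs on the same runtime as the tests that produced the blobs.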
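The autofix threads above all make the same point: a job runs with the default `GITHUB_TOKEN` scopes unless a `permissions:` block exists either at the workflow root or on the job, and a root block is inherited by every job that does not override it. The check below is an added example written for this page, not code from the PR or from the bcgov project, and not the CodeQL query itself: a dependency-free, line-based scan that reports the jobs in a workflow file that would run with implicit permissions, plus a helper that inserts the same root block the autofix patches add. The workflow text is constructed for the example (the organization, workflow path and job names are placeholders), and the function names are this example's own. It assumes the two-space indentation used by the workflows shown on this page.

```python
import re

# Matches a job key directly under `jobs:` (two-space indent, as in the
# workflows shown on this page).
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")

# The block the autofix patches above insert after `name:`.
PERMISSIONS_BLOCK = "permissions:\n  contents: read\n"


def parse_jobs(text: str) -> tuple[bool, dict[str, bool]]:
    """Line-based scan of a workflow.

    Returns (root_has_permissions, {job_name: job_has_permissions}).
    `permissions: {}` counts as explicit, the same way CodeQL treats it.
    """
    root_perms = False
    jobs: dict[str, bool] = {}
    in_jobs = False
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                       # a root-level key
            key = line.split(":", 1)[0]
            if key == "permissions":
                root_perms = True
            in_jobs = key == "jobs"
            current = None
            continue
        if not in_jobs:
            continue
        m = JOB_RE.match(line)
        if m:                                 # start of a job definition
            current = m.group(1)
            jobs[current] = False
            continue
        if current and indent == 4 and line.lstrip().startswith("permissions:"):
            jobs[current] = True              # job-level override present
    return root_perms, jobs


def jobs_missing_permissions(text: str) -> list[str]:
    """Names of jobs that would run with the implicit default token scopes."""
    root_perms, jobs = parse_jobs(text)
    if root_perms:
        return []     # the root block covers every job that does not override it
    return [name for name, has_block in jobs.items() if not has_block]


def add_root_permissions(text: str, block: str = PERMISSIONS_BLOCK) -> str:
    """Insert a root-level block right after `name:`, the edit the autofix makes."""
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.startswith("name:"):
            lines.insert(i + 1, block)
            return "".join(lines)
    return block + text   # no `name:` key, so the block goes first


# Constructed sample (not the real file) shaped like the CI workflows on this
# page: a reusable-workflow call, a sharded e2e job and a report-merge job.
BEFORE = """\
name: Example UI CI

on:
  pull_request:
    paths:
      - 'web/example/**'

jobs:
  example-ui-ci:
    uses: example-org/shared-workflows/.github/workflows/frontend-ci.yaml@main
    with:
      app_name: "example"

  e2e-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

  merge-reports:
    if: ${{ !cancelled() }}
    needs: [e2e-tests]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
"""

# Same workflow with only the e2e job carrying a job-level block: the other
# two jobs are still flagged, which is what the per-job alerts above show.
JOB_LEVEL = BEFORE.replace(
    "  e2e-tests:\n", "  e2e-tests:\n    permissions:\n      contents: read\n", 1
)

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("job-level only", JOB_LEVEL),
                      ("root fix", add_root_permissions(BEFORE))):
        print(f"{label}: missing -> {jobs_missing_permissions(wf)}")
```

Run against a real checkout by reading each file under `.github/workflows/` and passing its text to `jobs_missing_permissions`; a non-empty list is the same condition the "Workflow does not contain permissions" alert reports. The scan deliberately treats `permissions: {}` as explicit, since an empty block is a valid least-privilege choice for a job that never touches the GitHub API, while the ceiling rule for reusable workflows (the caller's block bounds the called workflow) is something a line-based check cannot see and still has to be verified by reading the called workflow.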
@severinbeauvais
Collaborator

I see a code conflict and I'd like to see all the checks passing if possible.

Collaborator

@thorwolpert thorwolpert left a comment


Nice, maybe add an issue with followup for the permission settings.

@deetz99
Collaborator Author

deetz99 commented Dec 17, 2025

@cameron-eyds @severinbeauvais @thorwolpert

Sorry folks I goofed this PR, please use #344.

Closing.

@deetz99 deetz99 closed this Dec 17, 2025

5 participants