Conversation
- Update Dockerfile CMD to `facet serve`, add EXPOSE 3000
- Add chart/ with deployment, service, health probes
- Add ct.yaml and helm-test.yml workflow (lint + kind install)
ct install detects no chart changes on new charts. Switch to helm install with --wait, then verify /healthz and /render endpoints.
| name: Lint | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - uses: azure/setup-helm@v4 | ||
|
|
||
| - name: Lint chart | ||
| run: helm lint chart/ | ||
|
|
||
| e2e: |
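Review bot: both actions in the lint job (`actions/checkout@v4`, `azure/setup-helm@v4`) are pinned to mutable major tags; pin each to a full commit SHA with the tag kept in a trailing comment so a retagged or compromised release cannot change what the job runs, and consider `helm lint --strict chart/` so lint warnings fail the job instead of passing silently.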
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 10 days ago
In general, the fix is to add an explicit permissions block to restrict the GITHUB_TOKEN to the least privileges necessary. Since this workflow only checks out the repository and runs Helm/Kind/Docker/kubectl commands, it only needs read access to repository contents. The safest, minimal change is to define permissions: contents: read at the workflow root so it applies to all jobs (lint and e2e).
Concretely, in .github/workflows/helm-test.yml, add a permissions section near the top-level (e.g., after the on: block). This will not alter existing steps’ behavior because actions/checkout@v4 works with contents: read. No imports or additional methods are required since this is a YAML configuration change only.
| @@ -16,6 +16,9 @@ | ||
| - "Dockerfile" | ||
| - ".github/workflows/helm-test.yml" | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| lint: | ||
| name: Lint |
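Review bot: `contents: read` at the workflow root is the correct and sufficient scope here: it applies to both the lint and e2e jobs, checkout works with read access, and the e2e steps only build and `kind load` a local image tag without pushing to the registry, so no `packages: write` is needed either.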
| name: Install on Kind | ||
| runs-on: ubuntu-latest | ||
| needs: lint | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - uses: azure/setup-helm@v4 | ||
|
|
||
| - uses: helm/kind-action@v1 | ||
| with: | ||
| cluster_name: ct | ||
|
|
||
| - name: Build and load image into Kind | ||
| run: | | ||
| docker build -t ghcr.io/flanksource/facet:test . | ||
| kind load docker-image ghcr.io/flanksource/facet:test --name ct | ||
|
|
||
| - name: Install chart | ||
| run: | | ||
| helm install facet chart/ \ | ||
| --set image.tag=test \ | ||
| --set image.pullPolicy=Never \ | ||
| --set facet.templatesDir=/app/examples \ | ||
| --wait --timeout 120s | ||
|
|
||
| - name: Verify healthz | ||
| run: | | ||
| kubectl port-forward svc/facet 3000:3000 & | ||
| sleep 3 | ||
| curl -sf http://localhost:3000/healthz | tee /dev/stderr | grep -q '"status":"ok"' | ||
|
|
||
| - name: Verify render endpoint | ||
| run: | | ||
| curl -sf -X POST http://localhost:3000/render \ | ||
| -H 'Content-Type: application/json' \ | ||
| -d '{"template":"SimpleReport","format":"html","data":{"title":"CI Test","sections":[]}}' \ | ||
| -o /tmp/render-output.html | ||
| SIZE=$(stat -c%s /tmp/render-output.html) | ||
| echo "Rendered HTML size: ${SIZE} bytes" | ||
| if [ "$SIZE" -lt 100 ]; then | ||
| echo "ERROR: rendered output too small" | ||
| exit 1 | ||
| fi | ||
| echo "Render test passed" |
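Review bot: the `Verify healthz` step backgrounds `kubectl port-forward` and waits a fixed `sleep 3`, and the separate `Verify render endpoint` step then assumes that forward is still listening; make this robust by doing both verifications in one step (or re-running the port-forward there) and replacing the sleep with a short retry loop on `curl -sf http://localhost:3000/healthz`. The render check only asserts the output is at least 100 bytes; grepping the file for the submitted title `CI Test` would confirm the template actually rendered the posted data rather than an error page.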
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 10 days ago
In general, the fix is to add an explicit permissions block either at the top level of the workflow (applying to all jobs) or per job, granting only the minimal scopes required. Since this workflow only checks out code and runs Helm/Kind/docker/kubectl/curl locally, it should be safe to restrict GITHUB_TOKEN to read-only access to repository contents.
The best minimal fix without changing existing functionality is to add a root-level permissions block, just below the name: declaration (and before on:), setting contents: read. This will apply to both lint and e2e jobs, and none of the current steps rely on higher privileges. No imports or additional methods are needed; this is a pure YAML configuration change in .github/workflows/helm-test.yml.
Concretely, modify .github/workflows/helm-test.yml around line 1–4 to insert:
permissions:
  contents: read
so that the workflow explicitly limits GITHUB_TOKEN to read-only access to repository contents.
| @@ -1,5 +1,8 @@ | ||
| name: Helm Chart Test | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main] |
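Review bot: this is the same root-level `permissions: contents: read` block the earlier suggestion inserts after the `on:` section; merge only one of the two, since a second top-level `permissions` key would be a duplicate mapping key and the workflow would fail to parse. Placing it directly below `name:` as shown here is fine.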
Use post-render DOM injection to clone the first .datasheet-header and .datasheet-footer as position:fixed elements, then hide the originals. Chromium's print renderer repeats fixed elements on every page. Negative top/bottom offsets place them in the margin area so content doesn't overlap.
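The DOM injection this commit describes, as an added illustration that is not code from the PR: the `.datasheet-header` and `.datasheet-footer` class names come from the message, while the margin size and the `-fixed` class suffix are assumptions.

```javascript
// Added example (not the PR's code): post-render injection that makes Chromium's
// print renderer repeat the header and footer on every page. The first
// .datasheet-header / .datasheet-footer are cloned into position:fixed bars, the
// originals are hidden, and a negative top/bottom offset pushes the clones into the
// page margin so they do not overlap body content. `doc` is the page document
// (e.g. run inside Puppeteer's page.evaluate) or any DOM-like object.
function injectRepeatingHeaderFooter(doc, opts = {}) {
  const marginMm = opts.marginMm ?? 12; // assumed printable page margin in mm
  const targets = [
    { cls: 'datasheet-header', edge: 'top' },
    { cls: 'datasheet-footer', edge: 'bottom' },
  ];
  const injected = [];
  for (const { cls, edge } of targets) {
    const original = doc.querySelector('.' + cls);
    if (!original) continue; // nothing to repeat for this edge
    // Clone before hiding, so the clone does not inherit display:none.
    const clone = original.cloneNode(true);
    clone.classList.add(cls + '-fixed'); // assumed marker class for styling/debugging
    // Fixed-position elements are re-painted on each printed page by Chromium.
    clone.style.position = 'fixed';
    clone.style.left = '0';
    clone.style.right = '0';
    // Negative offset moves the bar into the margin area, off the content box.
    clone.style[edge] = `-${marginMm}mm`;
    original.style.display = 'none';
    doc.body.appendChild(clone);
    injected.push({ cls, edge, offset: clone.style[edge] });
  }
  return injected; // what was injected, for logging or assertions
}

// In a browser/page context, apply to the live document after rendering.
if (typeof document !== 'undefined') {
  injectRepeatingHeaderFooter(document);
}
```

Call it after the report HTML has rendered and before the print-to-PDF step, otherwise the clones are not present when Chromium paginates.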
- Add request parsing for multipart, JSON, and gzip payloads
- Add route handlers for PDF generation and preview
- Add S3 upload support for generated artifacts
- Add worker pool for concurrent PDF generation
- Add template resolution and archive extraction
- Add config, auth, and error handling modules
- Refactor preview server into modular structure
Summary
- `facet serve`, add EXPOSE 3000 and `/templates` dir
- `chart/` with deployment, service, healthz probes
- `ct.yaml` and `helm-test.yml` workflow (lint + kind install e2e)
Test plan
- `helm lint chart/` passes locally
- `ct install` succeeds