* feat: create auco cli
* chore: update lockfile
* feat: restructure to monorepo
* feat: reset dev mode
* chore: remove yarn lock
* chore: fix lockfile
* feat: CI release

---------

Co-authored-by: Rick <rsulisthio@gmail.com>
Co-authored-by: Richard (Rick) <53423618+metalboyrick@users.noreply.github.com>
* feat: update starknet js to 9.3.0
* chore: update package json
* chore: adhere to monorepo format
* chore: delete yarn lock
| if: github.event.pull_request.merged == true | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| SHOULD_RUN: ${{ steps.check_commit.outputs.SHOULD_RUN }} | ||
| steps: | ||
| - name: Checkout Files | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ secrets.ORG_GITHUB_TOKEN }} | ||
| fetch-depth: 0 # Need full git history for logs | ||
|
|
||
| - name: check if skip ci | ||
| id: check_commit | ||
| run: | | ||
| COMMIT_MESSAGE=$(git log -1 --pretty=%B) | ||
| if [[ "$COMMIT_MESSAGE" == *"[skip ci]"* ]]; then | ||
| echo "SHOULD_RUN=false" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "SHOULD_RUN=true" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
| version-bump-create-auco: |
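Review bot: the check_commit job only runs `git log -1 --pretty=%B`, yet its checkout step authenticates with `token: ${{ secrets.ORG_GITHUB_TOKEN }}` and fetches full history with `fetch-depth: 0`; the default GITHUB_TOKEN with read access is enough for a read-only job, and `git log -1` needs only the tip commit, so the "Need full git history for logs" comment does not hold. This job is also where the missing `permissions:` block reported by CodeQL applies; declaring `contents: read` (at the root or on this job) documents that nothing here writes to the repository.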
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 16 hours ago
In general, the fix is to explicitly declare a permissions: block in the workflow (either at the root or per job) that grants only the scopes required. This prevents the workflow from inheriting overly broad default token permissions and documents exactly what the workflow needs.
For this specific workflow, the version-bump-create-auco job pushes commits and tags to the main branch using git, which requires repository contents write access. Even though it uses secrets.ORG_GITHUB_TOKEN, it is still best practice to constrain the GITHUB_TOKEN as well. The check_commit job only reads commit messages and does not need write access, so read-only is sufficient there. The simplest, least-disruptive change is to add a root-level permissions: block applying to all jobs, granting contents: write (so any job that might need to write can do so) and defaulting other scopes to none. This avoids any behavior change beyond what is already implicitly allowed by the current defaults, while documenting and constraining the scope.
Concretely, edit .github/workflows/release-create-auco.yaml and insert a permissions: section just after the name: declaration and before the on: block:
name: Version Bump and Publish Create Auco
permissions:
  contents: write
on:
  pull_request:
    ...

No additional methods, imports, or external definitions are needed; this is purely a YAML workflow configuration change.
| @@ -1,5 +1,8 @@ | ||
| name: Version Bump and Publish Create Auco | ||
|
|
||
| permissions: | ||
| contents: write | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [closed] |
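Review bot: `contents: write` is broader than this workflow needs for GITHUB_TOKEN. Both pushes (`git push origin main --follow-tags`) run with `secrets.ORG_GITHUB_TOKEN` and `npm publish` authenticates with `NPM_TOKEN`, so the built-in token is only used by actions/checkout. Prefer `contents: read` at the root, and if a job later needs to write through the built-in token, grant `contents: write` on that job alone rather than globally.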
| needs: check_commit | ||
| if: ${{ needs.check_commit.outputs.SHOULD_RUN != 'false' }} | ||
| runs-on: ubuntu-22.04 | ||
| defaults: | ||
| run: | ||
| working-directory: packages/create-auco | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ secrets.ORG_GITHUB_TOKEN }} | ||
| fetch-depth: 0 # Need full git history for version bumping | ||
|
|
||
| - name: Determine version bump type | ||
| id: version | ||
| run: | | ||
| commit_message=$(git log -1 --pretty=%B) | ||
| if [[ "$commit_message" == *"[major]"* ]]; then | ||
| echo "type=major" >> "$GITHUB_ENV" | ||
| elif [[ "$commit_message" == *"[minor]"* ]]; then | ||
| echo "type=minor" >> "$GITHUB_ENV" | ||
| elif [[ "$commit_message" == *"[prerelease]"* ]]; then | ||
| echo "type=prerelease --preid=rc" >> "$GITHUB_ENV" | ||
| else | ||
| echo "type=patch" >> "$GITHUB_ENV" | ||
| fi | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| registry-url: 'https://registry.npmjs.org/' | ||
|
|
||
| - name: Install dependencies | ||
| working-directory: . | ||
| run: npm install | ||
|
|
||
| - name: Bump version and commit (create-auco) | ||
| run: | | ||
| # Ensure we are on main and up to date | ||
| git reset --hard HEAD | ||
| git pull origin main --no-rebase --strategy=ort --no-edit | ||
|
|
||
| # Configure git user | ||
| git config --global user.name 'github-actions[bot]' | ||
| git config --global user.email 'github-actions[bot]@users.noreply.github.com' | ||
|
|
||
| # Bump version for create-auco package | ||
| new_version=$(npm version ${{ env.type }} -m "chore(release:create-auco): %s [skip ci]") | ||
| echo "NEW_VERSION=${new_version}" >> "$GITHUB_ENV" | ||
|
|
||
| # Push the version bump commit and tag | ||
| git push origin main --follow-tags | ||
|
|
||
| - name: Build create-auco | ||
| run: npm run build | ||
|
|
||
| - name: Publish create-auco to NPM | ||
| run: npm publish | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
|
|
||
| - name: Notify Slack on Success | ||
| if: success() | ||
| uses: slackapi/slack-github-action@v1.26.0 | ||
| with: | ||
| channel-id: ${{ secrets.SLACK_CHANNEL_ID }} | ||
| slack-message: '✅ Version bump & publish successful for create-auco: ${{ env.NEW_VERSION }}' | ||
| env: | ||
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | ||
|
|
||
| - name: Notify Slack on Failure | ||
| if: failure() | ||
| uses: slackapi/slack-github-action@v1.26.0 | ||
| with: | ||
| channel-id: ${{ secrets.SLACK_CHANNEL_ID }} | ||
| slack-message: '❌ Version bump or publish failed for create-auco on main: ${{ github.ref_name }}' | ||
| env: | ||
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} |
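Review bot: `npm version ${{ env.type }}` in the "Bump version and commit (create-auco)" step tags the commit with the default `v<version>` prefix, and `--follow-tags` pushes that tag to the shared repository; since this PR restructures the repo into a monorepo, a second package released the same way will collide on tag names. Set a package-specific prefix (npm's `tag-version-prefix` config, e.g. `create-auco-v`, in the package's `.npmrc` or on the command line) before this is reused. Two smaller points in the same region: the checkout runs on a `pull_request` event without `ref: main`, so the "Ensure we are on main" step is pulling main into whatever checkout landed on rather than checking main out; adding `ref: main` to the checkout `with:` block would make `git push origin main` unambiguous. And the failure message `'... on main: ${{ github.ref_name }}'` will not print `main` on a pull_request event, where `github.ref_name` is the PR merge ref; use `github.event.pull_request.base.ref` or drop the suffix.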
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 16 hours ago
In general, the fix is to add an explicit permissions: block to the workflow (either at the top level or per job) that grants only the minimal permissions needed. Since this workflow uses a separate personal/organization token for git pushes and relies on npm and Slack secrets for external operations, the GITHUB_TOKEN itself does not appear to require any write permissions. The safest minimal set is contents: read, which allows checkout and reading repository contents but not writing to them via GitHub APIs.
The best fix without changing functionality is to add a root-level permissions: block just under the name: (and before on:), so that it applies to both check_commit and version-bump-create-auco jobs. This will satisfy CodeQL and document the intended token scope. No new imports, methods, or other definitions are needed, as this is purely a workflow configuration change.
Concretely, in .github/workflows/release-create-auco.yaml, add:

permissions:
  contents: read

between the existing line 1 (name: ...) and line 3 (on:). No other lines need to be modified.
| @@ -1,5 +1,8 @@ | ||
| name: Version Bump and Publish Create Auco | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [closed] |
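Review bot: this is the suggestion to take over the `contents: write` variant. With git pushes on `ORG_GITHUB_TOKEN` and publishing on `NPM_TOKEN`, the built-in token is only used for checkout, so `contents: read` at the root is sufficient and covers both check_commit and version-bump-create-auco. One caveat to record next to it: if `npm publish` is later switched to provenance attestations, the publish job will additionally need `id-token: write`, which should then be granted on that job only.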