port over github actions from pxt-microbit #386
| runs-on: ubuntu-latest | ||
| outputs: | ||
| is_merged_pr: ${{ steps.parse-check-pr.outputs.is_merged_pr }} | ||
| pr_head_sha: ${{ steps.parse-check-pr.outputs.pr_head_sha }} | ||
| steps: | ||
| - name: Check if this commit is from a merged PR | ||
| id: check-pr | ||
| uses: actions/github-script@v7 | ||
| with: | ||
| result-encoding: string | ||
| script: | | ||
| const commitSha = context.sha; | ||
| const { data: prs } = await github.rest.repos.listPullRequestsAssociatedWithCommit({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| commit_sha: commitSha | ||
| }); | ||
|
|
||
| if (!prs.length) { | ||
| core.info('No PRs associated with this commit.'); | ||
| return JSON.stringify({ is_merged_pr: false, pr_head_sha: '' }); | ||
| } | ||
|
|
||
| const mergedPr = prs.find(pr => pr.merged_at !== null); | ||
|
|
||
| if (!mergedPr) { | ||
| core.info('PRs found, but none were merged.'); | ||
| return JSON.stringify({ is_merged_pr: false, pr_head_sha: '' }); | ||
| } | ||
|
|
||
| core.info(`Found merged PR head SHA: ${mergedPr.head.sha}`); | ||
| return JSON.stringify({ is_merged_pr: true, pr_head_sha: mergedPr.head.sha }); | ||
|
|
||
| - name: Parse outputs | ||
| id: parse-check-pr | ||
| shell: bash | ||
| run: | | ||
| echo "Parsing result: ${{ steps.check-pr.outputs.result }}" | ||
| echo "is_merged_pr=$(jq -r '.is_merged_pr' <<< '${{ steps.check-pr.outputs.result }}')" >> $GITHUB_OUTPUT | ||
| echo "pr_head_sha=$(jq -r '.pr_head_sha' <<< '${{ steps.check-pr.outputs.result }}')" >> $GITHUB_OUTPUT |
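Review bot: the "Parse outputs" step (last three lines of this job) interpolates `${{ steps.check-pr.outputs.result }}` straight into a `run:` shell script, three times. Here the value is JSON the previous step built itself, so it only ever holds a boolean and a SHA, but this is exactly the expression-injection pattern GitHub's hardening guidance and CodeQL's `actions/code-injection` query warn about, and it will become dangerous the moment a less constrained value is routed the same way. Either pass it through `env:` (e.g. `env: RESULT: ${{ steps.check-pr.outputs.result }}` and then `jq -r '.is_merged_pr' <<< "$RESULT"`), or drop the parse step entirely and have the github-script step call `core.setOutput('is_merged_pr', ...)` and `core.setOutput('pr_head_sha', ...)` directly. A second, smaller point: `prs.find(pr => pr.merged_at !== null)` accepts any merged PR associated with the commit; comparing `pr.merge_commit_sha` to `context.sha` would tie the result to the PR that was actually merged as this commit.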
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix, AI, about 1 month ago:
To fix this problem, you should explicitly define a permissions key in the workflow. This can be done at the top level to cover all jobs, or at the job level for more granularity. In this workflow, since the jobs only need to read repository information and pull request metadata, the most restrictive appropriate permission is contents: read (and potentially pull-requests: read, but for most metadata-only workflows, contents: read suffices; however, for querying PRs, pull-requests: read is safest and recommended). The fix is to add:

    permissions:
      contents: read
      pull-requests: read

at the top of the file, after the name: line and before the on: block, or at the check-pr job level. Placing it at the workflow root is simplest and will apply to all jobs, as the example recommends.
| @@ -1,5 +1,9 @@ | ||
| name: Check if the commit is part of a merged PR | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
|
|
||
| on: | ||
| workflow_call: | ||
| outputs: |
| runs-on: ubuntu-latest | ||
| outputs: | ||
| is_vtag: ${{ steps.check-tag.outputs.is_vtag }} | ||
| tag: ${{ steps.check-tag.outputs.tag }} | ||
| steps: | ||
| - name: Inputs | ||
| run: | | ||
| echo "GITHUB_REF_TYPE=${GITHUB_REF_TYPE}" | ||
| echo "GITHUB_REF_NAME=${GITHUB_REF_NAME}" | ||
| - name: Check tag pattern | ||
| id: check-tag | ||
| run: | | ||
| if [[ "${GITHUB_REF_TYPE}" == "tag" && "${GITHUB_REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | ||
| echo "is_vtag=true" >> "$GITHUB_OUTPUT" | ||
| echo "tag=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "is_vtag=false" >> "$GITHUB_OUTPUT" | ||
| fi | ||
| - name: Outputs | ||
| run: echo "Step output is_vtag = ${{ steps.check-tag.outputs.is_vtag }}" && echo "Step output tag = ${{ steps.check-tag.outputs.tag }}" |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix, AI, about 1 month ago:
To address the issue, add a permissions: block to restrict the GITHUB_TOKEN to least privilege, specifically at the root of the workflow (recommended, so all jobs inherit it unless individually overridden). In this workflow, no steps interact with the repository or perform any write operations; the only activity is reading environment variables and echoing outputs, so contents: read is suitable. The fix consists of inserting a block like:

    permissions:
      contents: read

directly below the workflow name: field and before on: (or anywhere before jobs:). No other changes, imports, or definitions are required.
| @@ -1,4 +1,6 @@ | ||
| name: Whether the tag is a semver tag | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_call: |
| uses: ./.github/workflows/check-if-merged-pr.yml | ||
|
|
||
| check-merge-outputs: |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix, AI, about 1 month ago:
To fix this problem, add an explicit permissions: block at the root of your workflow YAML. Set the global default to contents: read for least privilege. For the job that needs to push a tag to the repository (tag-version), override the global permissions by setting permissions: contents: write for that job only. This approach minimizes exposure by limiting write rights to only where necessary. You should add the global permissions: block after the name key (line 1) and before the on key (line 3), and add a permissions: block specifically for the tag-version job.
| @@ -1,4 +1,6 @@ | ||
| name: Tag version on merged bump commit | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_call: | ||
| @@ -22,6 +24,8 @@ | ||
| echo "pr_head_sha = '${{ needs.check-merge.outputs.pr_head_sha }}'" | ||
|
|
||
| tag-version: | ||
| permissions: | ||
| contents: write | ||
| needs: check-merge | ||
| if: fromJSON(needs.check-merge.outputs.is_merged_pr || 'false') == true | ||
| runs-on: ubuntu-latest |
| needs: check-merge | ||
| runs-on: ubuntu-latest | ||
| if: always() | ||
| steps: | ||
| - name: check-merge outputs | ||
| run: | | ||
| echo "is_merged_pr = '${{ needs.check-merge.outputs.is_merged_pr }}'" | ||
| echo "pr_head_sha = '${{ needs.check-merge.outputs.pr_head_sha }}'" | ||
|
|
||
| tag-version: |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix, AI, about 1 month ago:
The best fix is to add an explicit permissions block to the workflow, ideally at the root level so that all jobs inherit it. Since the only job requiring write access is tag-version (for tagging and pushing a tag), most jobs could run with contents: read, while tag-version requires contents: write. If you want maximum specificity and minimum permissions, set permissions: contents: read at the root/workflow level, and override with permissions: contents: write for the tag-version job. This matches the recommendations and examples in the warning background.
Steps:
- Add at the top of the workflow: permissions: contents: read
- Under tag-version:, add: permissions: contents: write
No new imports or new methods are needed; this is a declarative change in the YAML configuration.
| @@ -1,5 +1,8 @@ | ||
| name: Tag version on merged bump commit | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_call: | ||
| outputs: | ||
| @@ -25,6 +28,8 @@ | ||
| needs: check-merge | ||
| if: fromJSON(needs.check-merge.outputs.is_merged_pr || 'false') == true | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| outputs: | ||
| did_tag: ${{ steps.tag-op.outputs.did_tag }} | ||
| tag: ${{ steps.tag-op.outputs.tag }} |
| needs: check-merge | ||
| if: fromJSON(needs.check-merge.outputs.is_merged_pr || 'false') == true | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| did_tag: ${{ steps.tag-op.outputs.did_tag }} | ||
| tag: ${{ steps.tag-op.outputs.tag }} | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Tag commit if it's a version bump | ||
| id: tag-op | ||
| shell: bash | ||
| run: | | ||
| set -euxo pipefail | ||
|
|
||
| COMMIT_SHA="${{ github.sha }}" | ||
| echo "==> Current merge commit SHA: $COMMIT_SHA" | ||
|
|
||
| echo "==> Fetching commit message..." | ||
| COMMIT_MSG=$(git log -1 --pretty=%s "$COMMIT_SHA") | ||
| echo "==> Commit message: '$COMMIT_MSG'" | ||
|
|
||
| TAGGED=false | ||
|
|
||
| # Check if commit matches bump pattern and PR# | ||
| if [[ "$COMMIT_MSG" =~ \[pxt-cli\]\ bump\ version\ to\ v([0-9]+\.[0-9]+\.[0-9]+)\ \(\#[0-9]+\) ]]; then | ||
| VERSION="v${BASH_REMATCH[1]}" | ||
| echo "==> Detected bump version: $VERSION" | ||
|
|
||
| # Check if tag already exists | ||
| if git rev-parse "$VERSION" >/dev/null 2>&1; then | ||
| echo "::warning::Tag $VERSION already exists — skipping tagging." | ||
| else | ||
| echo "==> Tagging $COMMIT_SHA with $VERSION" | ||
| git tag "$VERSION" "$COMMIT_SHA" | ||
| git push origin "$VERSION" | ||
| echo "tag=$VERSION" >> "$GITHUB_OUTPUT" | ||
| TAGGED=true | ||
| fi | ||
| else | ||
| echo "==> No merged bump commit detected — skipping tag creation." | ||
| fi | ||
|
|
||
| echo "==> did_tag=$TAGGED" | ||
| echo "did_tag=$TAGGED" >> "$GITHUB_OUTPUT" | ||
|
|
||
| not-tag-version: |
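Review bot: a tag pushed with GITHUB_TOKEN, which is the credential `actions/checkout` leaves in the clone here (`token: ${{ secrets.GITHUB_TOKEN }}` is already the default, so that `with:` line is redundant), does not trigger `on: push` or `on: push: tags` workflows; GitHub suppresses those events for token-created refs to prevent recursive runs. If the semver-tag workflow ported in this same PR is expected to fire on the new `vX.Y.Z` tag, this `git push origin "$VERSION"` will not do it; either consume this workflow's `tag`/`did_tag` outputs from the caller, or push with a GitHub App token or deploy key. Two smaller points in the same hunk: `actions/checkout@v3` should move to `@v4` (the sibling workflow already uses `github-script@v7`), and `COMMIT_SHA="${{ github.sha }}"` can read `$GITHUB_SHA` instead, keeping the script free of `${{ }}` interpolation like the rest of it already is.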
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix, AI, about 1 month ago:
To resolve the issue, add a permissions block to the workflow, specifying only the minimal required scopes for each job. At a minimum, the workflow requires contents: read to check out code, and specifically in the tag-version job, it also needs contents: write to create and push new tags. You should define the least required permissions at job level where escalation is needed (tag-version), otherwise use contents: read globally. This fix should be made in .github/workflows/tag-bump-commit.yml by adding permissions: contents: read at the top level, and overriding with permissions: contents: write for the tag-version job.
| @@ -1,4 +1,6 @@ | ||
| name: Tag version on merged bump commit | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_call: | ||
| @@ -25,6 +27,8 @@ | ||
| needs: check-merge | ||
| if: fromJSON(needs.check-merge.outputs.is_merged_pr || 'false') == true | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| outputs: | ||
| did_tag: ${{ steps.tag-op.outputs.did_tag }} | ||
| tag: ${{ steps.tag-op.outputs.tag }} |
| needs: check-merge | ||
| if: fromJSON(needs.check-merge.outputs.is_merged_pr || 'false') == false | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| did_tag: false | ||
| steps: | ||
| - run: echo "No tag because not a PR merge." | ||
|
|
||
| return: |
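Review bot: the `did_tag: false` output declared on `not-tag-version` is never read. The `return` job computes its `did_tag` from `needs.tag-version.outputs.did_tag || false` alone, so this output (and the job, whose single step only echoes) can be dropped, or `return` should use `needs.not-tag-version.outputs.did_tag` as the fallback so the intent is explicit and the two jobs stay in sync.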
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix, AI, about 1 month ago:
The best way to fix this problem is to add a permissions block to the workflow, either at the root (for all jobs) or per-job as needed. The tag-version job requires contents: write permission to create and push tags. Other jobs—check-merge, check-merge-outputs, not-tag-version, and return—most likely only need contents: read or none at all, depending on their operations (they mostly echo outputs, run shell commands, and use reusable workflow). To follow principle of least privilege, specify the needed permissions for each job. For maximum clarity and security, add minimal permissions per job, with broad permissions avoided wherever possible.
In detail:
- For jobs that only read workflow state and echo outputs (not-tag-version, return, check-merge-outputs, check-merge): set permissions: contents: read.
- For tag-version: set permissions: contents: write since it creates tags (write to repository contents).
- Insert the permissions: key at the correct indentation level for each job.
| @@ -9,9 +9,13 @@ | ||
|
|
||
| jobs: | ||
| check-merge: | ||
| permissions: | ||
| contents: read | ||
| uses: ./.github/workflows/check-if-merged-pr.yml | ||
|
|
||
| check-merge-outputs: | ||
| permissions: | ||
| contents: read | ||
| needs: check-merge | ||
| runs-on: ubuntu-latest | ||
| if: always() | ||
| @@ -22,6 +23,8 @@ | ||
| echo "pr_head_sha = '${{ needs.check-merge.outputs.pr_head_sha }}'" | ||
|
|
||
| tag-version: | ||
| permissions: | ||
| contents: write | ||
| needs: check-merge | ||
| if: fromJSON(needs.check-merge.outputs.is_merged_pr || 'false') == true | ||
| runs-on: ubuntu-latest | ||
| @@ -72,6 +75,8 @@ | ||
| echo "did_tag=$TAGGED" >> "$GITHUB_OUTPUT" | ||
|
|
||
| not-tag-version: | ||
| permissions: | ||
| contents: read | ||
| needs: check-merge | ||
| if: fromJSON(needs.check-merge.outputs.is_merged_pr || 'false') == false | ||
| runs-on: ubuntu-latest | ||
| @@ -81,6 +86,8 @@ | ||
| - run: echo "No tag because not a PR merge." | ||
|
|
||
| return: | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| needs: [tag-version, not-tag-version] | ||
| if: always() |
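Review bot: `permissions: contents: read` on the `check-merge` job (first hunk) is too narrow for what it calls. That job `uses:` check-if-merged-pr.yml, whose github-script step calls `listPullRequestsAssociatedWithCommit`, and a called workflow can only downgrade the token permissions the calling job passes in, so the `pull-requests: read` that the autofix on check-if-merged-pr.yml itself recommends has to be granted here as well: `permissions: contents: read` plus `pull-requests: read` on `check-merge`. The remaining per-job `contents: read` blocks are fine as written, and `contents: write` on `tag-version` matches the `git push` there.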
| runs-on: ubuntu-latest | ||
| needs: [tag-version, not-tag-version] | ||
| if: always() | ||
| outputs: | ||
| did_tag: ${{ needs.tag-version.outputs.did_tag || false }} | ||
| steps: | ||
| - run: echo "Returning did_tag = ${{ needs.tag-version.outputs.did_tag || false }}" | ||
| - run: echo "Returning tag = ${{ needs.tag-version.outputs.tag || '' }}" |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix, AI, about 1 month ago:
To fix the problem, add a permissions block at the root of the workflow file (.github/workflows/tag-bump-commit.yml). This block should specify the minimal permissions required for the workflow. Because there are steps that need to create and push tags (write access to contents) but do not appear to access other resources like issues or pull requests, set contents: write and consider other permissions as needed. This block must be inserted below the workflow name, before on:. If, upon future review, any jobs require additional permissions (such as pull-requests: write), adjust accordingly at the job level. For now, the single best fix is to add, after line 1, the following block:

    permissions:
      contents: write

Optionally, if jobs only require read access, use read, but given the workflow's need to create tags (git push), write is required.
| @@ -1,4 +1,6 @@ | ||
| name: Tag version on merged bump commit | ||
| permissions: | ||
| contents: write | ||
|
|
||
| on: | ||
| workflow_call: |
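Review bot: this variant sets `contents: write` at the workflow root, which hands write access to every job in the file, including `check-merge-outputs`, `not-tag-version` and `return`, whose steps only echo values, and to the reusable workflow called by `check-merge`. It contradicts the other autofix suggestions on this PR for the same file, which keep `contents: read` at the root and scope `contents: write` to `tag-version` alone. Take one of those instead; only `tag-version` runs `git push`.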
As the title says, this ports over the GitHub Actions workflows from pxt-microbit. Also updates pxt-core to the version required for npm trusted publishing.
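The merged-PR check that this PR ports in check-if-merged-pr.yml, as an added example that is not code from this PR or from pxt-microbit: the github-script body restructured into a pure decision function plus a step function with the GitHub client and `core` injected, so it runs offline. The `merge_commit_sha` comparison and writing outputs via `core.setOutput` (instead of returning JSON for a later `run:` step to parse with jq) are hardening choices assumed here, not something the ported workflow does; the repository name, SHAs and PR list in the fixtures are constructed.

```javascript
// Added example, not code from this PR or from pxt-microbit: the merged-PR
// check that check-if-merged-pr.yml runs inside actions/github-script,
// restructured so the decision is a pure function and the GitHub client and
// `core` are injected. Repository names and SHAs below are made up.

// Pick the PR that was merged *as* `sha`. `prs` is the body returned by
// GET /repos/{owner}/{repo}/commits/{sha}/pulls
// (github.rest.repos.listPullRequestsAssociatedWithCommit). The workflow on
// the page takes the first PR with a non-null merged_at; the additional
// merge_commit_sha comparison is a hardening assumption added here, so a
// commit that merely sits on some merged PR's branch is not mistaken for
// that PR's merge commit.
function findMergedPr(prs, sha) {
  const pr = prs.find(p => p.merged_at !== null && p.merge_commit_sha === sha);
  return pr === undefined ? null : pr;
}

// Equivalent of the github-script step. Writing outputs with core.setOutput
// means no later `run:` step has to interpolate the JSON via ${{ }} and jq.
async function checkMergedPr({ github, context, core }) {
  const { data: prs } = await github.rest.repos.listPullRequestsAssociatedWithCommit({
    owner: context.repo.owner,
    repo: context.repo.repo,
    commit_sha: context.sha,
  });
  const pr = findMergedPr(prs, context.sha);
  const result = { is_merged_pr: pr !== null, pr_head_sha: pr === null ? '' : pr.head.sha };
  core.info(pr === null ? 'No merged PR for this commit.' : `Found merged PR #${pr.number}`);
  core.setOutput('is_merged_pr', String(result.is_merged_pr));
  core.setOutput('pr_head_sha', result.pr_head_sha);
  return result;
}

// Constructed fixtures standing in for the REST response.
const MERGE_SHA = 'a'.repeat(40);
const HEAD_SHA = 'b'.repeat(40);
const FIXTURE_PRS = [
  // open PR whose branch happens to contain the commit
  { number: 1, merged_at: null, merge_commit_sha: null, head: { sha: 'c'.repeat(40) } },
  // an older merged PR associated with the commit, but merged as a different sha;
  // the page's merged_at-only check would wrongly pick this one
  { number: 2, merged_at: '2024-01-01T00:00:00Z', merge_commit_sha: 'd'.repeat(40), head: { sha: 'e'.repeat(40) } },
  // the PR actually merged as MERGE_SHA
  { number: 3, merged_at: '2024-01-02T00:00:00Z', merge_commit_sha: MERGE_SHA, head: { sha: HEAD_SHA } },
];

// Minimal stand-ins for the `github` and `core` objects github-script provides.
function fakeGithub(prs) {
  return { rest: { repos: { listPullRequestsAssociatedWithCommit: async () => ({ data: prs }) } } };
}
function fakeCore() {
  const outputs = {};
  return { outputs, setOutput: (k, v) => { outputs[k] = v; }, info: () => {} };
}
const CONTEXT = { sha: MERGE_SHA, repo: { owner: 'example-org', repo: 'example-repo' } };

// Run it once the way the step would, against the fixtures above.
checkMergedPr({ github: fakeGithub(FIXTURE_PRS), context: CONTEXT, core: fakeCore() })
  .then(r => console.log(JSON.stringify(r)));
```

To use the real step, drop the fixtures and pass github-script's own `github`, `context` and `core` into `checkMergedPr`; the outputs then appear on the step as `steps.<id>.outputs.is_merged_pr` and `pr_head_sha` without a separate parse step.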