
chore(ci): internalize reusable workflows from gha-workflows #88

Merged

matt-codecov merged 1 commit into main from branchless/pr88 on Apr 30, 2025

Conversation

@matt-codecov
Contributor

@matt-codecov matt-codecov commented Apr 30, 2025

This PR copies the reusable workflows we use 100% unchanged to umbrella. Reusable workflows start with _ by convention.

Being in a monorepo has already required some divergence and complexity, and as we embrace the monorepo more, even more junk will have to be added to retain interoperability with other repos. Also, merging into gha-workflows, cutting a release, and updating a tag in umbrella is a big pain (that's why we went for a monorepo to begin with). Giving umbrella its own copies of these workflows which we can customize will help us declutter and move fast.

Second in a series of related CI changes. I am testing my personal build of git-branchless with stacked PR support, please humor me.

Stack info:
Stack 1

@seer-by-sentry
Contributor

✅ Sentry found no issues in your recent changes ✅

@codecov

codecov bot commented Apr 30, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.25%. Comparing base (6aaad25) to head (f067294).
Report is 2 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #88   +/-   ##
=======================================
  Coverage   94.25%   94.25%           
=======================================
  Files        1210     1210           
  Lines       45688    45688           
  Branches     1449     1449           
=======================================
  Hits        43065    43065           
  Misses       2317     2317           
  Partials      306      306           
Flag                     Coverage Δ
apiunit                  96.41% <ø> (ø)
shared-docker-uploader   88.82% <ø> (ø)
workerintegration        61.19% <ø> (ø)
workerunit               91.33% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@codecov-notifications

codecov-notifications bot commented Apr 30, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

@codspeed-hq

codspeed-hq bot commented Apr 30, 2025

CodSpeed Performance Report

Merging #88 will not alter performance

Comparing branchless/pr88 (f067294) with main (6aaad25)

Summary

✅ 9 untouched benchmarks

@matt-codecov matt-codecov requested review from a team April 30, 2025 00:23
Base automatically changed from branchless/pr87 to main April 30, 2025 17:03
Comment on lines +30 to +93
    name: Build App
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 2
          submodules: 'recursive'
      - id: "auth"
        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v2.1.2"
        with:
          token_format: "access_token"
          workload_identity_provider: ${{ secrets.CODECOV_GCP_WIDP }}
          service_account: ${{ secrets.CODECOV_GCP_WIDSA }}

      - name: Docker configuration
        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}
        run: |-
          echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://us-docker.pkg.dev

      - name: Cache Requirements
        id: cache-requirements
        if: inputs.cache_requirements
        uses: actions/cache@v4
        env:
          cache-name: ${{ inputs.repo }}-requirements
        with:
          path: |
            ${{ inputs.output_directory }}/requirements.tar
          key: ${{ runner.os }}-${{ env.cache-name }}-${{ inputs.reqs_cache_key || format('{0}-{1}', hashFiles(format('{0}/**/{1}', inputs.output_directory, inputs.cache_file)), hashFiles(format('{0}/**/docker/Dockerfile.requirements', inputs.output_directory))) }}
          restore-keys: |
            ${{ runner.os }}-${{ env.cache-name }}-

      - name: Cache App
        id: cache-app
        uses: actions/cache@v4
        env:
          cache-name: ${{ inputs.repo }}-app
        with:
          path: |
            ${{ inputs.output_directory }}/app.tar
          key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.run_id }}

      - name: Load requirements from cache
        if: ${{ steps.cache-requirements.outputs.cache-hit == 'true' && inputs.cache_requirements }}
        run: |
          make ${{ inputs.make_target_prefix }}load.requirements

      - name: Build/pull requirements
        if: ${{ steps.cache-requirements.outputs.cache-hit != 'true' && inputs.cache_requirements }}
        run: |
          make ${{ inputs.make_target_prefix }}build.requirements
          make ${{ inputs.make_target_prefix }}save.requirements

      - name: Push Requirements
        if: ${{ steps.cache-requirements.outputs.cache-hit != 'true' && !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' && inputs.cache_requirements }}
        run: |
          make ${{ inputs.make_target_prefix }}push.requirements
      - name: Build app
        run: |
          make ${{ inputs.make_target_prefix }}build.app
          make ${{ inputs.make_target_prefix }}save.app

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 10 months ago

To fix the issue, we will add a permissions block at the workflow level to explicitly define the least privileges required. Based on the workflow's operations, the minimal permissions needed are contents: read for accessing repository contents. If additional permissions are required for specific steps, they can be added at the job level. This ensures that the workflow adheres to the principle of least privilege.


Suggested changeset 1
.github/workflows/_build-app.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_build-app.yml b/.github/workflows/_build-app.yml
--- a/.github/workflows/_build-app.yml
+++ b/.github/workflows/_build-app.yml
@@ -2,2 +2,5 @@
 
+permissions:
+  contents: read
+
 on:
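Review bot: `contents: read` on its own will break the `Authenticate to Google Cloud` step in the job quoted above: `google-github-actions/auth@v2.1.2` with `workload_identity_provider` asks the runner for an OIDC token, which requires `id-token: write`, and once any `permissions` block is present every scope it omits is `none`. Suggest:
permissions:
  contents: read
  id-token: write
Since this file is a reusable workflow (the `_` prefix, `workflow_call`), the block can only narrow what the caller grants, so the calling workflow has to grant `id-token: write` as well.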
EOF
Comment on lines +13 to +53
    name: Create PR
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: 'recursive'

      - name: Import GPG key
        id: import-gpg
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.RELEASER_GPG_PRIVATE_KEY }}
          git_user_signingkey: true
          git_commit_gpgsign: true
          git_config_global: true

      - name: Create release branch
        run: git checkout -b release/${{ github.event.inputs.versionName }}
      - name: Update version file
        id: make-commit
        run: |
          echo ${{ github.event.inputs.versionName }} > VERSION
          echo -n $(tr -d '\n' < VERSION) > VERSION
          git add VERSION
          git commit -S --message "Prepare release ${{ github.event.inputs.versionName }}"
          echo "commit=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"

      - name: Push release branch
        run: git push origin release/${{ github.event.inputs.versionName }}
      - name: Create pull request into main
        uses: thomaseizinger/create-pull-request@1.3.1
        with:
          github_token: ${{ secrets.GH_RELEASE_TOKEN }}
          head: release/${{ github.event.inputs.versionName }}
          base: ${{ inputs.mainBranch }}
          title: Release ${{ github.event.inputs.versionName }}
          reviewers: ${{ github.event.issue.user.login }}
          body: |
            Release PR for ${{ github.event.inputs.versionName }}
            I've updated the version name and committed: ${{ steps.make-commit.outputs.commit }}.

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 10 months ago

To fix the issue, we will add a permissions block at the root of the workflow to explicitly define the required permissions. Based on the workflow's actions, the following permissions are needed:

  • contents: write for pushing the release branch.
  • pull-requests: write for creating the pull request.

This ensures that the workflow has only the permissions it needs to function correctly, reducing the risk of unintended actions.


Suggested changeset 1
.github/workflows/_create-release-pr.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_create-release-pr.yml b/.github/workflows/_create-release-pr.yml
--- a/.github/workflows/_create-release-pr.yml
+++ b/.github/workflows/_create-release-pr.yml
@@ -2,2 +2,6 @@
 
+permissions:
+  contents: write
+  pull-requests: write
+
 on:
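Review bot: `pull-requests: write` is not consumed by GITHUB_TOKEN in this job. The `Create pull request into main` step authenticates with `github_token: ${{ secrets.GH_RELEASE_TOKEN }}`, a separate secret, so the only step that falls back to the default token is `git push origin release/...`, which relies on the credentials `actions/checkout@v4` persists; that needs `contents: write` and nothing else. Drop `pull-requests: write` from the block. Pull requests opened with GITHUB_TOKEN do not trigger other workflow runs, which is the usual reason for a PAT here; if that step ever moves to the default token, add the scope back then.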
EOF
Comment on lines +13 to +28
    name: Create Github Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - id: get-release-vars
        name: Configure Release Vars
        run: |
          echo "release_version=$(cat VERSION)" >> "$GITHUB_OUTPUT"

      - name: Create GitHub Release
        env:
          GITHUB_TOKEN: ${{ secrets.CODECOV_RELEASE_PAT }}
        run: |
          gh release create ${{ inputs.tag_to_prepend }}${{ steps.get-release-vars.outputs.release_version }} --title "Release ${{ steps.get-release-vars.outputs.release_version }}" --notes "Autogenerated for ${{ steps.get-release-vars.outputs.release_version }}. Created for ${{ github.event.pull_request.html_url }}" --generate-notes

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 10 months ago

To fix the issue, we will add a permissions block at the workflow level to explicitly define the minimal permissions required. Since the workflow creates a GitHub release, it needs contents: write permissions. No other permissions are required, so we will restrict the scope to just this permission. The permissions block will be added at the root level of the workflow, ensuring it applies to all jobs.


Suggested changeset 1
.github/workflows/_create-release.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_create-release.yml b/.github/workflows/_create-release.yml
--- a/.github/workflows/_create-release.yml
+++ b/.github/workflows/_create-release.yml
@@ -10,2 +10,4 @@
         description: 'Tag prepend value. Ex: self-hosted-'
+permissions:
+  contents: write
 jobs:
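Review bot: `contents: write` is broader than this job uses: `gh release create` runs with `GITHUB_TOKEN: ${{ secrets.CODECOV_RELEASE_PAT }}`, so the release is created with the PAT and the default token only backs `actions/checkout`. Either declare `contents: read` and keep the PAT, or drop the PAT and let the step use the default token under `contents: write`; declaring `write` while the PAT does the work is the worst of both, since the token is over-scoped and the PAT still has to be rotated.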
EOF
Comment on lines +12 to +19
    name: Run Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install dependencies
        run: make ${{ inputs.make_target_prefix }}lint.install
      - name: Check
        run: make ${{ inputs.make_target_prefix }}lint.check

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 10 months ago

To fix the issue, we will add a permissions block at the root level of the workflow. Since this is a linting job, it only needs read access to the repository contents. We will set contents: read as the minimal required permission. This change ensures that the workflow adheres to the principle of least privilege and avoids unnecessary write permissions.


Suggested changeset 1
.github/workflows/_lint.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_lint.yml b/.github/workflows/_lint.yml
--- a/.github/workflows/_lint.yml
+++ b/.github/workflows/_lint.yml
@@ -2,2 +2,5 @@
 
+permissions:
+  contents: read
+
 on:
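Review bot: `contents: read` is the right grant for a job that only checks out and runs `make ... lint.install` / `lint.check`; no objection to this hunk. Like the other `_*.yml` files this is a reusable workflow, so the block can only narrow what the caller grants, and callers that already pass `contents: read` see no change.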
@@ -6,4 +9,4 @@
       make_target_prefix:
-        type: string
-        default: ""
+       type: string
+       default: ""
 
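Review bot: this hunk is whitespace churn unrelated to the finding: it re-indents `type: string` and `default: ""` under `make_target_prefix:` from 8 spaces to 7. The result still parses, but it leaves those two keys at a different indent from every other input in the file and makes the permissions fix harder to review; drop the hunk before applying.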
@@ -19,2 +22 @@
         run: make ${{ inputs.make_target_prefix }}lint.check
-
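Review bot: deleting the trailing blank line at the end of the file is more unrelated churn from the autofix; keep the change to the `permissions` block alone so `git blame` on these lines stays meaningful.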
EOF
Comment on lines +39 to +100
    name: Push ${{ inputs.environment }} Image
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    if: github.repository_owner == 'codecov' && !inputs.push_rolling && !inputs.push_release
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: 'recursive'
      - name: Get Release SHA
        env:
          SHA: ${{ github.sha }}
        id: sha
        run: echo short_sha="${SHA:0:7}" >> $GITHUB_OUTPUT
      - name: Cache App
        id: cache-app
        uses: actions/cache@v4
        env:
          cache-name: ${{ inputs.repo }}-app
        with:
          path: |
            ${{ inputs.output_directory }}/app.tar
          key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.run_id }}
      - name: Load built image
        run: |
          docker load --input ${{ inputs.output_directory }}/app.tar
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v2.1.2"
        with:
          token_format: "access_token"
          workload_identity_provider: ${{ secrets.CODECOV_GCP_WIDP }}
          service_account: ${{ secrets.CODECOV_GCP_WIDSA }}

      - name: Docker configuration
        run: |-
          echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://us-docker.pkg.dev

      - name: Push ${{ inputs.environment }}
        run: |
          make ${{ inputs.make_target_prefix }}tag.${{ inputs.environment }}
          make ${{ inputs.make_target_prefix }}push.${{ inputs.environment }}
      - name: Push latest
        if: inputs.environment == 'production'
        run: |
          make ${{ inputs.make_target_prefix }}tag.latest
          make ${{ inputs.make_target_prefix }}push.latest

      - name: Create Sentry release
        if: inputs.create_sentry_release
        uses: getsentry/action-release@v1
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.CODECOV_SENTRY_RELEASE_TOKEN }}
          SENTRY_ORG: ${{ secrets.CODECOV_SENTRY_ORG }}
          SENTRY_PROJECT: ${{ inputs.sentry_project != '' && inputs.sentry_project || secrets.CODECOV_SENTRY_PROJECT }}
        with:
          environment: ${{ inputs.environment }}
          version: ${{ inputs.environment }}-release-${{ steps.sha.outputs.short_sha }}
          ignore_missing: true
          output_directory: ${{ inputs.output_directory }}
  rolling:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 10 months ago

To fix the issue, we will add a permissions block to the workflow. This block will specify the minimum permissions required for the workflow to function correctly. Based on the steps in the workflow, the following permissions are likely needed:

  • contents: read for accessing repository contents.
  • packages: write for pushing Docker images to a package registry.
  • id-token: write for authenticating with Google Cloud using OpenID Connect.

The permissions block will be added at the workflow level to apply to all jobs. If any job requires additional permissions, they can be specified within that job's permissions block.


Suggested changeset 1
.github/workflows/_push-env.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_push-env.yml b/.github/workflows/_push-env.yml
--- a/.github/workflows/_push-env.yml
+++ b/.github/workflows/_push-env.yml
@@ -2,2 +2,7 @@
 
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
 on:
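Review bot: `packages: write` is the GitHub Packages (ghcr.io) scope and is unused here: the job logs into `us-docker.pkg.dev` with the access token minted by `google-github-actions/auth`, and `make ... push.<environment>` pushes through that Docker login, so GITHUB_TOKEN never talks to a registry. `id-token: write` is required (the workload-identity step cannot request an OIDC token without it) and `contents: read` covers the checkout; the Sentry step authenticates with `CODECOV_SENTRY_RELEASE_TOKEN`. Suggest dropping `packages: write` and keeping the other two.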
EOF
Comment on lines +37 to +104
    name: Build Self Hosted App
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: 'recursive'

      - id: "auth"
        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' && inputs.cache_requirements }}
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v2.1.2"
        with:
          token_format: "access_token"
          workload_identity_provider: ${{ secrets.CODECOV_GCP_WIDP }}
          service_account: ${{ secrets.CODECOV_GCP_WIDSA }}

      - name: Docker configuration
        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' && inputs.cache_requirements }}
        run: |-
          echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://us-docker.pkg.dev

      - name: Cache Requirements
        id: cache-requirements
        if: inputs.cache_requirements
        uses: actions/cache@v4
        env:
          cache-name: ${{ inputs.repo }}-requirements
        with:
          path: |
            ${{ inputs.output_directory }}/requirements.tar
          key: ${{ runner.os }}-${{ env.cache-name }}-${{ inputs.reqs_cache_key || format('{0}-{1}', hashFiles(format('{0}/**/{1}', inputs.output_directory, inputs.cache_file)), hashFiles(format('{0}/**/docker/Dockerfile.requirements', inputs.output_directory))) }}
          restore-keys: |
            ${{ runner.os }}-${{ env.cache-name }}-

      - name: Cache Self hosted
        id: cache-self-hosted
        uses: actions/cache@v4
        env:
          cache-name: ${{ inputs.repo }}-self-hosted
        with:
          path: |
            ${{ inputs.output_directory }}/self-hosted-runtime.tar
            ${{ inputs.output_directory }}/self-hosted.tar
          key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.run_id }}

      - name: Load requirements from cache
        if: ${{ steps.cache-requirements.outputs.cache-hit == 'true' && inputs.cache_requirements }}
        run: |
          make ${{ inputs.make_target_prefix }}load.requirements

      - name: Build/pull requirements
        if: ${{ steps.cache-requirements.outputs.cache-hit != 'true' && inputs.cache_requirements }}
        run: |
          make ${{ inputs.make_target_prefix }}build.requirements

      - name: Load built image
        if: ${{ steps.cache-self-hosted.outputs.cache-hit == 'true' }}
        run: |
          make ${{ inputs.make_target_prefix }}load.self-hosted

      - name: Build self hosted
        if: ${{ steps.cache-self-hosted.outputs.cache-hit != 'true' }}
        run: |
          make ${{ inputs.make_target_prefix }}build.self-hosted
          make ${{ inputs.make_target_prefix }}save.self-hosted

  self-hosted:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 10 months ago

To fix the issue, we will add a permissions block to the workflow. This block will define the minimal permissions required for the workflow to function correctly. Based on the actions used in the workflow, the following permissions are likely needed:

  • contents: read for accessing repository contents.
  • packages: write for Docker-related operations such as pushing images.
  • id-token: write for Google Cloud authentication.

The permissions block will be added at the workflow level to apply to all jobs. If any job requires additional or fewer permissions, a job-specific permissions block can be added.


Suggested changeset 1
.github/workflows/_self-hosted.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_self-hosted.yml b/.github/workflows/_self-hosted.yml
--- a/.github/workflows/_self-hosted.yml
+++ b/.github/workflows/_self-hosted.yml
@@ -1,2 +1,6 @@
 name: Self Hosted Build and Release
+permissions:
+  contents: read
+  packages: write
+  id-token: write
 on:
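Review bot: same problem as the `_push-env.yml` autofix: `packages: write` is not used anywhere in this file. `build-self-hosted` logs into `us-docker.pkg.dev` with the GCP access token, and the two push jobs log into Docker Hub with `CODECOV_DEVOPS_DOCKER_USERNAME`/`PASSWORD`, so no step authenticates to GitHub Packages. Keep `contents: read` and `id-token: write` (the auth step needs it whenever `inputs.cache_requirements` is set) and drop `packages: write`. The two later autofixes for this file add job-level blocks at lines 109 and 143; a job-level `permissions` mapping replaces this workflow-level one for that job, so the push jobs would run with whatever those blocks say rather than with `id-token: write`, which is fine since they never authenticate to GCP.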
EOF
Comment on lines +105 to +138
    name: Push Self Hosted Image
    needs: [build-self-hosted]
    if: inputs.push_rolling == true && github.repository_owner == 'codecov' && !github.event.pull_request.head.repo.fork
    runs-on: ubuntu-latest
    environment: self-hosted
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: 'recursive'
      - name: Cache Self hosted
        id: cache-self-hosted
        uses: actions/cache@v4
        env:
          cache-name: ${{ inputs.repo }}-self-hosted
        with:
          path: |
            ${{ inputs.output_directory }}/self-hosted-runtime.tar
            ${{ inputs.output_directory }}/self-hosted.tar
          key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.run_id }}
      - name: Load built image
        run: |
          make ${{ inputs.make_target_prefix }}load.self-hosted
      - name: Log in to Docker Hub
        uses: docker/login-action@v3.1.0
        with:
          username: ${{ secrets.CODECOV_DEVOPS_DOCKER_USERNAME }}
          password: ${{ secrets.CODECOV_DEVOPS_DOCKER_PASSWORD }}
      - name: Push Self Hosted Rolling
        run: |
          make ${{ inputs.make_target_prefix }}tag.self-hosted-rolling
          make ${{ inputs.make_target_prefix }}push.self-hosted-rolling
  self-hosted-release:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 10 months ago

To fix the issue, we will add a permissions block to the self-hosted job. Since this job primarily involves checking out the repository and pushing Docker images, the minimal required permissions are contents: read. This ensures that the GITHUB_TOKEN is restricted to read-only access to the repository contents, preventing any unintended write operations.

Suggested changeset 1
.github/workflows/_self-hosted.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_self-hosted.yml b/.github/workflows/_self-hosted.yml
--- a/.github/workflows/_self-hosted.yml
+++ b/.github/workflows/_self-hosted.yml
@@ -109,2 +109,4 @@
     environment: self-hosted
+    permissions:
+      contents: read
     steps:
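Review bot: `contents: read` fits the `self-hosted` job at line 109: it checks out, restores the cache and pushes to Docker Hub through `docker/login-action@v3.1.0` with credentials from `secrets`, so GITHUB_TOKEN is only used for the checkout. The autofix text says it targets that one job, yet the patch also carries a second hunk for line 143; see the note on that hunk.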
@@ -143,2 +145,4 @@
     environment: self-hosted
+    permissions:
+      contents: read
     steps:
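Review bot: this hunk lands in the `self-hosted-release` job at line 143, which the next autofix also edits, proposing `contents: read` plus `packages: write` for the same spot. `contents: read` alone is correct, for the same reason as the `self-hosted` job (Docker Hub login via `secrets`, nothing touches GitHub Packages), so apply this patch and skip the next one; applying both would leave two `permissions` keys in one job mapping, which YAML parsers reject or silently collapse.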
EOF
Comment on lines +139 to +171
    name: Push Self Hosted Release Image
    needs: [build-self-hosted]
    if: inputs.push_release == true && github.repository_owner == 'codecov' && !github.event.pull_request.head.repo.fork
    runs-on: ubuntu-latest
    environment: self-hosted
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: 'recursive'
      - name: Cache Self hosted
        id: cache-self-hosted
        uses: actions/cache@v4
        env:
          cache-name: ${{ inputs.repo }}-self-hosted
        with:
          path: |
            ${{ inputs.output_directory }}/self-hosted-runtime.tar
            ${{ inputs.output_directory }}/self-hosted.tar
          key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.run_id }}
      - name: Load built image
        run: |
          make ${{ inputs.make_target_prefix }}load.self-hosted
      - name: Log in to Docker Hub
        uses: docker/login-action@v3.1.0
        with:
          username: ${{ secrets.CODECOV_DEVOPS_DOCKER_USERNAME }}
          password: ${{ secrets.CODECOV_DEVOPS_DOCKER_PASSWORD }}
      - name: Push self hosted release
        run: |
          make ${{ inputs.make_target_prefix }}tag.self-hosted-release
          make ${{ inputs.make_target_prefix }}push.self-hosted-release

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 10 months ago

To fix the issue, we will add a permissions block to the self-hosted-release job. This block will explicitly define the minimal permissions required for the job to function. Based on the job's actions, it primarily needs contents: read to check out the repository and packages: write to interact with Docker Hub. No other permissions are necessary.

The permissions block will be added directly under the self-hosted-release job definition to scope it specifically to this job.


Suggested changeset 1
.github/workflows/_self-hosted.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/_self-hosted.yml b/.github/workflows/_self-hosted.yml
--- a/.github/workflows/_self-hosted.yml
+++ b/.github/workflows/_self-hosted.yml
@@ -143,2 +143,5 @@
     environment: self-hosted
+    permissions:
+      contents: read
+      packages: write
     steps:
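Review bot: `packages: write` does not match what this job does: `Log in to Docker Hub` uses `docker/login-action@v3.1.0` with `CODECOV_DEVOPS_DOCKER_USERNAME`/`PASSWORD`, and `make ... push.self-hosted-release` pushes with that session, so GITHUB_TOKEN never reaches GitHub Packages and the scope only broadens the token. `contents: read` alone is what the job needs, which is also what the previous autofix proposes for these same lines; take that one instead.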
EOF
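The CodeQL findings and autofixes above all turn on one question: which GITHUB_TOKEN scopes does each job actually consume, given that several steps authenticate with PATs or registry credentials from `secrets` rather than with the default token? The following is an editor-added example, not code from this PR or from codecov, that encodes that reasoning: it infers the scopes a job needs from its steps (`google-github-actions/auth` with `workload_identity_provider` needs `id-token: write`; `git push` through the credentials `actions/checkout` persists needs `contents: write`; a step that sets `GITHUB_TOKEN`/`github_token` to some other secret uses a PAT and needs nothing) and diffs that against the declared `permissions` block. The three workflows are constructed dicts abridged from the snippets in this PR; the inference tables `OIDC_ACTIONS`, `USES_SCOPES` and `RUN_SCOPES` are the editor's own and cover only the patterns visible here.

```python
"""Infer the GITHUB_TOKEN scopes each job actually uses and diff them against the
declared `permissions` block. Editor-added example, not code from this PR or codecov.
Workflows are passed as parsed dicts (constructed below, abridged from the YAML in
this PR) so it runs without PyYAML; for a real file pass yaml.safe_load(f)."""
from __future__ import annotations

import re

LEVEL = {"none": 0, "read": 1, "write": 2}

# Editor's inference tables, limited to the step patterns visible in this PR.
OIDC_ACTIONS = {"google-github-actions/auth"}  # WIF auth requests an OIDC token from the job
USES_SCOPES = {"thomaseizinger/create-pull-request": ("pull-requests", "write")}
RUN_SCOPES = [
    (re.compile(r"\bgit push\b"), ("contents", "write")),  # pushes with checkout's persisted token
    (re.compile(r"\bgh release create\b"), ("contents", "write")),
    (re.compile(r"\bgh pr create\b"), ("pull-requests", "write")),
]
TOKEN_KEYS = ("GITHUB_TOKEN", "GH_TOKEN", "github_token", "token")


def uses_default_token(step: dict) -> bool:
    """False when the step authenticates with some other repository secret (a PAT);
    GITHUB_TOKEN scopes are then irrelevant to that step."""
    for src in (step.get("env") or {}, step.get("with") or {}):
        for key in TOKEN_KEYS:
            val = src.get(key)
            if isinstance(val, str) and "secrets." in val and "secrets.GITHUB_TOKEN" not in val:
                return False
    return True


def required_scopes(job: dict) -> dict[str, str]:
    """Scopes the job's steps draw from GITHUB_TOKEN; contents: read is the baseline
    because actions/checkout needs it."""
    needed = {"contents": "read"}

    def bump(scope: str, level: str) -> None:
        if LEVEL[level] > LEVEL[needed.get(scope, "none")]:
            needed[scope] = level

    for step in job.get("steps") or []:
        action = (step.get("uses") or "").split("@")[0]
        if action in OIDC_ACTIONS and "workload_identity_provider" in (step.get("with") or {}):
            bump("id-token", "write")  # the OIDC request always uses the job's own token
        if not uses_default_token(step):
            continue
        if action in USES_SCOPES:
            bump(*USES_SCOPES[action])
        for pattern, (scope, level) in RUN_SCOPES:
            if pattern.search(step.get("run") or ""):
                bump(scope, level)
    return needed


def audit(workflow: dict) -> dict[str, dict]:
    """Per job: scopes missing from the declaration (a step fails or runs
    under-privileged) and scopes declared above what any step uses. Job-level
    `permissions` replace workflow-level ones; in a workflow_call workflow the block
    can only narrow what the caller granted, which is what `reusable` flags."""
    # PyYAML loads the bare key `on` as the boolean True (YAML 1.1), hence both lookups.
    triggers = workflow.get("on") or workflow.get(True) or {}
    reusable = "workflow_call" in triggers
    report = {}
    for name, job in (workflow.get("jobs") or {}).items():
        needed = required_scopes(job)
        declared = dict(job.get("permissions", workflow.get("permissions")) or {})
        missing = {s: l for s, l in needed.items() if LEVEL[declared.get(s, "none")] < LEVEL[l]}
        excess = {s: l for s, l in declared.items() if LEVEL[l] > LEVEL[needed.get(s, "none")]}
        report[name] = {"needed": needed, "declared": declared, "missing": missing,
                        "excess": excess, "reusable": reusable}
    return report


# Constructed samples abridged from _build-app, _create-release-pr and _create-release
# in this PR, each carrying the permissions block its Copilot autofix proposes.
OIDC_WITH = {"token_format": "access_token",
             "workload_identity_provider": "${{ secrets.CODECOV_GCP_WIDP }}",
             "service_account": "${{ secrets.CODECOV_GCP_WIDSA }}"}
BUILD_APP = {"name": "Build App", "on": {"workflow_call": {}}, "permissions": {"contents": "read"},
             "jobs": {"build": {"steps": [
                 {"uses": "actions/checkout@v4"},
                 {"id": "auth", "uses": "google-github-actions/auth@v2.1.2", "with": OIDC_WITH},
                 {"name": "Build app", "run": "make build.app\nmake save.app"}]}}}
CREATE_RELEASE_PR = {"name": "Create PR", "on": {"workflow_call": {}},
                     "permissions": {"contents": "write", "pull-requests": "write"},
                     "jobs": {"create-pr": {"steps": [
                         {"uses": "actions/checkout@v4"},
                         {"run": "git push origin release/${{ github.event.inputs.versionName }}"},
                         {"uses": "thomaseizinger/create-pull-request@1.3.1",
                          "with": {"github_token": "${{ secrets.GH_RELEASE_TOKEN }}"}}]}}}
CREATE_RELEASE = {"name": "Create Github Release", "on": {"workflow_call": {}},
                  "permissions": {"contents": "write"},
                  "jobs": {"release": {"steps": [
                      {"uses": "actions/checkout@v4"},
                      {"env": {"GITHUB_TOKEN": "${{ secrets.CODECOV_RELEASE_PAT }}"},
                       "run": "gh release create v1 --generate-notes"}]}}}

if __name__ == "__main__":
    for wf in (BUILD_APP, CREATE_RELEASE_PR, CREATE_RELEASE):
        for job, r in audit(wf).items():
            print(f"{wf['name']}/{job}: missing={r['missing']} excess={r['excess']}")
```

Run as a script, `build` reports `id-token` missing under the suggested `contents: read`, `create-pr` reports `pull-requests: write` as excess because the PR is opened with `GH_RELEASE_TOKEN`, and `release` reports `contents: write` as excess because `gh release create` uses `CODECOV_RELEASE_PAT`. The `reusable` flag in each report is the reminder that in a `workflow_call` workflow a `permissions` block only narrows what the caller granted, so a scope reported as missing has to be added in the calling workflow as well.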
@matt-codecov matt-codecov added this pull request to the merge queue Apr 30, 2025
Merged via the queue into main with commit 367a68f Apr 30, 2025
74 of 76 checks passed
@matt-codecov matt-codecov deleted the branchless/pr88 branch April 30, 2025 18:49