Adding action to mirror repo #27
…aitpatel/DockSec into adding-action-to-mirror-repo
| runs-on: ubuntu-latest | ||
| name: Test Coverage Report | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: '3.12' | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install pytest pytest-cov | ||
| if [ -f requirements.txt ]; then pip install -r requirements.txt; fi | ||
|
|
||
| - name: Install package | ||
| run: | | ||
| pip install -e . | ||
|
|
||
| - name: Run tests with coverage | ||
| run: | | ||
| pytest tests/ --cov=. --cov-report=xml --cov-report=html --cov-report=term-missing || echo "Tests completed with coverage" | ||
| continue-on-error: true | ||
|
|
||
| - name: Upload coverage to Codecov | ||
| uses: codecov/codecov-action@v4 | ||
| with: | ||
| file: ./coverage.xml | ||
| flags: unittests | ||
| name: codecov-docksec | ||
| fail_ci_if_error: false | ||
| env: | ||
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | ||
|
|
||
| - name: Upload coverage reports as artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: coverage-reports | ||
| path: | | ||
| coverage.xml | ||
| htmlcov/ | ||
| if-no-files-found: ignore | ||
|
|
||
| - name: Generate Coverage Summary | ||
| run: | | ||
| echo "## Coverage Report" >> $GITHUB_STEP_SUMMARY | ||
| echo "" >> $GITHUB_STEP_SUMMARY | ||
| if [ -f coverage.xml ]; then | ||
| echo "Coverage report generated successfully!" >> $GITHUB_STEP_SUMMARY | ||
| echo "" >> $GITHUB_STEP_SUMMARY | ||
| echo "📊 View detailed HTML report in artifacts" >> $GITHUB_STEP_SUMMARY | ||
| echo "" >> $GITHUB_STEP_SUMMARY | ||
| # Extract coverage percentage if available | ||
| if command -v coverage &> /dev/null; then | ||
| echo "### Coverage Details:" >> $GITHUB_STEP_SUMMARY | ||
| coverage report --format=markdown >> $GITHUB_STEP_SUMMARY 2>/dev/null || echo "Run completed" >> $GITHUB_STEP_SUMMARY | ||
| fi | ||
| else | ||
| echo "⚠️ No coverage data generated" >> $GITHUB_STEP_SUMMARY | ||
| fi | ||
|
|
||
| - name: Coverage Badge | ||
| run: | | ||
| echo "Add this badge to your README.md:" | ||
| echo "[](https://codecov.io/gh/advaitpatel/DockSec)" |
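Review bot: the "Run tests with coverage" step in this hunk can never fail, because `|| echo "Tests completed with coverage"` turns every pytest exit code into 0 and `continue-on-error: true` on top of that would hide even a shell crash, so a broken or failing test suite still gets a green check and still pushes coverage to Codecov with `fail_ci_if_error: false`. Suggest dropping both the `|| echo ...` suffix and `continue-on-error: true` so the run is just `pytest tests/ --cov=. --cov-report=xml --cov-report=html --cov-report=term-missing`, and, if the coverage artifacts should still be uploaded after a failure, putting `if: always()` on the two upload steps instead. Two smaller points on the same hunk: every `uses:` here is pinned to a mutable tag (`@v4`), so pinning to the full commit SHA with the tag in a trailing comment would close the tag-retargeting route, which matters most for the third-party `codecov/codecov-action`; and the workflow declares no `permissions:` block, which is the CodeQL finding below, so `GITHUB_TOKEN` runs with the repository's default scopes although nothing in these steps needs more than `contents: read`.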
Check warning (Code scanning / CodeQL, Medium): Workflow does not contain permissions
Copilot Autofix (AI), 2 months ago
Generally, the fix is to explicitly declare permissions for the workflow or job to follow the principle of least privilege, instead of relying on the repository’s default GITHUB_TOKEN permissions. For this coverage workflow, the minimal starting point is contents: read, which is sufficient for checking out and reading the repository. None of the steps need to push commits or modify repo metadata. Codecov’s action may need contents: read to read commit metadata, but not write access.
The best fix without changing functionality is to add a top-level permissions block right after the name: (or before jobs:) in .github/workflows/coverage.yml. This block will apply to all jobs in the workflow (there is only one, coverage). We will set permissions: contents: read, which aligns with the suggestion from CodeQL and GitHub’s guidance. No other code changes, imports, or job-step changes are required.
Concretely, in .github/workflows/coverage.yml, insert:

```yaml
permissions:
  contents: read
```

between line 2 and line 3. This restricts GITHUB_TOKEN to read-only repository contents for this workflow, resolving the CodeQL finding while preserving existing behavior.
| @@ -1,5 +1,8 @@ | ||
| name: Code Coverage | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ main ] |
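To make the least-privilege reasoning above checkable on any workflow rather than a one-off fix, here is an added example (not DockSec's code and not part of the Copilot suggestion) that audits a workflow file for the missing `permissions:` block CodeQL flagged, and goes beyond that case to two related things a reviewer would raise on the coverage workflow: actions pinned to mutable tags instead of commit SHAs, and steps that mask test failures. The two embedded workflows are constructed samples modelled on this PR's coverage.yml, the 40-character SHAs in the hardened copy are placeholders rather than the real digests of those action releases, and the checks are text-level heuristics, not a YAML parser.

```python
"""Heuristic audit of a GitHub Actions workflow for the issues raised in this PR.

Added example: not DockSec code and not part of the Copilot autofix. It scans
the raw YAML text with regular expressions (no third-party package needed);
a real linter such as CodeQL parses the document properly.
"""
import re

# Constructed sample modelled on the coverage workflow *before* the autofix:
# no permissions block, tag-pinned actions, test failures swallowed.
WEAK_WORKFLOW = """\
name: Code Coverage
on:
  push:
    branches: [ main ]
jobs:
  coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests with coverage
        run: |
          pytest tests/ --cov=. || echo "Tests completed with coverage"
        continue-on-error: true
      - uses: codecov/codecov-action@v4
"""

# Constructed sample of the same workflow hardened. The 40-hex commit SHAs are
# PLACEHOLDERS (assumption), not the real digests of those action releases.
HARDENED_WORKFLOW = """\
name: Code Coverage
permissions:
  contents: read
on:
  push:
    branches: [ main ]
jobs:
  coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - name: Run tests with coverage
        run: |
          pytest tests/ --cov=.
      - uses: codecov/codecov-action@1111111111111111111111111111111111111111 # v4
"""

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def has_permissions_block(text: str) -> bool:
    """True if a `permissions:` key exists at top level or per job (the only
    two places Actions allows it), i.e. GITHUB_TOKEN scopes were set explicitly."""
    return re.search(r"^\s*permissions:", text, re.MULTILINE) is not None


def unpinned_actions(text: str) -> list[str]:
    """`uses:` references whose ref is not a full 40-hex commit SHA. Tags and
    branches are mutable, so a retargeted `v4` changes what runs without any
    change to this file. Local (`./`) and `docker://` refs are skipped."""
    found = []
    for m in USES_LINE.finditer(text):
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA.fullmatch(version):
            found.append(ref)
    return found


def swallowed_failures(text: str) -> list[str]:
    """Lines that let a failing test run still produce a green job."""
    found = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("continue-on-error:") and s.split(":", 1)[1].strip() == "true":
            found.append(s)
        elif re.search(r"\|\|\s*(echo|true)\b", s):  # `cmd || echo ...` forces exit 0
            found.append(s)
    return found


def audit_workflow(text: str) -> list[str]:
    """Collect human-readable findings for one workflow file's text."""
    findings = []
    if not has_permissions_block(text):
        findings.append("no permissions block: GITHUB_TOKEN gets the repository default scopes")
    findings += [f"action not pinned to a commit SHA: {ref}" for ref in unpinned_actions(text)]
    findings += [f"failure masked: {line}" for line in swallowed_failures(text)]
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"[{label}] {len(audit_workflow(text))} finding(s)")
        for finding in audit_workflow(text):
            print("  -", finding)
```

Run it against a real file with `audit_workflow(open(".github/workflows/coverage.yml").read())`; the weak sample yields five findings (one per missing permissions block, two unpinned actions, two masked failures) and the hardened sample none. The permissions check deliberately accepts a job-level block, which is equivalent to the autofix's top-level block for a single-job workflow.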
Pull Request
📝 Description
Please include a summary of the changes and the related issue. Include relevant motivation and context.
Fixes # (issue)
🎯 Type of Change
Please delete options that are not relevant:
🧪 How Has This Been Tested?
Please describe the tests that you ran to verify your changes:
Test Configuration:
📋 Checklist
📸 Screenshots (if applicable)
Add screenshots to help explain your changes.
🔗 Related Issues/PRs
Link any related issues or pull requests:
📚 Additional Notes
Any additional information that reviewers should know.
By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.