Task/#796 move code coverage to its own workflow #797
Conversation
Removed code coverage steps and related comments from nightly build workflow.
| name: "Code Coverage" | ||
| env: | ||
| ASPNETCORE_ENVIRONMENT: "Production" | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v2.3.4 | ||
|
|
||
| - name: Restore Nuget Packages | ||
| run: dotnet restore EstateManagementUI.sln --source ${{ secrets.PUBLICFEEDURL }} --source ${{ secrets.PRIVATEFEED_URL }} | ||
|
|
||
| - name: Build Code | ||
| run: dotnet build EstateManagementUI.sln --configuration Release | ||
|
|
||
| - name: Run Unit Tests | ||
| run: | | ||
| echo "ASPNETCORE_ENVIRONMENT are > ${ASPNETCORE_ENVIRONMENT}" | ||
| dotnet test EstateManagementUI.BlazorServer.Tests/EstateManagementUI.BlazorServer.Tests.csproj --settings .runsettings /p:CollectCoverage=true /p:Exclude="[xunit*]*" /p:ExcludeByAttribute="Obsolete" /p:ExcludeByAttribute="GeneratedCodeAttribute" /p:ExcludeByAttribute="ExcludeFromCodeCoverageAttribute" /p:CoverletOutput="../lcov1.info" /maxcpucount:1 /p:CoverletOutputFormat="lcov" | ||
|
|
||
| - name: Install LCOV merger | ||
| run: npm install -g lcov-result-merger | ||
|
|
||
| - name: Merge LCOV reports | ||
| run: | | ||
| mkdir -p coverage | ||
| lcov-result-merger "*.info" > lcov.info | ||
|
|
||
| - name: Upload merged coverage to Codacy | ||
| uses: codacy/codacy-coverage-reporter-action@v1 | ||
| with: | ||
| project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} | ||
| coverage-reports: ./lcov.info |
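Review bot: in the `Install LCOV merger` step, `npm install -g lcov-result-merger` installs whatever version is current at run time, and `actions/checkout@v2.3.4` and `codacy/codacy-coverage-reporter-action@v1` are pinned to mutable tags; pin the npm package to an exact version and the two actions to a full commit SHA, because every step in this job runs with `secrets.PUBLICFEEDURL`, `secrets.PRIVATEFEED_URL` and `secrets.CODACY_PROJECT_TOKEN` in reach and a retagged or compromised upstream would be able to read them. Separately, in `Merge LCOV reports` the `mkdir -p coverage` directory is created but never used, while `lcov-result-merger "*.info" > lcov.info` writes its output into the same directory the `"*.info"` pattern is expanded in, so the shell-created, initially empty `lcov.info` matches the merger's own input glob; writing to `coverage/lcov.info` and uploading `./coverage/lcov.info` avoids that and gives the directory a purpose.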
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium.
Copilot Autofix
AI 2 months ago
To fix the problem, explicitly declare minimal GITHUB_TOKEN permissions for this workflow or job. Since the workflow only checks out code, builds, tests, and uploads coverage to Codacy (an external service), it only needs read access to repository contents. No repository writes (pushes, PR updates, etc.) are performed.
The best fix is to add a permissions block at the workflow root, right after name: Code Coverage, so it applies to all jobs (there is only codecoverage). Set contents: read as a minimal starting point in line with the CodeQL recommendation. No imports or additional methods are required; this is a pure YAML configuration change.
Concretely, in .github/workflows/codecoverage.yml, insert:

    permissions:
      contents: read

between lines 1 and 3 (after the name line and before on:). This will ensure the GITHUB_TOKEN has only read access to repository contents during this workflow, without altering existing functionality.
| @@ -1,5 +1,8 @@ | ||
| name: Code Coverage | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| # branches to consider in the event; optional, defaults to all |
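Review bot: `contents: read` at the workflow root is the right scope here, since `actions/checkout` only needs to read the repository and the Codacy upload authenticates with `secrets.CODACY_PROJECT_TOKEN` rather than with `GITHUB_TOKEN`; the caveat is that this block narrows only the automatic token, not the feed URLs and Codacy token that the job's steps receive through `secrets.*`, so it should be merged together with tight version pinning of the steps that run in the job. A one-line comment above `permissions:` stating that the token is never used for writes would help the next editor resist widening it.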
closes #796