Task/#1045 move code coverage to its own workflow #1046
StuartFerguson merged 2 commits into master from
Removed code coverage steps from nightly build workflow.
| name: "Code Coverage" | ||
| env: | ||
| ASPNETCORE_ENVIRONMENT: "Production" | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v2.3.4 | ||
|
|
||
| - name: Restore Nuget Packages | ||
| run: dotnet restore SecurityService.sln --source ${{ secrets.PUBLICFEEDURL }} --source ${{ secrets.PRIVATEFEED_URL }} | ||
|
|
||
| - name: Build Code | ||
| run: dotnet build SecurityService.sln --configuration Release | ||
|
|
||
| - name: Run Unit Tests | ||
| run: | | ||
| echo "ASPNETCORE_ENVIRONMENT are > ${ASPNETCORE_ENVIRONMENT}" | ||
| dotnet test "SecurityService.UnitTests\SecurityService.UnitTests.csproj" /p:ExcludeByFile="\SecurityService\Views\**\*.cshtml" /p:CollectCoverage=true /p:Exclude="[xunit*]*" /p:ExcludeByAttribute="Obsolete" /p:ExcludeByAttribute="GeneratedCodeAttribute" /p:ExcludeByAttribute="CompilerGeneratedAttribute" /p:ExcludeByAttribute="ExcludeFromCodeCoverageAttribute" /p:CoverletOutput="../lcov1.info" /maxcpucount:1 /p:CoverletOutputFormat="lcov" | ||
|
|
||
| - name: Install LCOV merger | ||
| run: npm install -g lcov-result-merger | ||
|
|
||
| - name: Merge LCOV reports | ||
| run: | | ||
| mkdir -p coverage | ||
| lcov-result-merger "*.info" > lcov.info | ||
|
|
||
| - name: Upload merged coverage to Codacy | ||
| uses: codacy/codacy-coverage-reporter-action@v1 | ||
| with: | ||
| project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} | ||
| coverage-reports: ./lcov.info |
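Review bot: the `build` job declares no `permissions:` block, so it runs with the repository's default GITHUB_TOKEN scope although nothing in this job needs more than reading the checkout; add `permissions:` with `contents: read` at job or workflow level. The third-party dependencies are also pinned loosely: `actions/checkout@v2.3.4` and `codacy/codacy-coverage-reporter-action@v1` resolve to mutable tags, and `npm install -g lcov-result-merger` fetches whatever version is latest at run time; pinning the actions to full commit SHAs and the npm package to an exact version makes the coverage job reproducible and limits what a compromised upstream can change. Minor: `mkdir -p coverage` creates a directory that no later step writes to, since `lcov-result-merger "*.info" > lcov.info` writes into the working directory.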
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI), about 2 months ago
To fix the problem, explicitly declare restricted GITHUB_TOKEN permissions in the workflow. The least-privilege baseline for a workflow that only checks out code and runs tests is contents: read at the workflow or job level. No steps in the shown job require write access to the repo, so we can safely limit permissions to read-only.
The best fix without changing existing functionality is to add a permissions: block under the jobs: root (so it applies to this and any future jobs) or directly under the build: job. Since there is currently only one job, either is fine; adding at the job level makes the change tightly scoped. Concretely, in .github/workflows/codecoverage.yml, add:
    permissions:
      contents: read
just under build: (and before name:) with correct indentation. No imports, methods, or other definitions are needed; YAML structure is the only change.
| @@ -9,6 +9,8 @@ | ||
|
|
||
| jobs: | ||
| build: | ||
| permissions: | ||
| contents: read | ||
| name: "Code Coverage" | ||
| env: | ||
| ASPNETCORE_ENVIRONMENT: "Production" |
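Review bot: the job-level `permissions:` block is the right scope here; note that once any permission is declared, every unlisted GITHUB_TOKEN scope drops to `none`, which is fine for this job because the Codacy upload authenticates with `CODACY_PROJECT_TOKEN` rather than GITHUB_TOKEN and the other steps only read the checkout. A second job added to this file later will not inherit the block; a root-level `permissions:` would cover future jobs as well, as the autofix text points out.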
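The CodeQL finding above is the kind of check that is worth running locally before a workflow is merged. The following is an added example, not code from this repository or from CodeQL: a small line-based audit that reports jobs with no `permissions:` block (at job or workflow root) and `uses:` references that are not pinned to a full 40-hex commit SHA. The two embedded workflows are constructed samples modelled on the job in this PR, and the SHAs in the hardened copy are obviously fake placeholders; the parser is a deliberately simple indentation walker, not a full YAML implementation.

```python
import re

# Constructed sample modelled on the job in this PR; not the repository's actual file.
WEAK_WORKFLOW = """\
name: Code Coverage
on:
  schedule:
    - cron: "0 2 * * *"
jobs:
  build:
    name: "Code Coverage"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2.3.4
      - name: Upload merged coverage to Codacy
        uses: codacy/codacy-coverage-reporter-action@v1
        with:
          coverage-reports: ./lcov.info
"""

# Same job with the job-level permissions block the autofix proposes and the
# action refs pinned to full-length commit SHAs (placeholder values, not real commits).
HARDENED_WORKFLOW = (
    WEAK_WORKFLOW
    .replace("  build:\n", "  build:\n    permissions:\n      contents: read\n")
    .replace("@v2.3.4", "@" + "a" * 40)
    .replace("@v1", "@" + "b" * 40)
)

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^(?:-\s+)?uses:\s*(\S+)")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def audit_workflow(text):
    """Audit a GitHub Actions workflow for two least-privilege/supply-chain issues.

    Returns (jobs_missing_permissions, unpinned_actions). A job is reported when
    neither it nor the workflow root declares `permissions:`; an action is
    reported when the ref after '@' is not a 40-hex commit SHA.
    """
    root_permissions = False
    jobs = {}            # job id -> True if the job has its own permissions block
    unpinned = []
    in_jobs = False
    job_indent = None    # indentation of job ids directly under `jobs:`
    key_indent = None    # indentation of keys directly under the current job
    current_job = None

    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        ind = _indent(raw)

        if ind == 0:                            # workflow root keys
            in_jobs = stripped == "jobs:"
            if stripped.startswith("permissions:"):
                root_permissions = True         # root block is inherited by all jobs
            current_job = None
            continue

        if in_jobs:
            if job_indent is None:
                job_indent = ind
            if ind == job_indent and stripped.endswith(":"):
                current_job = stripped[:-1]
                jobs[current_job] = False
                key_indent = None
                continue
            if current_job is not None:
                if key_indent is None:
                    key_indent = ind
                # Only a key at the job's own level counts; a `with:` input named
                # "permissions" deeper down would not.
                if ind == key_indent and stripped.startswith("permissions:"):
                    jobs[current_job] = True

        m = USES.match(stripped)
        if m:
            ref = m.group(1)
            # Local (./path) and docker:// refs carry no '@' and are skipped.
            if "@" in ref and not FULL_SHA.match(ref.rsplit("@", 1)[1]):
                unpinned.append(ref)

    missing = [] if root_permissions else [j for j, ok in jobs.items() if not ok]
    return missing, unpinned


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        missing, unpinned = audit_workflow(wf)
        print(f"{label}: jobs without permissions={missing} unpinned={unpinned}")
```

Run on the weak sample it flags the `build` job and both tag-pinned actions; on the hardened sample it reports nothing, because the job-level block satisfies the same rule CodeQL applies and the refs are commit SHAs.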