ci: Update workflows #21
Conversation
Pull Request Overview
This PR updates GitHub Actions workflows to use reusable workflows from a centralized repository (intel/mfd) instead of local workflow files, standardizing CI/CD processes across projects.
- Replaces local workflow implementations with calls to centralized reusable workflows
- Standardizes workflow naming conventions with proper capitalization
- Adds new workflows for dependency review, code standard checking, and PR format validation
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/run_tests.yml | New workflow for running unit and functional tests using centralized workflow |
| .github/workflows/pull_requests.yml | Simplified to use centralized pull request workflow with cleaner matrix configuration |
| .github/workflows/manual_release.yml | Updated to use centralized manual release workflow with simplified matrix |
| .github/workflows/main.yml | New main branch CI build workflow using centralized workflow |
| .github/workflows/dependency_review.yml | New workflow for dependency review using centralized workflow |
| .github/workflows/codeql.yml | Replaced local CodeQL implementation with centralized workflow |
| .github/workflows/check_pr_format.yml | New workflow for PR title and commit validation |
| .github/workflows/check_code_standard.yml | New workflow for code standard checking |
| .github/dependency_review.yml | Configuration file for dependency review settings |
| .github/dependabot.yml | Configuration for automated dependency updates |
| uses: intel/mfd/.github/workflows/check_pr_format.yml@main | ||
| with: | ||
| REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }} | ||
| BRANCH_NAME: ${{ github.head_ref }} |
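Review bot: REPOSITORY_NAME and BRANCH_NAME are taken from `github.event.pull_request.head.repo.full_name` and `github.head_ref`, which on a `pull_request` event come from the contributor's fork and branch name, so the called workflow has to treat both inputs as untrusted data (pass them through `env:` and quote them, never interpolate a `${{ }}` expression straight into a `run:` script). Separately, every `uses:` in this PR points at `@main` of intel/mfd; a floating branch means any change in that repository alters this repository's CI on the next run, so pinning the reusable workflows to a release tag or commit SHA is worth considering even within the same org.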
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 2 months ago
To fix this issue, add an explicit permissions block to the workflow file .github/workflows/check_pr_format.yml. Since the job delegates execution to a reusable workflow via uses: intel/mfd/.github/workflows/check_pr_format.yml@main and there are no steps run locally, the minimal sensible permissions are contents: read, which allows workflows to read project files for validation without granting write access. If the workflow ever needs to update pull requests (i.e., comment gates, status checks), you could additionally allow pull-requests: write, but the safest initial configuration is contents: read only. You should add the permissions block at the top level (beneath the name: declaration), ensuring it applies to all jobs unless overridden. This change will ensure GITHUB_TOKEN is restricted appropriately whenever the workflow runs.
The change is a single block addition after the name: line in .github/workflows/check_pr_format.yml. No imports or code changes outside this file are required.
| @@ -1,4 +1,6 @@ | ||
| name: Title + Commit Validation | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: |
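Review bot: the added root-level `permissions: contents: read` also becomes the ceiling for the reusable workflow, because a called workflow can only narrow the GITHUB_TOKEN permissions it receives from the caller, never widen them. Please confirm that intel/mfd's check_pr_format.yml does not request anything beyond `contents: read` (for example `pull-requests: read` if it fetches the PR title and commits through the API); if it does, the run will start failing after this fix, and the extra permission should then be added explicitly at the job level rather than left to the defaults.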
|
|
||
| jobs: | ||
| dependency_review: | ||
| uses: intel/mfd/.github/workflows/dependency_review.yml@main |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 2 months ago
To fix the problem, you should add a permissions block at the root of the workflow file .github/workflows/dependency_review.yml. This block comes directly below the workflow name and above the on block. Based on least privilege principles and the nature of dependency review actions, the minimal required starting point for this workflow is likely contents: read. If further permissions are ever required, they can be added or elevated per job as needed, but specifying contents: read at the workflow root prevents accidental use of broad defaults.
| @@ -1,4 +1,6 @@ | ||
| name: Dependency Review | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: |
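Review bot: the same caller-ceiling caveat applies here and matters more, since dependency review workflows commonly post a summary comment on the PR, which needs `pull-requests: write` and would now be blocked by `contents: read`. If the centralized workflow only fails the check without commenting, this block is sufficient; if it comments, grant `pull-requests: write` on the `dependency_review` job rather than widening the root block. Also worth confirming that the centralized workflow actually reads the new `.github/dependency_review.yml` listed in this PR, since the `uses:` call passes no `with:` input pointing at it.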
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| python_version: ['3.10', '3.13'] | ||
| uses: intel/mfd/.github/workflows/main.yml@main | ||
| secrets: | ||
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | ||
| with: | ||
| REPOSITORY_NAME: ${{ github.repository }} | ||
| BRANCH_NAME: ${{ github.ref_name }} | ||
| PYTHON_VERSION: ${{ matrix.python_version }} | ||
| PROJECT_NAME: 'mfd-network-adapter' |
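Review bot: passing `secrets.GH_TOKEN` explicitly instead of `secrets: inherit` is the right shape, but note that any `permissions:` block on this job constrains only GITHUB_TOKEN; a personal access token handed over as GH_TOKEN carries whatever scopes it was created with, so its scope should be reviewed separately. This file is described as the main-branch build, so it is not reachable from fork PRs, which is the right place for such a secret to live.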
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 2 months ago
To fix the problem, explicitly specify a restrictive permissions block in the workflow file to ensure the GITHUB_TOKEN granted to this workflow/job only allows the minimum required privileges. The most conservative general starting point is permissions: {}; that is, no permissions by default. If the workflow requires specific permissions (such as to read public repository contents), use contents: read. Since the job uses a reusable workflow and the details of token usage are not shown, the widely accepted minimal default for most workflows is contents: read. The permissions block should be added at the job level under build_whl (especially since this job uses an external workflow). To implement the fix, insert the permissions: {} or permissions: contents: read (depending on whether any actions require content access) block at line 10, respecting the YAML structure and indentation.
| @@ -7,6 +7,8 @@ | ||
|
|
||
| jobs: | ||
| build_whl: | ||
| permissions: | ||
| contents: read | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: |
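Review bot: putting `permissions: contents: read` on `build_whl` alone covers only that job; any job added to main.yml later will start with the default token permissions again. Prefer a root-level block, as the autofixes for the other workflows do, and narrow or widen per job only where a job genuinely differs.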
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| os: [ubuntu-latest, windows-latest] | ||
| python_version: ['3.10', '3.13'] | ||
| uses: intel/mfd/.github/workflows/run_tests.yml@main | ||
| with: | ||
| PYTHON_VERSION: ${{ matrix.python_version }} | ||
| RUNS_ON: ${{ matrix.os }} | ||
| PROJECT_NAME: 'mfd-network-adapter' |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 2 months ago
To resolve the issue, an explicit permissions block should be added at the YAML workflow root level (lines 2-3), to restrict all jobs to the minimum required privileges. Since this workflow only runs tests and there is no obvious need for any write access, the safest default for CI pipelines is contents: read. This will ensure that the GITHUB_TOKEN only receives read access to the repository contents, and no write access. If future jobs require more (for example, write access to issues or PRs), permissions can be expanded, but contents: read is the recommended minimal starting point. This change should be made at the root, immediately following the workflow's name field and before the on: block.
| @@ -1,4 +1,6 @@ | ||
| name: Run Tests (ut + ft) | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: |
We don't publish DEVs .whl.
Signed-off-by: Hubert Cymerys <hubert.cymerys@intel.com>
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| python_version: ['3.10', '3.13'] | ||
| uses: intel/mfd/.github/workflows/check_code_standard.yml@main | ||
| with: | ||
| REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }} | ||
| BRANCH_NAME: ${{ github.head_ref }} | ||
| PYTHON_VERSION: ${{ matrix.python_version }} |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 2 months ago
General fix:
To resolve this, add a permissions block specifying the minimal required privileges, as close to the jobs using them as possible. In most cases, adding a top-level permissions block with read on contents is both safe and effective for most workflows that only check or lint code.
Specific fix for this code:
Add a permissions block at the workflow (root) level in .github/workflows/check_code_standard.yml, under the name and before on:, specifying the minimum privilege necessary. If the inner, called workflow intel/mfd/.github/workflows/check_code_standard.yml@main or this wrapper only requires code checkout or reading, then the safest setting is:
permissions:
  contents: read
If more permissions are needed, e.g. for modifying PRs, this can be adjusted, but by default, contents: read is a minimal safe starting point.
Files/Lines to change:
Edit .github/workflows/check_code_standard.yml:
Insert a permissions: block (with contents: read) after the name: field, before (or after) any blank lines but before on:.
| @@ -1,4 +1,6 @@ | ||
| name: Check Code Standard | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: |
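The CodeQL finding repeated on each wrapper above ("Workflow does not contain permissions") and the `@main` references in the `uses:` lines can be caught locally before a push with a small lint. This is an added example, not code from this PR or from intel/mfd: it is deliberately an indentation-based scan of the two-space YAML layout these files use rather than a full YAML parser, so it needs no PyYAML, and the sample workflow text and the list of mutable refs are constructed here.

```python
import re

# Constructed list of branch-style refs that move over time (unlike tags or SHAs).
MUTABLE_REFS = {"main", "master", "develop"}

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def lint_workflow(text: str) -> list[str]:
    """Findings: jobs with no permissions block (root or job level) and mutable `uses:` refs."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    has_root_perms = any(ln.startswith("permissions:") for ln in lines)
    findings, jobs = [], {}          # jobs: name -> has its own permissions block
    in_jobs, job_indent, current = False, None, None
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ind = _indent(line)
        if ind == 0:                 # new top-level key; only `jobs:` is walked
            in_jobs, current = line.startswith("jobs:"), None
            continue
        if not in_jobs:
            continue
        job_indent = job_indent or ind   # indentation of job names under jobs:
        key = line.strip()
        if ind == job_indent and key.endswith(":"):
            current = key[:-1]
            jobs[current] = False
        elif current and ind > job_indent:
            if key.startswith("permissions:"):
                jobs[current] = True
            m = re.match(r"uses:\s*(\S+)@(\S+)", key)
            if m and m.group(2) in MUTABLE_REFS:
                findings.append(f"{current}: uses {m.group(1)} pinned to mutable ref @{m.group(2)}")
    if not has_root_perms:
        findings += [f"{n}: no permissions block at root or job level" for n, own in jobs.items() if not own]
    return findings

# Constructed sample mirroring the dependency_review.yml wrapper in this PR, before the autofix.
BEFORE = """\
name: Dependency Review
on:
  pull_request:
jobs:
  dependency_review:
    uses: intel/mfd/.github/workflows/dependency_review.yml@main
"""
# The autofix shape: a root-level permissions block between name: and on:.
AFTER = BEFORE.replace("on:\n", "permissions:\n  contents: read\non:\n", 1)
```

Running `lint_workflow` over each file in `.github/workflows` reports the job that lacks a permissions ceiling and the reusable workflow still tracking a branch, which is the same pair of review points raised on the hunks above.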
Pull Request Overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.
No description provided.