Enable private key export and import #76
Conversation
0xnullifier
force-pushed
the
utk-enable-privkey-export-import
branch
from
5ddcb12 to
d87b5f3
Compare
|
Marking as draft as this will build upon #78 |
0xnullifier
force-pushed
the
utk-enable-privkey-export-import
branch
from
33c1ea9 to
3875875
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Test | ||
| needs: translations | ||
| # Skip if translations committed - new workflow run will handle it | ||
| if: needs.translations.outputs.committed != 'true' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check Out Code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Use Node 20 | ||
| uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: 20 | ||
|
|
||
| - name: Run Install | ||
| uses: borales/actions-yarn@v4 | ||
| with: | ||
| cmd: install | ||
|
|
||
| - name: Run ESLint | ||
| uses: borales/actions-yarn@v4 | ||
| with: | ||
| cmd: lint | ||
|
|
||
| - name: Run TypeScript Check | ||
| uses: borales/actions-yarn@v4 | ||
| with: | ||
| cmd: ts | ||
|
|
||
| - name: Run Unit Tests | ||
| uses: borales/actions-yarn@v4 | ||
| with: | ||
| cmd: test | ||
|
|
||
| - name: Install Chrome | ||
| uses: browser-actions/setup-chrome@v1 | ||
|
|
||
| - name: Build chrome | ||
| uses: borales/actions-yarn@v4 | ||
| with: | ||
| cmd: build:chrome | ||
|
|
||
| - name: Install Playwright Browsers | ||
| run: npx playwright install --with-deps chromium | ||
|
|
||
| - name: Run Playwright E2E | ||
| run: xvfb-run -a yarn test:e2e | ||
|
|
||
| coverage: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 10 days ago
In general, the fix is to explicitly add a permissions block to the workflow so that the GITHUB_TOKEN has only the minimum required permissions. We can do this at the workflow root (applies to all jobs) and/or at individual jobs. Here, the ci, coverage, and i18n-check jobs only need read access to repository contents, while the translations job needs to be able to push commits, so it needs contents: write.
The simplest change without altering functionality is:
- Add a root-level
permissionsblock settingcontents: readso all jobs default to read-only access. - Add a
permissionsblock inside thetranslationsjob overriding this default withcontents: writeso thatgit pushcontinues to work. - No other jobs need additional permissions, so they can rely on the restrictive root-level setting.
Concretely:
- In
.github/workflows/pr.yml, insert a root-levelpermissions:section after theon:block. - In the
translationsjob definition, addpermissions:\n contents: writeunderruns-on: ubuntu-latest.
No imports or extra methods are necessary, as this is purely YAML configuration.
| @@ -9,10 +9,15 @@ | ||
| - 'mw-**' | ||
| - 'feat/**' | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| translations: | ||
| name: Update Translation Files | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| outputs: | ||
| committed: ${{ steps.commit.outputs.committed }} | ||
| steps: |
| name: Coverage Check (80% minimum) | ||
| needs: translations | ||
| # Skip if translations committed - new workflow run will handle it | ||
| if: needs.translations.outputs.committed != 'true' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check Out Code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Use Node 20 | ||
| uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: 20 | ||
|
|
||
| - name: Run Install | ||
| uses: borales/actions-yarn@v4 | ||
| with: | ||
| cmd: install | ||
|
|
||
| - name: Run Coverage Check | ||
| uses: borales/actions-yarn@v4 | ||
| with: | ||
| cmd: test:coverage | ||
|
|
||
| i18n-check: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 10 days ago
To fix the problem, explicitly declare minimal GITHUB_TOKEN permissions so the workflow does not fall back to repository defaults. The safest and simplest change, without altering behavior, is to add a workflow‑level permissions block that grants only read access to repository contents. This will apply to all jobs unless a specific job overrides it. Since the shown jobs (ci, coverage, i18n-check) only check out code and run Node/Yarn/Playwright commands, they only need contents: read.
Concretely:
- Edit
.github/workflows/pr.yml. - After the
name: PR Testsline and before theon:block, add:
permissions:
contents: readThis keeps the change localized, avoids modifying any job steps, and ensures the coverage job (and the others) run with least privilege. No imports or extra methods are needed; it’s purely a YAML configuration change.
| @@ -1,5 +1,8 @@ | ||
| name: PR Tests | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: |
| name: Check for non-i18n'd strings | ||
| needs: translations | ||
| # Skip if translations committed - new workflow run will handle it | ||
| if: needs.translations.outputs.committed != 'true' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check Out Code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| cache: yarn | ||
|
|
||
| - name: Install dependencies | ||
| run: yarn install --frozen-lockfile | ||
|
|
||
| - name: Check i18n compliance | ||
| run: yarn lint:i18n |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 10 days ago
In general, the problem is fixed by explicitly defining a permissions: block so that the GITHUB_TOKEN has only the minimal permissions required. For this workflow, most jobs only need read access to repository contents, while the translations job performs a git push and therefore needs contents: write.
The best way to fix this without changing existing functionality is:
- Add a workflow-level
permissions:block right after thename:(beforeon:) that setscontents: read. This will apply to all jobs by default (ci,coverage,i18n-check, and eventranslationsunless overridden). - Add a job-level
permissions:block under thetranslations:job that elevates its permission tocontents: write, since it commits and pushes translation files. This keeps the other jobs at read-only while allowingtranslationsto continue pushing changes.
Concretely:
-
Edit
.github/workflows/pr.yml. -
Insert:
permissions: contents: read
between line 1 (
name: PR Tests) and line 3 (on:). -
Under
translations:(line 13), after thename:(line 14), insert:permissions: contents: write
No additional imports, methods, or external definitions are required; this is purely a YAML workflow configuration change.
| @@ -1,5 +1,8 @@ | ||
| name: PR Tests | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| @@ -12,6 +15,8 @@ | ||
| jobs: | ||
| translations: | ||
| name: Update Translation Files | ||
| permissions: | ||
| contents: write | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| committed: ${{ steps.commit.outputs.committed }} |
0xnullifier
changed the base branch from
main
to
utk-fix-import-encrypted-json
0xnullifier
force-pushed
the
utk-fix-import-encrypted-json
branch
from
7221699 to
e17e533
Compare
0xnullifier
force-pushed
the
utk-enable-privkey-export-import
branch
from
2d80ff7 to
1b69e9b
Compare
0xnullifier
force-pushed
the
utk-fix-import-encrypted-json
branch
from
e17e533 to
6ba0d3e
Compare
0xnullifier
force-pushed
the
utk-enable-privkey-export-import
branch
from
1b69e9b to
65c3de8
Compare
importing from file
0xnullifier
force-pushed
the
utk-fix-import-encrypted-json
branch
from
6ba0d3e to
47e3714
Compare
* refactor: unify i18n to use i18next exclusively - Remove custom T/t exports from lib/i18n/react.tsx - Use i18n.changeLanguage() instead of page reload for instant switching - Update getCurrentLocale() to use i18next's current language - Configure $...$ interpolation format in i18next - Update numbers.ts to use i18n.t() directly - Load saved locale from localStorage on init * refactor: migrate components from T/t to useTranslation() * feat: add Language Settings page for runtime language switching * chore: add translations for language settings * feat: add Spanish language support * feat: add Polish language support * refactor: remove en_GB locale, fallback to en for UK users * style: reduce font size in language selector dropdown * style: update language selector header to descriptive text * chore: remove 'Powered by' text from About section * chore: update branding from Demox Labs to Miden * chore: update LICENSE copyright to Miden * style: fix prettier formatting in LocaleSelect * chore: remove redundant test:e2e:ui script * fix: sync locale JSON files from messages.json translations * chore: change About to 'About This App' with translations * fix: keep technical terms (Seed Phrase, Faucet, Note) in English for all locales * fix: keep technical terms in English within translated phrases * fix: keep 'Smart Contract' in English across all translations * chore: replace Aleo/Leo with Miden and remove unused translation keys - Replace all Aleo and Leo references with Miden in English translations - Remove 646 unused translation keys across all 14 locale files - Fix fancy quote characters causing JSON parsing issues * fix: preserve technical terms (Seed Phrase, Faucet, Note) during translation - Add XML-style placeholder protection for technical terms - Add KNOWN_TRANSLATIONS map for 15+ languages to catch escaped terms - Add post-processing to fix any terms that escaped placeholder protection - Handle singular/plural correctly based on English source * chore: remove stale translation keys and fix en/messages.json generation * chore: update translation files --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* fix: settings page bottom toolbar being cut off * fix: TypeScript errors in SeedLengthSelect and ActivityDetails * chore: update translation files * fix: run CI after translations to prevent stale checks * fix: consolidate all PR checks to run after translations * fix: move fork check to step level so job always succeeds * fix: inline all PR jobs into single workflow to avoid reusable workflow issues * fix: skip CI jobs if translations committed (new run will handle it) * fix: E2E tests - fix extension loading and i18n placeholder format --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
0xnullifier
force-pushed
the
utk-enable-privkey-export-import
branch
from
65c3de8 to
adff944
Compare
0xnullifier
force-pushed
the
utk-fix-import-encrypted-json
branch
from
e5ce701 to
97e8b4a
Compare
Closes one part of #64
It changes the seed phrase derived client seed to be used for only secret key generation and thus enables export and import purely based on private keys
Closes Feedback Issue