Feat: Enable Auth Scheme selection #79
base: utk-enable-privkey-export-import
Conversation
c589836 to 634b42f
```yaml
    name: Test
    needs: translations
    # Skip if translations committed - new workflow run will handle it
    if: needs.translations.outputs.committed != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Check Out Code
        uses: actions/checkout@v3

      - name: Use Node 20
        uses: actions/setup-node@v3
        with:
          node-version: 20

      - name: Run Install
        uses: borales/actions-yarn@v4
        with:
          cmd: install

      - name: Run ESLint
        uses: borales/actions-yarn@v4
        with:
          cmd: lint

      - name: Run TypeScript Check
        uses: borales/actions-yarn@v4
        with:
          cmd: ts

      - name: Run Unit Tests
        uses: borales/actions-yarn@v4
        with:
          cmd: test

      - name: Install Chrome
        uses: browser-actions/setup-chrome@v1

      - name: Build chrome
        uses: borales/actions-yarn@v4
        with:
          cmd: build:chrome

      - name: Install Playwright Browsers
        run: npx playwright install --with-deps chromium

      - name: Run Playwright E2E
        run: xvfb-run -a yarn test:e2e

  coverage:
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions

Copilot Autofix (AI, 10 days ago):
To fix this, add an explicit `permissions` block that follows least privilege. The simplest and safest approach is:

- At the workflow (top) level, set `permissions: contents: read` to cover the CI-style jobs that only need to read code and run tests (`ci`, `coverage`, `i18n-check`).
- For the `translations` job, override permissions with a job-level `permissions` block that allows writing to repository contents so that `git push` works, while keeping other scopes at default minimal levels (i.e., unspecified and thus effectively none).

Concretely:

- Edit `.github/workflows/pr.yml`.
- After the `name: PR Tests` line, add a top-level `permissions:` block with `contents: read`.
- Under the `translations:` job (same indentation level as `name`, `runs-on`), add a `permissions:` block with `contents: write`.

This keeps existing functionality: translations can still commit and push translation updates, while the rest of the jobs have only read access to repo contents. No other imports or definitions are needed, as this is pure YAML configuration for GitHub Actions.
| @@ -1,5 +1,8 @@ | ||
| name: PR Tests | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
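Review bot: the workflow-level `contents: read` added here only constrains GITHUB_TOKEN; it has no effect on a PAT or GitHub App token that a job pulls from secrets, so if the `translations` push uses one of those, the scopes declared in this block are not what the push runs with. Also, because the trigger shown in this hunk is `pull_request`, runs from forked repositories already receive a read-only token whatever is declared, so for fork PRs the push in `translations` fails regardless of this change.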
| @@ -13,6 +16,8 @@ | ||
| translations: | ||
| name: Update Translation Files | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| outputs: | ||
| committed: ${{ steps.commit.outputs.committed }} | ||
| steps: |
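Review bot: `contents: write` on `translations` lets its `git push` succeed with GITHUB_TOKEN, but commits pushed with GITHUB_TOKEN do not start new `pull_request` workflow runs, so the `if: needs.translations.outputs.committed != 'true'` guard on the dependent jobs (whose comment reads "new workflow run will handle it") would leave the pushed commit with no test, coverage or i18n run. Either push with a token that does trigger runs (a GitHub App or PAT secret, scoped to this one repository) or drop the skip and let the dependent jobs run in the same workflow after the commit.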
```yaml
    name: Coverage Check (80% minimum)
    needs: translations
    # Skip if translations committed - new workflow run will handle it
    if: needs.translations.outputs.committed != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Check Out Code
        uses: actions/checkout@v3

      - name: Use Node 20
        uses: actions/setup-node@v3
        with:
          node-version: 20

      - name: Run Install
        uses: borales/actions-yarn@v4
        with:
          cmd: install

      - name: Run Coverage Check
        uses: borales/actions-yarn@v4
        with:
          cmd: test:coverage

  i18n-check:
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions

Copilot Autofix (AI, 10 days ago):
In general, the problem is fixed by explicitly specifying a `permissions:` block for the workflow or for individual jobs, granting only the minimal scopes needed. Since all of the shown jobs only need to read the repository contents (via `actions/checkout`) and do not perform any write operations back to GitHub, setting `contents: read` is sufficient and aligns with the CodeQL "minimal starting point" suggestion.

The best way to fix this without changing existing functionality is to add a top-level `permissions:` block right under the workflow `name:` and before the `on:` key in `.github/workflows/pr.yml`. This way, the permission setting applies to all jobs that do not override it (which includes `translations`, `ci`, `coverage`, and `i18n-check` as shown). Concretely, you should insert:

```yaml
permissions:
  contents: read
```

between the existing line `name: PR Tests` and the `on:` block. No changes are needed inside the individual jobs, and no imports or additional methods are required since this is purely a workflow configuration change.
| @@ -1,5 +1,8 @@ | ||
| name: PR Tests | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: |
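Review bot: this variant puts every job, `translations` included, on `contents: read`, while the other two autofix comments on this PR state that `translations` commits and pushes translation files with `git push`; applied on its own it would make that push fail with a permission error rather than "not change existing functionality". Use it only if the push is done with a separately scoped token; otherwise prefer the variant that adds a job-level `contents: write` override for `translations`.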
```yaml
    name: Check for non-i18n'd strings
    needs: translations
    # Skip if translations committed - new workflow run will handle it
    if: needs.translations.outputs.committed != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Check Out Code
        uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: yarn

      - name: Install dependencies
        run: yarn install --frozen-lockfile

      - name: Check i18n compliance
        run: yarn lint:i18n
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions

Copilot Autofix (AI, 10 days ago):
In general, the fix is to add an explicit `permissions` block to the workflow and/or individual jobs so that the GITHUB_TOKEN has only the minimal scopes required. Jobs that don't need to modify repository contents (like `ci`, `coverage`, and `i18n-check`) should have `contents: read`. The `translations` job, which commits and pushes generated translation files back to the repo, needs `contents: write`.

The cleanest way to do this without changing behavior is:

- Add a workflow-level `permissions: contents: read` so that all jobs default to read-only.
- Override the `translations` job with `permissions: contents: write` so it can still push changes.

This addresses the CodeQL warning (including for `i18n-check`) and enforces least privilege. No additional imports or external dependencies are required; all changes are within `.github/workflows/pr.yml`.

Concretely:

- Edit `.github/workflows/pr.yml` near the top to add `permissions:` / `contents: read` right after the `name: PR Tests` line (and before `on:`).
- Edit the `translations` job definition to add `permissions:` / `contents: write` between `runs-on: ubuntu-latest` and `outputs:`.
| @@ -1,5 +1,8 @@ | ||
| name: PR Tests | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| @@ -13,6 +16,8 @@ | ||
| translations: | ||
| name: Update Translation Files | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| outputs: | ||
| committed: ${{ steps.commit.outputs.committed }} | ||
| steps: |
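The three autofix comments above all rest on one rule: a job runs with the repository-default GITHUB_TOKEN scopes unless it declares `permissions:` itself or the workflow declares a block that it inherits. The checker below reproduces that rule (it is an added example, not code from this PR, from CodeQL or from Copilot Autofix) and runs it over a constructed workflow with the same job layout as the `pr.yml` discussed here, before and after the proposed top-level block. The function names, the sample workflow and the hardened variant are all assumptions made for the example; the scanner handles only the block-style YAML that ordinary workflow files use (one `key:` per line) and is not a general YAML parser.

```python
"""Flag GitHub Actions jobs that run with the repository-default GITHUB_TOKEN.

Added example, not code from this PR or from Copilot Autofix. Handles only the
block-style YAML of ordinary workflow files (one `key:` per line, job ids
nested directly under `jobs:`); it is not a general YAML parser.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample with the same job layout as the pr.yml on this page, before
# the fix: `coverage` carries its own block, `translations` and `ci` do not.
SAMPLE_WORKFLOW = """\
name: PR Tests

on:
  pull_request:

jobs:
  translations:
    name: Update Translation Files
    runs-on: ubuntu-latest
    outputs:
      committed: ${{ steps.commit.outputs.committed }}
    steps:
      - uses: actions/checkout@v4
      - run: git push

  ci:
    name: Test
    needs: translations
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

  coverage:
    name: Coverage Check (80% minimum)
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
"""

# The same file with the workflow-level block the autofix proposes (assumed form).
HARDENED_WORKFLOW = SAMPLE_WORKFLOW.replace(
    "name: PR Tests\n", "name: PR Tests\n\npermissions:\n  contents: read\n", 1
)

# A mapping key at the start of a line: indentation and key name.
# List items such as `- uses: ...` deliberately do not match.
_KEY = re.compile(r"^( *)([A-Za-z0-9_.-]+):(.*)$")


def scan_permissions(text: str) -> Tuple[bool, Dict[str, bool]]:
    """Return (workflow_has_permissions, {job_id: job_has_own_permissions})."""
    workflow_level = False
    jobs: Dict[str, bool] = {}
    in_jobs = False
    job_indent: Optional[int] = None   # column of the job ids under `jobs:`
    body_indent: Optional[int] = None  # column of keys directly inside a job
    current: Optional[str] = None

    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _KEY.match(raw.rstrip())
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)

        if indent == 0:                       # top-level key
            workflow_level |= key == "permissions"
            in_jobs = key == "jobs"
            current = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:              # a new job id
            current, body_indent = key, None
            jobs[current] = False
        elif current is not None and indent > job_indent:
            if body_indent is None:
                body_indent = indent
            # Only a `permissions:` key directly under the job counts; the same
            # word nested deeper (inside `with:` or a step) is something else.
            if indent == body_indent and key == "permissions":
                jobs[current] = True
    return workflow_level, jobs


def unscoped_jobs(text: str) -> List[str]:
    """Job ids whose token scopes fall back to the repository default.

    A workflow-level block is inherited by every job that does not override it,
    so once it exists no job is reported (CodeQL's "minimal starting point").
    """
    workflow_level, jobs = scan_permissions(text)
    if workflow_level:
        return []
    return [job for job, own in jobs.items() if not own]


if __name__ == "__main__":
    for label, wf in (("before", SAMPLE_WORKFLOW), ("after", HARDENED_WORKFLOW)):
        print(f"{label}: jobs without explicit permissions = {unscoped_jobs(wf)}")
```

Running it reports `translations` and `ci` for the sample and nothing for the hardened variant. The checker only says which jobs inherit the repository default; it cannot tell whether that default is read-only or write-all, which is a repository setting, so a clean result is still no substitute for the explicit block.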
65c3de8 to adff944
4386ca1 to a6a5b93
Closes 0xMiden/feedback#121
This is what the extra step looks like

Content is subject to change