Skip to content

LunaroptAI2 #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
KalCola merged 10 commits into from
Mar 3, 2026
Merged

LunaroptAI2 #6

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
44610a2
Remove the EthicalCheck action step from the workflow
KalCola Mar 1, 2026
0795f25
Update node.js.yml
KalCola Mar 1, 2026
e6db7cd
Potential fix for code scanning alert no. 3: Workflow does not contai…
KalCola Mar 1, 2026
79c6abc
Delete .github/workflows/ethicalcheck.yml
KalCola Mar 1, 2026
1b4ecd3
Potential fix for code scanning alert no. 5: Workflow does not contai…
KalCola Mar 1, 2026
a96a353
Create npm-publish-github-packages.yml
KalCola Mar 1, 2026
d44e0d2
Create stale.yml
KalCola Mar 1, 2026
6d6fa1e
Update package-lock.json
KalCola Mar 1, 2026
2354cfa
Potential fix for code scanning alert no. 6: Workflow does not contai…
KalCola Mar 1, 2026
99a54af
Merge branch 'KalCola-patch-1' into main
KalCola Mar 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 0 additions & 20 deletions .github/workflows/ethicalcheck.yml
View file
Open in desktop

This file was deleted.

47 changes: 47 additions & 0 deletions .github/workflows/node.js.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@

name: Node.js CI

permissions:
contents: read

on:
push:
branches: [ "main" ]
Expand All @@ -29,3 +32,47 @@ jobs:
- run: npm ci
- run: npm run build --if-present
- run: npm test
Comment on lines +18 to +34

Check warning

Code scanning / CodeQL

Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

Copilot Autofix

AI 13 days ago

In general, the fix is to explicitly declare a restrictive permissions block for the workflow or for the individual job, rather than relying on repository/organization defaults. For a simple CI workflow that only checks out code and runs builds/tests, contents: read is typically sufficient and matches the minimal access CodeQL suggests.

The best fix here is to add a root-level permissions block right under the workflow name (or under on:) so it applies to all jobs that don’t override it. Since the build job only uses actions/checkout and runs local Node.js commands (npm ci, npm run build, npm test) and does not interact with issues, PRs, or packages, it only needs read access to repository contents. Concretely, in .github/workflows/node.js.yml, add:

permissions:
  contents: read

near the top of the file, without changing any existing steps or behavior. No additional imports or methods are needed, as this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/node.js.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
--- a/.github/workflows/node.js.yml
+++ b/.github/workflows/node.js.yml
@@ -3,6 +3,9 @@
 
 name: Node.js CI
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ "main" ]
EOF
@@ -3,6 +3,9 @@

name: Node.js CI

permissions:
contents: read

on:
push:
branches: [ "main" ]
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
- name: Setup Java JDK
uses: actions/setup-java@v5.2.0
with:
# The Java version to set up. Takes a whole or semver Java version. See examples of supported syntax in README file
java-version: # optional
# The path to the `.java-version` file. See examples of supported syntax in README file
java-version-file: # optional
# Java distribution. See the list of supported distributions in README file
distribution:
# The package type (jdk, jre, jdk+fx, jre+fx)
java-package: # optional, default is jdk
# The architecture of the package (defaults to the action runner's architecture)
architecture: # optional
# Path to where the compressed JDK is located
jdkFile: # optional
# Set this option if you want the action to check for the latest available version that satisfies the version spec
check-latest: # optional
# ID of the distributionManagement repository in the pom.xml file. Default is `github`
server-id: # optional, default is github
# Environment variable name for the username for authentication to the Apache Maven repository. Default is $GITHUB_ACTOR
server-username: # optional, default is GITHUB_ACTOR
# Environment variable name for password or token for authentication to the Apache Maven repository. Default is $GITHUB_TOKEN
server-password: # optional, default is GITHUB_TOKEN
# Path to where the settings.xml file will be written. Default is ~/.m2.
settings-path: # optional
# Overwrite the settings.xml file if it exists. Default is "true".
overwrite-settings: # optional, default is true
# GPG private key to import. Default is empty string.
gpg-private-key: # optional
# Environment variable name for the GPG private key passphrase. Default is $GPG_PASSPHRASE.
gpg-passphrase: # optional
# Name of the build platform to cache dependencies. It can be "maven", "gradle" or "sbt".
cache: # optional
# The path to a dependency file: pom.xml, build.gradle, build.sbt, etc. This option can be used with the `cache` option. If this option is omitted, the action searches for the dependency file in the entire repository. This option supports wildcards and a list of file names for caching multiple dependencies.
cache-dependency-path: # optional
# Workaround to pass job status to post job step. This variable is not intended for manual setting
job-status: # optional, default is ${{ job.status }}
# The token used to authenticate when fetching version manifests hosted on github.com, such as for the Microsoft Build of OpenJDK. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting.
token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }}
# Name of Maven Toolchain ID if the default name of "${distribution}_${java-version}" is not wanted. See examples of supported syntax in Advanced Usage file
mvn-toolchain-id: # optional
# Name of Maven Toolchain Vendor if the default name of "${distribution}" is not wanted. See examples of supported syntax in Advanced Usage file
mvn-toolchain-vendor: # optional

36 changes: 36 additions & 0 deletions .github/workflows/npm-publish-github-packages.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages

name: Node.js Package

on:
release:
types: [created]

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
- run: npm ci
- run: npm test

publish-gpr:
needs: build
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
registry-url: https://npm.pkg.github.com/
- run: npm ci
- run: npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
Loading