Conversation

@calebdoxsey
Contributor

Summary

Some improvements for CI:

  1. Fix the doc generation so that pre-commit doesn't complain about newly generated docs

...

Checklist

  • reference any related issues
  • updated docs
  • updated unit tests
  • updated UPGRADING.md
  • add appropriate tag (improvement / bug / etc)
  • ready for review

Comment on lines +12 to +28
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          ref: ${{ inputs.ref }}

      - name: Setup Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
        with:
          go-version: 1.24.x

      - name: Build
        run: make build

  lint:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 20 days ago

To fix this problem, we should add a permissions block to the workflow file. The safest and simplest way is to apply the permissions block at the workflow root, which sets the minimal permissions for all jobs unless overridden per job. Since none of the jobs require write access to repository contents or other resources, the recommended minimal permissions are contents: read. This restricts GITHUB_TOKEN to only read repository contents, which suffices for actions like actions/checkout and is in line with least privilege. The change should be made right after the name: and on: blocks, before the jobs: block. No further changes, methods, or imports are needed beyond this YAML addition.

Suggested changeset 1
.github/workflows/reusable-build.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml
--- a/.github/workflows/reusable-build.yaml
+++ b/.github/workflows/reusable-build.yaml
@@ -1,5 +1,8 @@
 name: Build
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
EOF
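Review bot: the root-level placement is the right scope for this file, since every job shown on this page (Build, Lint, Pre-Commit, Test) only checks out, builds, lints and tests, and a workflow_call workflow's token can only be narrowed by its callers, so `contents: read` at the top covers all four jobs without per-job repetition. Apply exactly one of the root-level suggestions on this page, though: this hunk and the two later ones headed `@@ -1,4 +1,6 @@` all insert the same key under `name: Build`, and applying two of them leaves a duplicate `permissions:` mapping key at the root, which is invalid YAML and will be rejected when the workflow is loaded. Also note that naming `contents: read` sets every other scope (pull-requests, packages, id-token and so on) to none for this workflow, so confirm no caller relies on the reusable workflow having a broader token.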
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +29 to +53
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref }}

      - name: Setup Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
        with:
          go-version: 1.24.x
          cache: false

      - run: make envoy
      - run: make pomerium-ui

      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84
        with:
          version: v1.64.8
          args: --timeout=10m

  pre-commit:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 20 days ago

To fix the issue, add a permissions block to the workflow file to explicitly restrict the GITHUB_TOKEN. The minimal secure default is permissions: contents: read either at the workflow root (applies to all jobs unless overridden) or for each job as needed. Since none of these jobs appear to need write permissions (they only check out code, build, lint, and run tests), setting the root-level permissions is sufficient and robust. The change should be made at the top level, after the name: and before on:, to ensure all jobs inherit the least privilege possible.

No method changes or additional imports are required—just the addition of a new YAML key.


Suggested changeset 1
.github/workflows/reusable-build.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml
--- a/.github/workflows/reusable-build.yaml
+++ b/.github/workflows/reusable-build.yaml
@@ -1,4 +1,6 @@
 name: Build
+permissions:
+  contents: read
 
 on:
   workflow_call:
EOF
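Review bot: this is the same root-level change as the first suggestion, differing only in that `permissions:` is placed directly under `name: Build` with no blank line between the two top-level keys; the two patches conflict on the same lines, so pick one. If this variant is chosen, add the blank line so the file keeps the separation it already uses between `name:` and `on:` (the `+` context in the first suggestion shows that layout).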
Comment on lines +54 to +85
    name: Pre-Commit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref }}

      - name: Setup Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
        with:
          go-version: 1.24.x

      - name: Setup Python
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
        with:
          python-version: "3.x"

      - name: Install Kustomize
        run: make kustomize

      - name: Pre-Commit
        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd
        with:
          extra_args: --show-diff-on-failure --from-ref ${{
            github.event.pull_request.base.sha }} --to-ref ${{
            github.event.pull_request.head.sha }}
        env:
          SKIP: go-mod-tidy,lint

  test:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 20 days ago

The best way to fix the problem is to explicitly add a permissions block to restrict the default permissions of the GITHUB_TOKEN for the affected job(s). In this case, we should add permissions: { contents: read } to the pre-commit job in the reusable-build.yaml workflow (directly beneath the name / runs-on keys for that job). This ensures the job only has read access to repository contents, which is sufficient for checkout and running pre-commit checks. No code needs to be changed elsewhere and functionality will not be affected since none of the steps write to the repository or require elevated privileges.


Suggested changeset 1
.github/workflows/reusable-build.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml
--- a/.github/workflows/reusable-build.yaml
+++ b/.github/workflows/reusable-build.yaml
@@ -53,6 +53,8 @@
   pre-commit:
     name: Pre-Commit
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
EOF
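Review bot: a job-level `permissions` on `pre-commit` only clears the alert for that one job; the Build, Lint and Test jobs excerpted above keep the default token, so this hunk on its own leaves three of the four findings open. A single root-level `contents: read` (as in the other suggestions) is the simpler fix here, with job-level blocks reserved for a job that genuinely needs a different scope. Keeping this job-level block alongside a root-level one is harmless but redundant, since both grant the same `contents: read`.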
Comment on lines +86 to +105
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref }}

      - name: Setup Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
        with:
          go-version: 1.24.x

      - name: set env vars
        run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH

      - name: Test
        if: runner.os == 'Linux'
        run: make test

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 20 days ago

To fix the problem, add an explicit permissions block at the root of the workflow YAML file. Specify contents: read as the minimal required permission for these jobs, since none of them appear to need write access or elevated privileges. This change should be made at the top level of .github/workflows/reusable-build.yaml, ideally just after the name: and before the on: block, to set the default for all jobs. No changes to existing functionality or step logic are needed, and no imports or external references are required.


Suggested changeset 1
.github/workflows/reusable-build.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml
--- a/.github/workflows/reusable-build.yaml
+++ b/.github/workflows/reusable-build.yaml
@@ -1,4 +1,6 @@
 name: Build
+permissions:
+  contents: read
 
 on:
   workflow_call:
EOF
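Review bot: this hunk is byte-for-byte the same as the second suggestion (same `@@ -1,4 +1,6 @@` header and same added lines), so applying it after either earlier root-level patch will either fail to apply or duplicate the key. One root-level block is all that is needed; since CodeQL raises one alert per job, all four alerts should clear on the next scan once that single block is in, so re-run code scanning instead of applying one patch per alert.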
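The four CodeQL alerts above are the same rule applied once per job: a job is flagged when neither it nor the workflow root declares a `permissions` block for GITHUB_TOKEN. The following checker is an added example, not code from this PR or from the Pomerium project, that reproduces that check over a workflow file so a reviewer can confirm which of the suggested patches actually clears every alert. It assumes two-space-indented workflow YAML like the file on this page and uses a line-based scan instead of a YAML library; the embedded workflow is a constructed sample modelled on the reusable-build.yaml excerpts above, with the job-level block from the third suggestion already on the pre-commit job.

```python
"""Reproduce CodeQL's "Workflow does not contain permissions" check without a YAML library.

Assumptions (this is an added example, not the CodeQL query itself):
  * workflow files use consistent two-space indentation, as on this page;
  * job ids sit one level under `jobs:` and job keys one level under the job id.
"""
from dataclasses import dataclass


@dataclass
class JobReport:
    job: str
    scope: str    # "job", "workflow" or "none"
    setting: str  # permissions value as written, block form collapsed to {k: v, ...}

    @property
    def ok(self) -> bool:
        # Acceptable only if some block applies and it is not the blanket write-all.
        return self.scope != "none" and self.setting != "write-all"


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _permissions_value(lines, idx):
    """Summarise the `permissions` key at lines[idx]; scalar and flow forms are kept verbatim."""
    value = lines[idx].strip()[len("permissions:"):].strip()
    if value:
        return value
    base = _indent(lines[idx])
    entries = []
    for line in lines[idx + 1:]:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if _indent(line) <= base:      # left the nested mapping
            break
        entries.append(line.strip())
    return "{" + ", ".join(entries) + "}" if entries else "{}"


def audit_workflow(text):
    """Return one JobReport per job, resolving job-level before workflow-level permissions."""
    lines = text.splitlines()
    root_setting = None
    reports = []
    in_jobs = False
    job_indent = None   # indentation of job ids under `jobs:`
    key_indent = None   # indentation of keys inside the current job
    for idx, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = _indent(line)
        if indent == 0:                 # top-level key
            in_jobs = stripped == "jobs:"
            if stripped.startswith("permissions:"):
                root_setting = _permissions_value(lines, idx)
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent and stripped.endswith(":"):   # a new job id
            reports.append(JobReport(stripped[:-1], "none", ""))
            key_indent = None
            continue
        if not reports:
            continue
        if key_indent is None:
            key_indent = indent
        if indent == key_indent and stripped.startswith("permissions:"):
            reports[-1].scope = "job"
            reports[-1].setting = _permissions_value(lines, idx)
    for report in reports:              # inherit the root block where no job block exists
        if report.scope == "none" and root_setting is not None:
            report.scope, report.setting = "workflow", root_setting
    return reports


def findings(text):
    """Job ids that would raise the alert (no effective block) or that grant write-all."""
    return [r.job for r in audit_workflow(text) if not r.ok]


# Constructed sample: the page's reusable workflow before any root-level patch,
# with the job-level block from the pre-commit suggestion already applied.
BEFORE = """\
name: Build

on:
  workflow_call:
    inputs:
      ref:
        type: string

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          ref: ${{ inputs.ref }}
      - name: Build
        run: make build
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - run: make envoy
  pre-commit:
    name: Pre-Commit
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Pre-Commit
        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - run: make test
"""

# The same file with the root-level `permissions: contents: read` from the first suggestion.
AFTER = BEFORE.replace("name: Build\n\non:", "name: Build\n\npermissions:\n  contents: read\n\non:", 1)

if __name__ == "__main__":
    print("before:", findings(BEFORE))   # build, lint, test still rely on the default token
    print("after: ", findings(AFTER))    # every job now resolves to an explicit block
```

Running it shows that the job-level patch alone leaves build, lint and test flagged, while a single root-level block resolves every job; the checker also treats `permissions: write-all` as a finding, since that form silences the rule without reducing the token's scope.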
@calebdoxsey calebdoxsey closed this Nov 4, 2025
@calebdoxsey calebdoxsey deleted the cdoxsey/improvements branch November 4, 2025 01:06