| runs-on: ubuntu-latest | ||
| strategy: | ||
| max-parallel: 1 | ||
| matrix: | ||
| distribution: ["zulu", "temurin"] | ||
| java: ["8", "17"] | ||
| name: Java ${{ matrix.java }} (${{ matrix.distribution }}) | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: sdk-gen | ||
| - name: Setup Java | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| distribution: ${{ matrix.distribution }} | ||
| java-version: ${{ matrix.java }} | ||
| cache: "gradle" | ||
| - name: All Tests | ||
| env: | ||
| JWT_CONFIG_BASE_64: ${{ secrets.JWT_CONFIG_BASE_64 }} | ||
| ADMIN_USER_ID: ${{ secrets.ADMIN_USER_ID }} | ||
| CLIENT_ID: ${{ secrets.CLIENT_ID }} | ||
| CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }} | ||
| USER_ID: ${{ secrets.USER_ID }} | ||
| ENTERPRISE_ID: ${{ secrets.ENTERPRISE_ID }} | ||
| BOX_FILE_REQUEST_ID: ${{ secrets.BOX_FILE_REQUEST_ID }} | ||
| BOX_EXTERNAL_USER_EMAIL: ${{ secrets.BOX_EXTERNAL_USER_EMAIL }} | ||
| BOX_EXTERNAL_USER_ID: ${{ secrets.BOX_EXTERNAL_USER_ID }} | ||
| APP_ITEM_ASSOCIATION_FILE_ID: ${{ secrets.APP_ITEM_ASSOCIATION_FILE_ID }} | ||
| APP_ITEM_ASSOCIATION_FOLDER_ID: ${{ secrets.APP_ITEM_ASSOCIATION_FOLDER_ID }} | ||
| WORKFLOW_FOLDER_ID: ${{ secrets.WORKFLOW_FOLDER_ID }} | ||
| APP_ITEM_SHARED_LINK: ${{ secrets.APP_ITEM_SHARED_LINK }} | ||
| SLACK_AUTOMATION_USER_ID: ${{ secrets.SLACK_AUTOMATION_USER_ID }} | ||
| SLACK_ORG_ID: ${{ secrets.SLACK_ORG_ID }} | ||
| SLACK_PARTNER_ITEM_ID: ${{ secrets.SLACK_PARTNER_ITEM_ID }} | ||
| run: ./gradlew check --stacktrace | ||
| - name: Coverage | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: ./gradlew jacocoTestReport coverallsJacoco | ||
| notify: |
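Review bot: `uses: actions/checkout@v4` and `uses: actions/setup-java@v4` are referenced by mutable tag in the same job whose All Tests step exports sixteen repository secrets as environment variables. Consider pinning both actions to a full commit SHA, keeping the tag as a trailing comment, so that a moved tag cannot change what runs in a job that holds those credentials.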
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To address the issue, you should explicitly set the permissions block in your GitHub Actions workflow. This can be done at the workflow (top) level, which will apply to all jobs unless overridden, or at the individual job level if different jobs require different permissions. Since neither shown job appears to need write permissions, adding permissions: contents: read at the workflow level is both safe and sufficient. This will restrict the GITHUB_TOKEN to read-only permission for the repository contents (the minimal privilege for most workflows). Place this block immediately after the name and before the on: key at the top of the file. No additional YAML imports or definitions are required.
| @@ -1,4 +1,6 @@ | ||
| name: Build and Test daily (sdk-gen) | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| schedule: | ||
| - cron: "20 1 * * 1-5" |
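Review bot: Confirm that the Coverage step still works under the workflow-level `contents: read` added between `name:` and `on:`, since that step passes `GITHUB_TOKEN` to `./gradlew jacocoTestReport coverallsJacoco` and will now receive a read-only token. The Checkout step only needs read access to fetch `ref: sdk-gen`, so it is unaffected. Because a top-level block is the default for every job, declaring it on `build-and-test` instead would keep the grant next to the only job that uses the token.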
| name: Send Slack Notification | ||
| runs-on: ubuntu-latest | ||
| needs: [build-and-test] | ||
| if: always() | ||
| steps: | ||
| - name: Send Slack Notification | ||
| env: | ||
| SLACK_WEBHOOK_TEST_NOTIFICATION_URL: ${{ secrets.SLACK_WEBHOOK_TEST_NOTIFICATION_URL }} | ||
| BUILD_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | ||
| run: | | ||
| if [ "${{ needs.build-and-test }}" != "success" ]; then | ||
| STATUS="Failure ❌" | ||
| else | ||
| STATUS="Success ✅" | ||
| fi | ||
|
|
||
| curl -X POST -H "Content-Type: application/json" \ | ||
| --data "{\"text\":\"<${BUILD_URL}|Daily Tests Job> in *${GITHUB_REPOSITORY}* finished with status: ${STATUS}\"}" \ | ||
| "$SLACK_WEBHOOK_TEST_NOTIFICATION_URL |
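Review bot: The status test in the `run:` script compares `${{ needs.build-and-test }}` with "success", but `needs.<job_id>` is an object rather than a result string, so the comparison never matches and the message would report Failure on every run. Compare `${{ needs.build-and-test.result }}` instead, ideally passed in through `env:` like `BUILD_URL` rather than interpolated into the script body. Also check that the closing double quote after `$SLACK_WEBHOOK_TEST_NOTIFICATION_URL` on the last `curl` line is present in the file, as it is missing from the lines shown here.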
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To fix the problem, explicitly specify the minimal permissions the job requires by adding permissions: at the job level. In this case, the notify job does not use the GITHUB_TOKEN, nor does it need any API access, so the permissions: none value is appropriate. This line should be added in the job definition before any steps, typically immediately after runs-on: ubuntu-latest. Only .github/workflows/build-and-test-daily.yml is affected.
| @@ -48,6 +48,7 @@ | ||
| notify: | ||
| name: Send Slack Notification | ||
| runs-on: ubuntu-latest | ||
| permissions: none | ||
| needs: [build-and-test] | ||
| if: always() | ||
| steps: |
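Review bot: `permissions: none` on the `notify` job uses a scalar that the workflow syntax does not document for the whole token; the documented whole-token scalars are `read-all` and `write-all`, while `none` is a value for an individual scope. To remove every scope from this job, write `permissions: {}` in the same position after `runs-on: ubuntu-latest`, and verify that the workflow still parses before merging.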
Pull Request Test Coverage Report for Build #4822
💛 - Coveralls
Pull Request Test Coverage Report for Build #4813
💛 - Coveralls
Pull Request Test Coverage Report for Build #4815
💛 - Coveralls
Pull Request Test Coverage Report for Build #4812
💛 - Coveralls
Pull Request Test Coverage Report for Build #4814
💛 - Coveralls
Looks like we don't need to adjust coveralls, as it should report coverage of the currently checked-out branch locally (tested locally - https://coveralls.io/github/box/box-java-sdk-gen?branch=test-branch)