repo: CI workflow cleanup and repository configuration alignment #48
chrismaz11 wants to merge 2 commits into master from
Conversation
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 22 | ||
| cache: npm | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Compile contracts | ||
| run: npm run build:contracts |
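Review bot: both uses: lines reference mutable major-version tags (actions/checkout@v6, actions/setup-node@v6); for a job that runs on pull requests, pin each action to a full commit SHA with the tag kept in a trailing comment, so a moved tag cannot change what executes in CI. The job also declares no permissions: block, so GITHUB_TOKEN falls back to the repository default; a root-level permissions: with contents: read covers checkout, npm ci and the build step shown here.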
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 days ago
In general, the fix is to add an explicit permissions: block that grants only the minimal required scopes for GITHUB_TOKEN. For a build-only workflow that just checks out the repo and installs/builds code, contents: read is sufficient.
The best minimal, non-functional-change fix here is to add a root-level permissions: block under the workflow name: and on: section (or immediately after on:) to apply to all jobs (currently just contracts-build). We will set contents: read, which allows checkout and read access but prevents unintended writes. No additional imports or methods are needed since this is YAML configuration only.
Concretely, in .github/workflows/contracts-ci.yml, insert:
permissions:
  contents: read
at the workflow root, between the on: block (ending at line 14) and the jobs: key (line 16). This documents the permissions and ensures the workflow does not accidentally inherit broader defaults.
| @@ -13,6 +13,9 @@ | ||
| - "packages/contracts/**" | ||
| - ".github/workflows/contracts-ci.yml" | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| contracts-build: | ||
| runs-on: ubuntu-latest |
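Review bot: contents: read at the root is the right scope for contracts-build, which only checks out and builds. Any job added later that needs to write (for example pull-requests: write to post a comment) should declare its own job-level permissions: block rather than widening this root block, so the build job keeps a read-only token.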
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 22 | ||
|
|
||
| - name: Run messaging guardrail check | ||
| run: npm run messaging:check |
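Review bot: the steps go from Setup Node.js straight to run: npm run messaging:check with no install step, so if messaging:check resolves to anything that needs node_modules it fails before the check runs; either add an Install dependencies step (npm ci) as contracts-ci.yml does, or document that the check is a plain shell script with no package dependencies. As in the other workflow, actions/checkout@v6 and actions/setup-node@v6 are mutable tags and should be pinned to a commit SHA.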
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 days ago
To fix this, explicitly limit the GITHUB_TOKEN permissions in the workflow to the minimum needed. This job only needs to read repository contents to check out code and run an npm script, so we can safely set contents: read at the workflow root. Adding a top-level permissions block applies to all jobs that do not override it, matching current behavior but with explicit least-privilege settings.
Concretely, in .github/workflows/messaging-guardrails.yml, add a permissions: section near the top-level, alongside name: and on:. For this workflow, a minimal and appropriate block is:
permissions:
  contents: read
No other changes, imports, or new definitions are required, and existing functionality remains the same while documenting and constraining token permissions.
| @@ -1,5 +1,8 @@ | ||
| name: TrustSignal Messaging Guardrails | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths: |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f06e381ce5
| run: npm ci | ||
|
|
||
| - name: Compile contracts | ||
| run: npm run build:contracts |
Replace undefined build:contracts invocation
This job runs npm run build:contracts, but the repository scripts do not define build:contracts in package.json, so the workflow fails immediately with “Missing script” whenever it is triggered instead of compiling contracts. Please either add that script at the root or invoke the workspace build command directly.
| node-version: 22 | ||
|
|
||
| - name: Run messaging guardrail check | ||
| run: npm run messaging:check |
Replace undefined messaging:check invocation
The workflow executes npm run messaging:check, but no messaging:check script exists in the repo’s package.json, so this guardrail job will fail on every matching PR with a missing-script error. Add the script or run the shell check script directly so the workflow can actually validate messaging.
| FILES=( | ||
| "$ROOT/README.md" | ||
| "$ROOT/USER_MANUAL.md" | ||
| "$ROOT/apps/web/src/app" |
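Review bot: the FILES array mixes two explicit files with a directory ("$ROOT/apps/web/src/app"), so whatever consumes it must expand directories recursively and should fail loudly when an entry such as USER_MANUAL.md is missing, otherwise the scan silently shrinks and a clean run proves nothing.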
Add docs tree to messaging scan inputs
This checker claims to validate public-facing messaging, but its FILES list omits docs/** even though the workflow is configured to run on docs changes, so risky claims introduced in docs can pass without detection. Include the docs directory in the scan targets (or drop docs from workflow triggers) to avoid this false-negative path.
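An added shell example, not the repository's own messaging:check script, showing a scan that expands both explicit files and directories, includes docs/ as the comment asks, and fails when a planted claim appears; the banned-phrase list, the fixture and every file name beyond those in the hunk are constructed here.

```shell
#!/bin/sh
# Added example, not the repository's own messaging:check script.
# Builds the scan set from explicit files AND directories (including docs/),
# then greps every target for a constructed list of risky claims.
# The banned phrases and the fixture below are made up for this example.

collect_targets() {
  # Arguments are files or directories; prints each regular .md/.ts/.tsx file.
  # A missing entry is reported on stderr so the scan never silently shrinks.
  for p in "$@"; do
    if [ -d "$p" ]; then
      find "$p" -type f \( -name '*.md' -o -name '*.ts' -o -name '*.tsx' \)
    elif [ -f "$p" ]; then
      printf '%s\n' "$p"
    else
      echo "warning: scan target not found: $p" >&2
    fi
  done
}

messaging_check() {
  # $1 is the repo root. Returns 0 when no target matches, 1 otherwise.
  root="$1"
  pattern='guaranteed|100% secure|unhackable'   # constructed phrase list
  hits=0
  # One target per line; paths with whitespace are not expected in this tree.
  for f in $(collect_targets "$root/README.md" "$root/USER_MANUAL.md" \
                             "$root/apps/web/src/app" "$root/docs"); do
    if grep -Eni "$pattern" "$f"; then hits=$((hits + 1)); fi
  done
  [ "$hits" -eq 0 ]
}

make_fixture() {
  # Constructed sample tree: the only risky claim sits in docs/, the path the
  # original FILES list did not cover.
  tmp=$(mktemp -d)
  mkdir -p "$tmp/docs" "$tmp/apps/web/src/app"
  printf 'TrustSignal helps teams assess risk.\n' > "$tmp/README.md"
  printf 'See the docs.\n' > "$tmp/USER_MANUAL.md"
  printf 'export const tagline = "signals, not promises";\n' > "$tmp/apps/web/src/app/page.tsx"
  printf 'Our platform is unhackable.\n' > "$tmp/docs/claims.md"
  printf '%s\n' "$tmp"
}

# Stand-alone run: the planted docs/ claim must be caught.
fx=$(make_fixture)
if messaging_check "$fx"; then echo "MISSED claim in docs/"; else echo "caught claim in docs/"; fi
```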
Standardizes CI workflows, repository configuration, and guardrail scripts to better align automation and validation with the current TrustSignal architecture.