Jm test1 - Is dev any different? #154
base: dev
…er docs Changed "Windows 10" to "Windows" in remoteworkdelivery section to keep messaging simple and future-proof. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
| determine-environment: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| environment: ${{ steps.set-env.outputs.environment }} | ||
| steps: | ||
| - name: Determine environment | ||
| id: set-env | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | ||
| echo "environment=${{ github.event.inputs.environment }}" >> $GITHUB_OUTPUT | ||
| elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then | ||
| echo "environment=production" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "environment=development" >> $GITHUB_OUTPUT | ||
| fi | ||
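Review bot: the Determine environment step expands `${{ github.event.inputs.environment }}` directly into the `run:` script, so whatever string is supplied at dispatch time lands in `$GITHUB_OUTPUT` unvalidated and then selects the `environment:` of the deploy job. The trigger is workflow_dispatch, so supplying it is limited to users who can dispatch the workflow, but the safer pattern is still to pass the value through `env:` (for example `ENV_INPUT: ${{ github.event.inputs.environment }}`) and reference `"$ENV_INPUT"` in the script, and to reject anything other than the expected names (development, production) before writing it out. The job also declares no `permissions:` block, which is what the CodeQL warning on this hunk reports.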
Check warning
Code scanning / CodeQL
Workflow does not contain permissions
Copilot Autofix
AI 2 months ago
The optimal fix is to add an explicit permissions: block restricting GITHUB_TOKEN scopes for the jobs that do not already have one, or at the workflow root to cover all jobs by default. For this workflow, the build job already has permissions: contents: read, but the determine-environment job is missing a permissions block. Since determine-environment only runs shell checks and sets an output, it should receive the absolute minimal permissions, typically contents: read. Optionally, if even read access is not needed, you may set all permissions to none, but contents: read is the standard minimal value. To ensure all future jobs are also limited by default, you may also add a workflow root-level permissions: block, but for this fix, we will add a minimal permissions block just for the flagged job.
Edit .github/workflows/build-and-deploy.yml and add
permissions:
  contents: read
under the determine-environment: job (line 21), e.g., right after runs-on: before outputs:.
| @@ -19,6 +19,8 @@ | ||
| jobs: | ||
| determine-environment: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| environment: ${{ steps.set-env.outputs.environment }} | ||
| steps: |
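Review bot: `contents: read` is still more than determine-environment uses; the job checks out nothing and only writes to `$GITHUB_OUTPUT`, so `permissions: {}` is the tighter value. The autofix text above also offers setting all permissions to `none`, but `none` is only a per-scope value (`contents: none`); a whole-block `permissions: none` is not valid syntax, and `{}` is the spelling for no token scopes at all. Putting the block at the workflow root rather than on one job would also cover jobs added later, which otherwise inherit the repository default.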
| deploy: | ||
| runs-on: ubuntu-latest | ||
| needs: [build, determine-environment] | ||
| environment: ${{ needs.determine-environment.outputs.environment }} | ||
|
|
||
| steps: | ||
| - name: Download build artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: build-output | ||
| path: build/ | ||
|
|
||
| - name: Install azcopy | ||
| run: | | ||
| wget -O azcopy.tar.gz https://aka.ms/downloadazcopy-v10-linux | ||
| tar -xf azcopy.tar.gz --strip-components=1 | ||
| sudo mv azcopy /usr/local/bin/ | ||
| azcopy --version | ||
| - name: Install Azure CLI | ||
| run: | | ||
| if ! command -v az &> /dev/null; then | ||
| curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash | ||
| fi | ||
| az version | ||
| - name: Upload to Azure Blob Storage with AzCopy and comprehensive MIME types | ||
| run: | | ||
| echo "Deploying to ${{ needs.determine-environment.outputs.environment }} environment" | ||
| echo "Starting high-performance sync of changed files with proper MIME types..." | ||
| # Create SAS token for azcopy (using account key) | ||
| end_date=$(date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ') | ||
| sas_token=$(az storage container generate-sas \ | ||
| --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} \ | ||
| --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} \ | ||
| --name '$web' \ | ||
| --permissions dlrw \ | ||
| --expiry $end_date \ | ||
| --output tsv) | ||
| azcopy sync "./build/" \ | ||
| "https://${{ secrets.STORAGE_ACCOUNT_NAME }}.blob.core.windows.net/\$web?$sas_token" \ | ||
| --delete-destination=true \ | ||
| --compare-hash=MD5 \ | ||
| --log-level=INFO \ | ||
| --cap-mbps=0 \ | ||
| --block-size-mb=4 | ||
| echo "Sync completed!" | ||
| - name: Set MIME types for all file types | ||
| run: | | ||
| echo "Setting MIME types for all file types..." | ||
| # Web files | ||
| echo "Setting MIME types for web files..." | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.css" --content-type "text/css" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.js" --content-type "application/javascript" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.mjs" --content-type "application/javascript" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.json" --content-type "application/json" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.html" --content-type "text/html" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.htm" --content-type "text/html" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.xml" --content-type "application/xml" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.txt" --content-type "text/plain" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| # Images | ||
| echo "Setting MIME types for images..." | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.png" --content-type "image/png" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.jpg" --content-type "image/jpeg" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.jpeg" --content-type "image/jpeg" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.gif" --content-type "image/gif" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.webp" --content-type "image/webp" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.svg" --content-type "image/svg+xml" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.ico" --content-type "image/x-icon" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| # Fonts | ||
| echo "Setting MIME types for fonts..." | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.woff" --content-type "font/woff" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.woff2" --content-type "font/woff2" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.ttf" --content-type "font/ttf" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| az storage blob update-batch --account-name ${{ secrets.STORAGE_ACCOUNT_NAME }} --account-key ${{ secrets.STORAGE_ACCOUNT_KEY }} --source '$web' --pattern "*.otf" --content-type "font/otf" --if-unmodified-since "1970-01-01T00:00:00Z" --no-progress || true | ||
| echo "All MIME types set successfully!" | ||
| - name: Purge CDN endpoint (if configured) | ||
| run: | | ||
| if [[ -n "${{ secrets.CDN_ENDPOINT_NAME }}" ]] && [[ -n "${{ secrets.CDN_PROFILE_NAME }}" ]] && [[ -n "${{ secrets.CDN_RESOURCE_GROUP }}" ]]; then | ||
| echo "Note: CDN purge requires Azure login. Skipping CDN purge when using storage key authentication." | ||
| echo "To use CDN purge, you'll need to use Azure AD authentication or purge CDN manually." | ||
| else | ||
| echo "CDN configuration not found, skipping CDN purge." | ||
| fi | ||
| - name: Display deployment URL | ||
| run: | | ||
| echo "🚀 Deployment complete!" | ||
| echo "Environment: ${{ needs.determine-environment.outputs.environment }}" | ||
| echo "URL: https://${{ secrets.STORAGE_ACCOUNT_NAME }}.z13.web.core.windows.net" | ||
| if [[ -n "${{ secrets.CUSTOM_DOMAIN }}" ]]; then | ||
| echo "Custom Domain: ${{ secrets.CUSTOM_DOMAIN }}" | ||
| fi |
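Review bot: the deploy job authenticates everything with the long-lived `STORAGE_ACCOUNT_KEY` secret, passed inline to `az storage container generate-sas` and to every `az storage blob update-batch` call, and the Purge CDN step itself records that this choice is why the CDN purge is skipped; signing in with azure/login using OIDC federated credentials would remove the account key from repository secrets, allow a user delegation SAS tied to that short-lived identity, and make the CDN purge possible. Two smaller points: the azcopy tarball and the Azure CLI installer are fetched from redirect URLs and run unverified (`curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash`), so pin a release and check a hash; and `--if-unmodified-since "1970-01-01T00:00:00Z"` asks the service to update only blobs not modified since 1970, a condition no freshly synced blob satisfies, while the trailing `|| true` hides the resulting precondition failures, so confirm the MIME-type step is actually taking effect.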
Check warning
Code scanning / CodeQL
Workflow does not contain permissions
Copilot Autofix
AI 2 months ago
General Fix:
Explicitly add a permissions: block to the top-level workflow or to the deploy job specification. The block should be as restrictive as possible, granting only the permissions required for the job (ideally, contents: read as a minimum starting point unless more are needed—none of the workflow’s steps in deploy appear to require even contents: read, so we could safely set it to none).
Best Single Fix:
Add a permissions: contents: read (or, more restrictively, permissions: none) block to the deploy job, just below runs-on: ubuntu-latest and above steps: (i.e. below line 101 and above line 105). This confines the GITHUB_TOKEN scope for this job, aligning it with least-privilege security best practices.
Exact Lines to Change:
Edit .github/workflows/build-and-deploy.yml:
Add the following after line 101 (or after line 104 if we want it at the same level as steps):
permissions:
  contents: read
Alternatively, use permissions: {} or permissions: none if no permissions are needed (since the job only uses externally provided secrets and not the GITHUB_TOKEN).
| @@ -101,6 +101,8 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: [build, determine-environment] | ||
| environment: ${{ needs.determine-environment.outputs.environment }} | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Download build artifact |
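Both CodeQL findings on this PR come down to jobs that declare no `permissions:` key, the condition the two autofix notes above describe; the check below scans a workflow for such jobs. It is an added example, not code from this repository or from the CodeQL or Copilot tooling: `SAMPLE_WORKFLOW` is constructed from the job skeletons visible in the diff, and the scan assumes the 2-space indentation this workflow uses rather than a full YAML parse.

```python
"""Report GitHub Actions jobs with no explicit GITHUB_TOKEN permissions block
(what CodeQL flags as "Workflow does not contain permissions"). 2-space YAML assumed."""

# Constructed sample: job skeletons from this PR's diff, trimmed to the keys that matter.
SAMPLE_WORKFLOW = """\
on: [push, workflow_dispatch]
jobs:
  determine-environment:
    runs-on: ubuntu-latest
    steps:
      - run: echo "environment=development" >> $GITHUB_OUTPUT
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
"""

def jobs_missing_permissions(text):
    """Names of jobs with no job-level 'permissions:' key. A root-level
    'permissions:' block covers every job, so the result is then empty."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if any(l.startswith("permissions:") for l in lines):
        return []
    missing, in_jobs, current, covered = [], False, None, False
    for line in lines:
        depth = len(line) - len(line.lstrip(" "))
        starts_job = in_jobs and depth == 2 and line.rstrip().endswith(":")
        if (depth == 0 or starts_job) and current and not covered:
            missing.append(current)  # previous job ended without a permissions key
        if depth == 0:  # new top-level key; only 'jobs:' opens the job section
            in_jobs, current, covered = line.startswith("jobs:"), None, False
        elif starts_job:
            current, covered = line.strip()[:-1], False
        elif in_jobs and depth == 4 and line.strip().startswith("permissions:"):
            covered = True
    if current and not covered:
        missing.append(current)
    return missing

if __name__ == "__main__":
    for job in jobs_missing_permissions(SAMPLE_WORKFLOW):
        print(f"job '{job}' has no permissions block; GITHUB_TOKEN keeps the repository default")
```

Run against the sample it reports determine-environment and deploy, the two jobs CodeQL flagged, and nothing once a root-level `permissions:` block is present.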
the rest of changes seem fine, but wondering why are we changing the workflow in this PR?
Is this change intended on the build and deploy workflow?
Curious where this change is coming from or whether automatic?