Reference implementation #20
…in entry in package.json
…d add-insights
- Create flaky.test.ts with 6 new tests (100% coverage)
- Add type filtering tests to filter.test.ts (improve to 91.66% statements, 100% functions)
- Add file not found and invalid JSON tests to validate.test.ts (improve branch coverage)
- Add edge case tests to add-insights.test.ts for error handling
Total tests increased from 57 to 70 (13 new tests)
Overall statement coverage improved from 51.99% to 61.73%
Function coverage improved from 69.23% to 84.61%
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20.19.0" | ||
| cache: "npm" | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Type check | ||
| run: npx tsc --noEmit | ||
|
|
||
| - name: Run linter | ||
| run: npm run lint:check | ||
|
|
||
| - name: Check formatting | ||
| run: npm run format:check | ||
|
|
||
| security: |
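Review bot: the `lint` job shown here, and the `security` job that begins at `security:`, declare no `permissions:` block, so the GITHUB_TOKEN each receives falls back to the repository's default token scopes even though every step (checkout, `npx tsc --noEmit`, `npm run lint:check`, `npm run format:check`) only reads the checkout and runs local commands; a single workflow-level `permissions: contents: read` is enough to cover both, and any job that later needs more should widen its own block rather than the workflow default.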
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
To fix this, explicitly define a permissions block so that the GITHUB_TOKEN used by jobs has only the minimal required scopes. The lint and security jobs only read the code and run local commands, so contents: read is sufficient. The test job uses ctrf-io/github-test-reporter@v1 with github-report: true and similar options; such reporting actions typically need to read PRs and statuses and may need to write a PR comment or summary. A conservative and still least-privilege choice is to give that job contents: read and pull-requests: write (enough to post PR comments) while keeping other scopes absent.
The single best way with minimal functional change is:
- Add a top-level `permissions: contents: read` so that all jobs default to read-only repository access.
- Override for the `test` job with a job-level `permissions` block that grants `contents: read` and `pull-requests: write`. This keeps `lint` and `security` as read-only, and gives `test` exactly what it likely needs for GitHub reporting.
All changes are confined to .github/workflows/main.yaml by inserting the new permissions blocks without altering any existing steps.
| @@ -4,8 +4,14 @@ | ||
| push: | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| test: | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| runs-on: ubuntu-latest | ||
|
|
||
| strategy: |
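Review bot: the job-level `permissions:` on `test` replaces the workflow-level block rather than merging with it, so repeating `contents: read` there is required and correct, but `pull-requests: write` is granted on an assumption about what ctrf-io/github-test-reporter needs; confirm against the reporter's documented requirements before widening the token, and note that on `pull_request` runs from forks the GITHUB_TOKEN is read-only regardless of this block, so the reporting step should tolerate a rejected comment rather than fail the job.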
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Install dependencies | ||
| run: npm install | ||
| - name: Build | ||
| run: npx tsc | ||
| - name: Merge | ||
| run: npx ctrf-cli merge test-reports | ||
| - name: Flaky | ||
| run: npx ctrf-cli flaky test-reports/ctrf-report-one.json | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20.19.0" | ||
| cache: "npm" | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run security audit | ||
| run: npm audit --audit-level=moderate | ||
|
|
||
| - name: Check for known vulnerabilities | ||
| run: npx audit-ci --moderate | ||
|
|
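Review bot: `run: npm install` in the build/test steps above differs from `run: npm ci` in the security job; `npm install` may resolve and rewrite package-lock.json, so the tree that gets audited by `npm audit --audit-level=moderate` and `npx audit-ci --moderate` is not guaranteed to be the tree that was built and tested. Use `npm ci` in both places so the lockfile is honoured, and if audit-ci (and ctrf-cli) are not declared in package.json, add them as devDependencies so `npx` runs the locked version instead of whatever the registry currently serves.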
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
In general, the fix is to explicitly declare a permissions block for the workflow or each job so that the GITHUB_TOKEN has only the minimal capabilities required. Since all jobs in this workflow only need to read repository contents and use Actions, we can safely set permissions: contents: read at the workflow root, which will apply to all jobs. If at some point a job needs additional scopes (for example, checks: write or pull-requests: write), it can override or extend permissions at the job level.
The best minimal change here is to add a workflow‑level permissions block directly under the name: Build and Test line in .github/workflows/main.yaml. Based on the current steps, contents: read is sufficient: all interactions with GitHub (checkout, reading code, reading existing artifacts) only require read access; the third‑party reporter action typically only needs to post check results or summaries via the provided token, which many implementations can do with contents: read plus the default checks/reporting behavior granted by GitHub when contents: read is set (if a future failure indicates it needs e.g. checks: write, that can be added then). No additional imports or methods are required, just the YAML change.
Concretely:
- Edit .github/workflows/main.yaml.
- Insert a `permissions:` block after line 1 (name: Build and Test) with `contents: read`.
- Leave the rest of the workflow unchanged.
| @@ -1,4 +1,6 @@ | ||
| name: Build and Test | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
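Review bot: this suggestion inserts the workflow-level `permissions: contents: read` directly after `name: Build and Test`, while the other autofix on this PR inserts an equivalent block after `pull_request:` and adds a job-level grant on `test`; both target .github/workflows/main.yaml, so apply only one of them, and keep the job-level `pull-requests: write` only if the reporter action is confirmed to need it.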
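The two CodeQL findings above both fire on the same condition: a job that has neither its own `permissions:` block nor a workflow-level default. The following checker reproduces that condition over the workflow shapes seen in this PR and additionally lists the write grants a reviewer should justify. It is an added example, not code from this PR or from the ctrf project; the two sample workflows are constructed to mirror the before/after shapes in the autofix diffs, the function names are the example's own, and the scan assumes the conventional two-space YAML indentation used in main.yaml rather than a full YAML parser.

```python
"""Detect GitHub Actions jobs that run without an explicit `permissions:` block.

Added example for the CodeQL finding "Workflow does not contain permissions";
not code from this PR or the ctrf project. It uses a small indentation-based
scan (assumed two-space YAML layout, as in main.yaml here) instead of a YAML
library so it runs with the standard library only.
"""
import re
from typing import Any, Dict, List, Optional

# Constructed sample mirroring the workflow shape before the autofix:
# no permissions block at workflow or job level.
BEFORE = """\
name: Build and Test

on:
  push:
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  lint:
    runs-on: ubuntu-latest
  security:
    runs-on: ubuntu-latest
    steps:
      - run: npm audit --audit-level=moderate
"""

# Constructed sample mirroring the shape after the first Copilot suggestion:
# read-only default for every job, an explicit widening only on `test`.
AFTER = """\
name: Build and Test

on:
  push:
  pull_request:

permissions:
  contents: read

jobs:
  test:
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
  lint:
    runs-on: ubuntu-latest
  security:
    runs-on: ubuntu-latest
"""

# Matches a YAML mapping key at the start of a line; list items ("- uses: ...")
# deliberately do not match, since they never carry a permissions block.
KEY_RE = re.compile(r"^( *)([A-Za-z0-9_.-]+):")


def scan_permissions(workflow_text: str) -> Dict[str, Any]:
    """Report the workflow-level block, each job's own scopes, and jobs left on the default token."""
    workflow_level = False
    jobs: Dict[str, Optional[List[str]]] = {}   # job id -> job-level scopes, None if absent
    section: Optional[str] = None               # current top-level key
    job: Optional[str] = None
    in_job_perms = False
    for raw in workflow_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(raw)
        if m is None:
            continue
        indent, key = len(m.group(1)), m.group(2)
        rest = raw[m.end():].strip()            # inline value, e.g. "read-all"
        if indent == 0:
            section, job, in_job_perms = key, None, False
            workflow_level = workflow_level or key == "permissions"
            continue
        if section != "jobs":
            continue
        if indent == 2:                          # a job id such as `test:`
            job, in_job_perms = key, False
            jobs[job] = None
        elif indent == 4 and job is not None:    # a key inside the job
            in_job_perms = key == "permissions"
            if in_job_perms:
                jobs[job] = [rest] if rest else []
        elif in_job_perms and indent > 4:        # a scope line under the job's block
            jobs[job].append(f"{key}: {rest}")
    # CodeQL's rule fires for a job that has neither its own block nor a workflow default.
    missing = [] if workflow_level else [name for name, scopes in jobs.items() if scopes is None]
    return {"workflow_level": workflow_level, "jobs": jobs, "jobs_without_permissions": missing}


def write_scopes(result: Dict[str, Any]) -> Dict[str, List[str]]:
    """List the write grants per job; these are the ones a reviewer should justify."""
    return {
        name: [s for s in scopes if "write" in s]
        for name, scopes in result["jobs"].items()
        if scopes and any("write" in s for s in scopes)
    }


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        report = scan_permissions(text)
        print(label, "missing:", report["jobs_without_permissions"], "write:", write_scopes(report))
```

Run against the "before" sample it reports all three jobs as missing a permissions block; against the "after" sample it reports none and surfaces `pull-requests: write` on `test` as the one grant that needs a justification. Because a job-level block replaces the workflow default entirely, the checker records a job's scopes only from its own block, which is also why `contents: read` has to be repeated inside `test`.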
| import fs from 'fs' | ||
| import path from 'path' | ||
| import os from 'os' | ||
| import { ReportBuilder, TestBuilder, addInsights, stringify, parse } from 'ctrf' |
| import { | ||
| ReportBuilder, | ||
| TestBuilder, | ||
| filterTests, | ||
| isCTRFReport, | ||
| stringify, | ||
| parse, | ||
| } from 'ctrf' |
| import { | ||
| ReportBuilder, | ||
| TestBuilder, | ||
| generateReportId, | ||
| stringify, | ||
| parse, | ||
| } from 'ctrf' |
| import { | ||
| ReportBuilder, | ||
| TestBuilder, | ||
| generateTestId, | ||
| stringify, | ||
| parse, | ||
| } from 'ctrf' |
| import { | ||
| ReportBuilder, | ||
| TestBuilder, | ||
| validate, | ||
| isCTRFReport, | ||
| stringify, | ||
| parse, | ||
| } from 'ctrf' |
No description provided.