Release/v4.0.0 #1
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - name: Setup .NET | ||
| uses: actions/setup-dotnet@v3 | ||
| with: | ||
| dotnet-version: 9.0.x | ||
| - name: Restore dependencies | ||
| run: dotnet restore | ||
| - name: Build | ||
| run: dotnet build --no-restore | ||
| - name: Test | ||
| run: dotnet test --no-build --verbosity normal | ||
|
|
||
| run-Lint: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
To fix the issue, we will add a permissions block at the root level of the workflow to apply to all jobs. Since the workflow only performs read operations (e.g., checking out code, restoring dependencies, building, testing, and linting), we will set contents: read as the minimal required permission. This ensures that the GITHUB_TOKEN is restricted to read-only access to the repository contents.
| @@ -4,2 +4,4 @@ | ||
| name: master-build | ||
| permissions: | ||
| contents: read | ||
|
|
| runs-on: ubuntu-latest | ||
| env: | ||
| github-token: '${{ secrets.GITHUB_TOKEN }}' | ||
| steps: | ||
| - name: Step-01 Checkout code | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Step-02 Lint Code Base | ||
| uses: github/super-linter@v4 | ||
| env: | ||
| VALIDATE_ALL_CODEBASE: false | ||
| FILTER_REGEX_INCLUDE: .*src/.* | ||
| DEFAULT_BRANCH: master | ||
| GITHUB_TOKEN: '${{ env.github-token }}' |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
To fix the issue, we will add a permissions block to the workflow. Since the workflow only needs to read repository contents and does not perform any write operations, we will set contents: read at the workflow level. This will apply the minimal required permissions to all jobs in the workflow unless overridden by job-specific permissions blocks.
| @@ -4,2 +4,4 @@ | ||
| name: master-build | ||
| permissions: | ||
| contents: read | ||
|
|
| runs-on: ubuntu-latest | ||
| env: | ||
| github-token: '${{ secrets.GH_Packages }}' | ||
| steps: | ||
| - name: Step-01 Checkout code | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Step-02 Lint Code Base | ||
| uses: github/super-linter@v4 | ||
| env: | ||
| VALIDATE_ALL_CODEBASE: false | ||
| FILTER_REGEX_INCLUDE: .*src/.* | ||
| DEFAULT_BRANCH: master | ||
| GITHUB_TOKEN: '${{ env.github-token }}' | ||
| Build-Test: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
To fix the issue, we will add a permissions block at the root level of the workflow to define the minimum required permissions for all jobs. Additionally, we will add job-specific permissions blocks where necessary to grant additional permissions for specific tasks. Based on the workflow's steps:
- The
Run-Lintjob only requirescontents: readto check out the code and lint it. - The
Build-Testjob also only requirescontents: readfor building and testing the code. - The
Packagejob requirescontents: readandpackages: writeto publish packages to GitHub Packages.
| @@ -1,2 +1,4 @@ | ||
| name: PR-CI | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| @@ -11,2 +13,4 @@ | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| env: | ||
| @@ -27,2 +31,4 @@ | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| @@ -84,2 +90,5 @@ | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| outputs: |
.github/workflows/PR-CI.yml
Outdated
| runs-on: ubuntu-latest | ||
| outputs: | ||
| release_Version: ${{ steps.gitversion.outputs.MajorMinorPatch }} | ||
| beta_Version: ${{ steps.gitversion.outputs.nuGetVersion }} | ||
| branchName: ${{ steps.gitversion.outputs.branchName }} | ||
| env: | ||
| working-directory: /home/runner/work/Secure.SAML/Secure.SAML | ||
|
|
||
| steps: | ||
| - name: Step-01 Install GitVersion | ||
| uses: gittools/actions/gitversion/setup@v0.9.7 | ||
| with: | ||
| versionSpec: 5.x | ||
|
|
||
| - name: Step-02 Check out Code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Step-03 Calculate Version | ||
| id: gitversion | ||
| uses: gittools/actions/gitversion/execute@v0.9.7 | ||
| with: | ||
| useConfigFile: true | ||
|
|
||
| - name: Step-04 Install .NET | ||
| uses: actions/setup-dotnet@v3 | ||
| with: | ||
| dotnet-version: 9.0.x | ||
|
|
||
| - name: Step-05 Restore dependencies | ||
| run: dotnet restore | ||
| working-directory: '${{ env.working-directory }}' | ||
|
|
||
| - name: Step-06 Build Version (Beta) | ||
| if: ${{ !startsWith(github.head_ref, 'release/')}} | ||
| run: dotnet build --configuration Release --no-restore -p:PackageVersion=${{ steps.gitversion.outputs.nuGetVersion }} | ||
| working-directory: '${{ env.working-directory }}' | ||
|
|
||
| - name: Step-06 Build Version (Release) | ||
| if: ${{ startsWith(github.head_ref, 'release/')}} | ||
| run: dotnet build --configuration Release --no-restore -p:PackageVersion=${{ steps.gitversion.outputs.MajorMinorPatch }} | ||
| working-directory: '${{ env.working-directory }}' | ||
|
|
||
| - name: Step-07 Test Solution | ||
| run: dotnet test --configuration Release --no-build --no-restore --verbosity normal | ||
| working-directory: '${{ env.working-directory }}' | ||
|
|
||
| - name: Step-08 Upload Build Artifacts | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: build-artifact | ||
| path: ${{env.working-directory}} | ||
| retention-days: 1 | ||
|
|
||
| Package: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
To fix the issue, we will add a permissions block at the root level of the workflow file. This block will define the minimum required permissions for the workflow. Based on the actions performed in the workflow, such as checking out code, running tests, and uploading artifacts, the contents: read permission is sufficient. If any job requires additional permissions, they can be defined specifically for that job.
| @@ -1,2 +1,4 @@ | ||
| name: PR-CI | ||
| permissions: | ||
| contents: read | ||
| on: |
.github/workflows/PR-CI.yml
Outdated
| needs: [Build-Test] | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| semVersion: ${{ needs.Build-Release.outputs.semVersion }} | ||
| env: | ||
| github-token: '${{ secrets.GH_Packages }}' | ||
| nuget-token: '${{ secrets.NUGET_API_KEY }}' | ||
| working-directory: /home/runner/work/Secure.SAML/Secure.SAML | ||
| steps: | ||
| - name: Step-01 Retrieve Build Artifacts | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: build-artifact | ||
| path: ${{env.working-directory}} | ||
|
|
||
| - name: Step-02 Install Github Packages | ||
| run: dotnet tool install gpr --global | ||
|
|
||
| - name: Step-03 Publish to Github Packages | ||
| run: find -name "*.nupkg" -print -exec gpr push -k ${{env.github-token}} {} \; | ||
|
|
||
| Release: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
To fix the issue, we will add a permissions block at the root level of the workflow to define the minimal permissions required for all jobs. Additionally, we will add job-specific permissions blocks where elevated permissions are necessary. For example:
- The
Run-Lintjob only needscontents: readto check out the code and lint it. - The
Build-Testjob requirescontents: readfor code checkout andpackages: readfor accessing packages. - The
PackageandReleasejobs requirecontents: readandpackages: writeto publish packages.
This approach ensures that each job has the least privileges necessary to perform its tasks.
| @@ -1,2 +1,4 @@ | ||
| name: PR-CI | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| @@ -10,2 +12,4 @@ | ||
| Run-Lint: | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| @@ -26,2 +30,5 @@ | ||
| Build-Test: | ||
| permissions: | ||
| contents: read | ||
| packages: read | ||
| runs-on: ubuntu-latest | ||
| @@ -82,2 +89,5 @@ | ||
| Package: | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| needs: [Build-Test] | ||
| @@ -104,2 +114,5 @@ | ||
| Release: | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| name: Release to Nuget |
NinjaRocks
force-pushed
the
release/v4.0.0
branch
from
65fd4f8 to
79098f2
Compare
| name: Release to Nuget | ||
| needs: [Package] | ||
| if: ${{ startsWith(github.head_ref, 'release/')}} | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| nuget-token: '${{ secrets.NUGET_API_KEY }}' | ||
| working-directory: /home/runner/work/Secure.SAML2/Secure.SAML2 | ||
| steps: | ||
| - name: Step-01 Retrieve Build Artifacts | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: build-artifact | ||
| path: ${{env.working-directory}} | ||
| - name: Step-03 Release to Nuget Org | ||
| if: ${{ startsWith(github.head_ref, 'release/')}} | ||
| run: dotnet nuget push ${{env.working-directory}}/src/Secure.SAML2/bin/Release/*.nupkg --skip-duplicate --api-key ${{ env.nuget-token }} --source https://api.nuget.org/v3/index.json |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
To fix the issue, we will add a permissions block to the Release job to explicitly define the minimal permissions required. Based on the job's functionality, it only needs contents: read to retrieve build artifacts and packages: write to push packages to NuGet. This ensures that the GITHUB_TOKEN is restricted to the least privileges necessary for the job.
The permissions block will be added to the Release job definition, and no other changes are required to the workflow.
| @@ -108,2 +108,5 @@ | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| env: |
No description provided.