46 changes: 0 additions & 46 deletions .github/workflows/azure-static-web-apps-kind-meadow-06167bf03.yml

This file was deleted.

65 changes: 0 additions & 65 deletions .github/workflows/azure-static-web-apps-white-sky-0acd4ad03.yml

This file was deleted.
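Review bot: both auto-generated SWA workflows are removed, but their deployment tokens, `AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03` and `AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_SKY_0ACD4AD03`, are still consumed by `publish-web.yml` and `publish-asset-store.yml` respectively, so those repository secrets must stay; worth a line in the PR description so nobody cleans them up along with the files.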

61 changes: 55 additions & 6 deletions .github/workflows/publish-asset-store.yml
@@ -1,16 +1,65 @@
name: Publish Asset Store _ Temp
name: Publish Asset Store

on:
push:
branches:
- test
- main
- feature/52-av-web
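Review bot: with `feature/52-av-web` in the `push` branch list and no `production_branch` input on the `Azure/static-web-apps-deploy` step, every push to that feature branch runs `build_and_deploy_job` with `action: "upload"`, which for a push event publishes to the Static Web App's production environment rather than a preview. Either drop the feature branch from `push` and let the `pull_request` trigger provide preview deployments, or set `production_branch: main` on the deploy step so non-main pushes land in a named preview environment.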

Copilot AI Dec 13, 2025


The feature branch 'feature/52-av-web' should not be hardcoded in the workflow triggers. Once this feature is merged to main, this workflow will continue to trigger on pushes to this feature branch. Consider removing the feature branch reference and only keeping 'main' in the branches list.

Copilot uses AI. Check for mistakes.
pull_request:
types: [opened, synchronize, reopened, closed]
branches:
- test
- main
- feature/52-av-web
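Review bot: this is `pull_request`, not `pull_request_target`, so a PR opened from a fork runs without repository secrets and both the upload and the close step fail with an empty `azure_static_web_apps_api_token`. Keep it as `pull_request` (switching to `pull_request_target` would run the PR's `npm run build` with the deployment token available to it); just do not expect previews for fork PRs, and consider adding `github.event.pull_request.head.repo.full_name == github.repository` to both jobs' `if:` conditions so they skip cleanly instead of failing.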

Copilot AI Dec 13, 2025


The feature branch 'feature/52-av-web' should not be hardcoded in the workflow triggers. Once this feature is merged to main, this workflow will continue to trigger on pull requests to this feature branch. Consider removing the feature branch reference and only keeping 'main' in the branches list.


jobs:
echo:
build_and_deploy_job:
if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
runs-on: ubuntu-latest
name: Build and Deploy Job
permissions:
id-token: write
contents: read
steps:
- name: Echo message
run: echo "Hello from the test branch 👋"
- uses: actions/checkout@v3
with:
submodules: true
lfs: false

- name: Install OIDC Client from Core Package
run: npm install @actions/core@1.6.0 @actions/http-client

- name: Get Id Token
uses: actions/github-script@v6
id: idtoken
with:
script: |
const coredemo = require('@actions/core')
return await coredemo.getIDToken()
result-encoding: string

- name: Build And Deploy
id: builddeploy
uses: Azure/static-web-apps-deploy@v1
with:
azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_SKY_0ACD4AD03 }}
action: "upload"
###### Repository/Build Configurations - These values can be configured to match your app requirements. ######
# For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
app_location: "/AssetStore/asset-store-ui" # App source code path
api_location: "" # Api source code path - optional
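Review bot: `actions/checkout@v3` and `actions/github-script@v6` are pinned to mutable major tags, and `npm install @actions/core@1.6.0 @actions/http-client` pulls `@actions/http-client` at whatever version npm resolves at run time; a job that holds the SWA deployment token and mints an OIDC token under `id-token: write` should pin actions to a full commit SHA (`uses: actions/checkout@<sha> # v3`) and pin the npm package versions. Two smaller points: the `permissions` block is job-level only, so `close_pull_request_job` still receives the repository default `GITHUB_TOKEN` scopes; and the ID token returned by `getIDToken()` travels through a step output, which GitHub does not mask in logs, so calling `coredemo.setSecret(token)` before returning it is cheap insurance even though the token is short-lived.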

Copilot AI Dec 13, 2025


The api_location is set to an empty string, but the publish-web.yml workflow has this line commented out entirely. For consistency and clarity, consider commenting out this line instead of setting it to an empty string, or remove it altogether if no API location is needed.

Suggested change
api_location: "" # Api source code path - optional
# api_location: "" # Api source code path - optional

# output_location: "app" # Built app content directory - optional

Copilot AI Dec 13, 2025


The output_location is commented out while the build command is configured. If the build process produces output in a specific directory, the output_location should be specified. The commented value 'app' suggests there might be a specific output directory. Verify whether an output_location should be specified for the asset store build, similar to how 'build' is specified for the web portal.

Suggested change
# output_location: "app" # Built app content directory - optional
output_location: "app" # Built app content directory - optional

github_id_token: ${{ steps.idtoken.outputs.result }}
app_build_command: "CI=false npm run build"

Copilot AI Dec 13, 2025


Setting 'CI=false' in the build command disables treating warnings as errors, which can hide potential issues in the build process. This is generally not recommended for production builds. Consider addressing the warnings instead of suppressing them, or only use this setting if there's a specific reason documented in the codebase.

Suggested change
app_build_command: "CI=false npm run build"
app_build_command: "npm run build"

###### End of Repository/Build Configurations ######

close_pull_request_job:
if: github.event_name == 'pull_request' && github.event.action == 'closed'
runs-on: ubuntu-latest
name: Close Pull Request Job
steps:
- name: Close Pull Request
id: closepullrequest
uses: Azure/static-web-apps-deploy@v1
with:

Copilot AI Dec 13, 2025


The close_pull_request_job is missing the required azure_static_web_apps_api_token parameter. The Azure/static-web-apps-deploy action requires this token even for the close action to properly clean up the deployment. Add the azure_static_web_apps_api_token parameter with the same secret used in the build_and_deploy_job.

Suggested change
with:
with:
azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_SKY_0ACD4AD03 }}

action: "close"
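Review bot: `close_pull_request_job` passes no `azure_static_web_apps_api_token`, so the `action: "close"` call has nothing to authenticate with and the PR's preview environment is never torn down; add the same `secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_SKY_0ACD4AD03` input used by `build_and_deploy_job`. The job also inherits the repository default `GITHUB_TOKEN` permissions, because the `permissions` block was only declared on `build_and_deploy_job`; since this step neither checks out code nor uses `repo_token`, `permissions: {}` at the job level is the right setting.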
Code scanning / CodeQL, check warning on lines +56 to +64 (Medium): Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

To fix the issue, we should add an explicit permissions block to the close_pull_request_job. According to least-privilege principles, we should start with the base: {} (no permissions), unless the job requires explicit access to particular scopes. Reviewing the job, it only uses Azure/static-web-apps-deploy@v1, and does not check out or edit code nor interact with issues or PRs. Therefore, setting permissions: {} at the job level is appropriate and safe.

This change goes in .github/workflows/publish-asset-store.yml, immediately after runs-on: ubuntu-latest (line 57) under close_pull_request_job.


Suggested changeset 1
.github/workflows/publish-asset-store.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-asset-store.yml b/.github/workflows/publish-asset-store.yml
--- a/.github/workflows/publish-asset-store.yml
+++ b/.github/workflows/publish-asset-store.yml
@@ -55,6 +55,7 @@
   close_pull_request_job:
     if: github.event_name == 'pull_request' && github.event.action == 'closed'
     runs-on: ubuntu-latest
+    permissions: {}
     name: Close Pull Request Job
     steps:
       - name: Close Pull Request
EOF
Copilot is powered by AI and may make mistakes. Always verify output.

45 changes: 39 additions & 6 deletions .github/workflows/publish-web.yml
@@ -1,16 +1,49 @@
name: Publish Web
name: Publish SharpEngine Web Portal

on:
push:
branches:
- test
- main
- feature/52-av-web
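Review bot: the `push` list includes `feature/52-av-web` and the deploy step sets no `production_branch`, so a push to that branch uploads the portal to the Static Web App's production environment rather than a preview; restrict `push` to `main` (the `pull_request` trigger already gives the feature branch preview deployments) or set `production_branch: main` on the `Azure/static-web-apps-deploy` step.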

Copilot AI Dec 13, 2025


The feature branch 'feature/52-av-web' should not be hardcoded in the workflow triggers. Once this feature is merged to main, this workflow will continue to trigger on pushes to this feature branch. Consider removing the feature branch reference and only keeping 'main' in the branches list.

pull_request:
types: [opened, synchronize, reopened, closed]
branches:
- test
- main
- feature/52-av-web

Copilot AI Dec 13, 2025


The feature branch 'feature/52-av-web' should not be hardcoded in the workflow triggers. Once this feature is merged to main, this workflow will continue to trigger on pull requests to this feature branch. Consider removing the feature branch reference and only keeping 'main' in the branches list.


jobs:
echo:
build_and_deploy_job:
if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
runs-on: ubuntu-latest
name: Build and Deploy Job
steps:
- name: Echo message
run: echo "Hello from the test branch 👋"
- uses: actions/checkout@v3
with:
submodules: true
lfs: false
- name: Build And Deploy
id: builddeploy
uses: Azure/static-web-apps-deploy@v1
with:
azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }}
repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)
action: "upload"
###### Repository/Build Configurations - These values can be configured to match your app requirements. ######
# For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
app_location: "./Portal/sharpengine-web-ui" # App source code path
# api_location: "" # Api source code path - optional
output_location: "build" # Built app content directory - optional
app_build_command: "CI=false npm run build"
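Review bot: this job hands `secrets.GITHUB_TOKEN` to a third-party action through `repo_token` but declares no `permissions`, so the token carries whatever the repository default is (read/write on older repositories) when the only thing the action needs it for is PR comments. Add a job-level block, `permissions: { contents: read, pull-requests: write }`, mirroring the explicit block in `publish-asset-store.yml`; and as in that file, pin `actions/checkout` and the deploy action to commit SHAs instead of `@v3` and `@v1`.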

Copilot AI Dec 13, 2025


Setting 'CI=false' in the build command disables treating warnings as errors, which can hide potential issues in the build process. This is generally not recommended for production builds. Consider addressing the warnings instead of suppressing them, or only use this setting if there's a specific reason documented in the codebase.

Suggested change
app_build_command: "CI=false npm run build"
app_build_command: "npm run build"

###### End of Repository/Build Configurations ######

close_pull_request_job:
Code scanning / CodeQL, check warning on lines +16 to +39 (Medium): Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix this, explicitly limit the permissions used by this workflow by adding a permissions key at the top (workflow-global), or for each job as needed. Since the deployment action uses GITHUB_TOKEN for GitHub integrations (like PR comments), you should review if write access to pull-requests or other scopes is needed. The minimal starting point is contents: read. If only read access is needed to pull the repository, set permissions: contents: read at the workflow root (before jobs:), which will apply to all jobs. If any jobs need more, explicitly increase only their permissions at the job level.

Recommended fix:

  • At the top level of the workflow file (.github/workflows/publish-web.yml), add:
    permissions:
      contents: read
  • If PR comment writing is needed, add pull-requests: write as well:
    permissions:
      contents: read
      pull-requests: write

Place this block after the name: and before the on: key.


Suggested changeset 1
.github/workflows/publish-web.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-web.yml b/.github/workflows/publish-web.yml
--- a/.github/workflows/publish-web.yml
+++ b/.github/workflows/publish-web.yml
@@ -1,5 +1,8 @@
 name: Publish SharpEngine Web Portal
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
EOF
if: github.event_name == 'pull_request' && github.event.action == 'closed'
runs-on: ubuntu-latest
name: Close Pull Request Job
steps:
- name: Close Pull Request
id: closepullrequest
uses: Azure/static-web-apps-deploy@v1
with:
azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }}

Copilot AI Dec 13, 2025


The publish-web.yml workflow is missing the 'repo_token' parameter in the close_pull_request_job, while it's used in the build_and_deploy_job. For consistency with the deployment job and to enable GitHub integrations (like PR comments) during cleanup, consider adding 'repo_token: ${{ secrets.GITHUB_TOKEN }}' to this step.

Suggested change
azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }}
azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }}
repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)

action: "close"
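Review bot: the two Copilot Autofix suggestions on this file disagree. The first inserts a root-level `permissions: contents: read`, which would strip `pull-requests: write` from the `GITHUB_TOKEN` that `repo_token` in `build_and_deploy_job` needs to post PR comments; the second grants both scopes. Apply only the second (root `contents: read` plus `pull-requests: write`), or keep permissions per job: `build_and_deploy_job` gets both scopes and `close_pull_request_job`, which passes no `repo_token`, gets `permissions: {}`. If `repo_token` is added to the close step as suggested above, that job needs `pull-requests: write` as well.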
Code scanning / CodeQL, check warning on lines +40 to +49 (Medium): Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

  • General fix: Add an explicit permissions block to limit the permissions of the GITHUB_TOKEN to the least privilege required by the workflow.

  • Detailed fix: Add a permissions block at the root of the workflow YAML (just after the name and before on:), so all jobs inherit it. Since the workflow only needs to read the code and comment on PRs, set contents: read and pull-requests: write.

  • Where/what to change:

    • Edit .github/workflows/publish-web.yml

    • Insert the following block after line 1 (name: Publish SharpEngine Web Portal):

      permissions:
        contents: read
        pull-requests: write
  • What's needed: No imports or code changes are required, just a change in the YAML configuration.


Suggested changeset 1
.github/workflows/publish-web.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-web.yml b/.github/workflows/publish-web.yml
--- a/.github/workflows/publish-web.yml
+++ b/.github/workflows/publish-web.yml
@@ -1,4 +1,7 @@
 name: Publish SharpEngine Web Portal
+permissions:
+  contents: read
+  pull-requests: write
 
 on:
   push:
EOF