| if: github.event_name == 'pull_request' && github.event.action == 'closed' | ||
| runs-on: ubuntu-latest | ||
| name: Close Pull Request Job | ||
| steps: | ||
| - name: Close Pull Request | ||
| id: closepullrequest | ||
| uses: Azure/static-web-apps-deploy@v1 | ||
| with: | ||
| action: "close" |
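Review bot: This close step passes no `azure_static_web_apps_api_token`, unlike the close job shown further down for the kind-meadow (publish-web) workflow, so the `close` action has nothing to authenticate with when it tears down the preview environment; the later review suggestion supplies `AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_SKY_0ACD4AD03` for exactly this step. While here, `Azure/static-web-apps-deploy@v1` is a mutable tag; pin it to a commit SHA so the deploy code cannot change underneath the workflow.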
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI, 6 months ago
To fix the issue, we should add an explicit permissions block to the close_pull_request_job. According to least-privilege principles, we should start with the base: {} (no permissions), unless the job requires explicit access to particular scopes. Reviewing the job, it only uses Azure/static-web-apps-deploy@v1, and does not check out or edit code nor interact with issues or PRs. Therefore, setting permissions: {} at the job level is appropriate and safe.
This change goes in .github/workflows/publish-asset-store.yml, immediately after runs-on: ubuntu-latest (line 57) under close_pull_request_job.
| @@ -55,6 +55,7 @@ | ||
| close_pull_request_job: | ||
| if: github.event_name == 'pull_request' && github.event.action == 'closed' | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| name: Close Pull Request Job | ||
| steps: | ||
| - name: Close Pull Request |
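Review bot: `permissions: {}` on close_pull_request_job is the right scope for the step as it stands, since it passes neither `repo_token` nor any other GITHUB_TOKEN input. Two caveats: it covers only this job, so build_and_deploy_job in the same file still runs with the repository's default token unless a root-level `permissions:` block is added as well, and if the later suggestion to add `repo_token: ${{ secrets.GITHUB_TOKEN }}` to close steps is applied here too, `{}` must become `pull-requests: write` or the PR-comment call will be rejected.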
| if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') | ||
| runs-on: ubuntu-latest | ||
| name: Build and Deploy Job | ||
| steps: | ||
| - name: Echo message | ||
| run: echo "Hello from the test branch 👋" | ||
| - uses: actions/checkout@v3 | ||
| with: | ||
| submodules: true | ||
| lfs: false | ||
| - name: Build And Deploy | ||
| id: builddeploy | ||
| uses: Azure/static-web-apps-deploy@v1 | ||
| with: | ||
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }} | ||
| repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) | ||
| action: "upload" | ||
| ###### Repository/Build Configurations - These values can be configured to match your app requirements. ###### | ||
| # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig | ||
| app_location: "./Portal/sharpengine-web-ui" # App source code path | ||
| # api_location: "" # Api source code path - optional | ||
| output_location: "build" # Built app content directory - optional | ||
| app_build_command: "CI=false npm run build" | ||
| ###### End of Repository/Build Configurations ###### | ||
|
|
||
| close_pull_request_job: |
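Review bot: The `Echo message` step (`echo "Hello from the test branch 👋"`) is left over from the placeholder workflow and should be dropped from the production job. Because this job hands `repo_token: ${{ secrets.GITHUB_TOKEN }}` to the deploy action for PR comments, any permissions tightening for this file has to keep `pull-requests: write` on this job specifically rather than relying on a read-only root block. Also `actions/checkout@v3` should move to the current major (v4) and, like `Azure/static-web-apps-deploy@v1`, be pinned by commit SHA.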
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI, 6 months ago
To fix this, explicitly limit the permissions used by this workflow by adding a permissions key at the top (workflow-global), or for each job as needed. Since the deployment action uses GITHUB_TOKEN for GitHub integrations (like PR comments), you should review if write access to pull-requests or other scopes is needed. The minimal starting point is contents: read. If only read access is needed to pull the repository, set permissions: contents: read at the workflow root (before jobs:), which will apply to all jobs. If any jobs need more, explicitly increase only their permissions at the job level.
Recommended fix:
- At the top level of the workflow file (.github/workflows/publish-web.yml), add:
  permissions:
    contents: read
- If PR comment writing is needed, add pull-requests: write as well:
  permissions:
    contents: read
    pull-requests: write
Place this block after the name: and before the on: key.
| @@ -1,5 +1,8 @@ | ||
| name: Publish SharpEngine Web Portal | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
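Review bot: A root-level `permissions: contents: read` on its own will break the PR-comment integration in build_and_deploy_job, which passes `repo_token: ${{ secrets.GITHUB_TOKEN }}`: with this block the token is read-only for every job and the comment call will be rejected. Keep the root block as suggested and add a job-level `permissions:` with `contents: read` and `pull-requests: write` on build_and_deploy_job only, leaving close_pull_request_job at the read-only default. Note that this suggestion and the next autofix for the same file disagree (read-only vs. workflow-wide write); apply one, not both.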
| if: github.event_name == 'pull_request' && github.event.action == 'closed' | ||
| runs-on: ubuntu-latest | ||
| name: Close Pull Request Job | ||
| steps: | ||
| - name: Close Pull Request | ||
| id: closepullrequest | ||
| uses: Azure/static-web-apps-deploy@v1 | ||
| with: | ||
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }} | ||
| action: "close" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI, 6 months ago
- General fix: Add an explicit permissions block to limit the permissions of the GITHUB_TOKEN to the least privilege required by the workflow.
- Detailed fix: Add a permissions block at the root of the workflow YAML (just after the name and before on:), so all jobs inherit it. Since the workflow only needs to read the code and comment on PRs, set contents: read and pull-requests: write.
- Where/what to change:
  - Edit .github/workflows/publish-web.yml
  - Insert the following block after line 1 (name: Publish SharpEngine Web Portal):
    permissions:
      contents: read
      pull-requests: write
- What's needed: No imports or code changes are required, just a change in the YAML configuration.
| @@ -1,4 +1,7 @@ | ||
| name: Publish SharpEngine Web Portal | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| on: | ||
| push: |
|
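Review bot: Granting `pull-requests: write` at the workflow root is broader than needed: it extends the write scope to close_pull_request_job, which (in the hunk just above this comment) passes no `repo_token` and so has no use for it. Keep `contents: read` at the root and move `pull-requests: write` into a job-level `permissions:` on build_and_deploy_job, the only job that comments on PRs. This autofix and the previous one target the same file with different scopes; the job-scoped variant is the one to take.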
Pull request overview
This PR consolidates and updates GitHub Actions workflows for deploying Azure Static Web Apps. It replaces placeholder/test workflows with production-ready configurations for deploying both the SharpEngine Web Portal and Asset Store. The changes migrate content from Azure-generated workflow files into more appropriately named publish workflows.
Key Changes:
- Replaces test workflows with production Azure Static Web Apps deployment configurations
- Consolidates two Azure-generated workflow files into the main publish workflows
- Adds proper build configurations including OIDC token handling for the Asset Store
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| .github/workflows/publish-web.yml | Updated from test workflow to production deployment for SharpEngine Web Portal with Azure Static Web Apps |
| .github/workflows/publish-asset-store.yml | Updated from test workflow to production deployment for Asset Store with OIDC authentication |
| .github/workflows/azure-static-web-apps-white-sky-0acd4ad03.yml | Deleted - content migrated to publish-asset-store.yml |
| .github/workflows/azure-static-web-apps-kind-meadow-06167bf03.yml | Deleted - content migrated to publish-web.yml |
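As an added illustration that is not part of this PR or of the autofix suggestions, this is the layout the three CodeQL autofixes above converge on once the token is scoped per job instead of workflow-wide: shown with publish-web.yml's paths, with the asset-store file's `idtoken` step folded in to show where `id-token: write` belongs. The github-script body of the idtoken step and the `AZURE_STATIC_WEB_APPS_API_TOKEN` secret name are assumptions/placeholders.

```yaml
name: Publish SharpEngine Web Portal

# Workflow-wide default: every job's GITHUB_TOKEN starts read-only.
permissions:
  contents: read
on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened, closed]
    branches: [main]
jobs:
  build_and_deploy_job:
    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
    runs-on: ubuntu-latest
    # Only this job comments on PRs (repo_token) and mints an OIDC token
    # (github_id_token), so only this job gets the two write scopes.
    permissions:
      contents: read
      pull-requests: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - name: Get Id Token            # assumed implementation of the idtoken step
        id: idtoken
        uses: actions/github-script@v7
        with:
          result-encoding: string
          script: return await core.getIDToken()
      - name: Build And Deploy
        uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # placeholder name
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          github_id_token: ${{ steps.idtoken.outputs.result }}
          action: "upload"
          app_location: "./Portal/sharpengine-web-ui"
          output_location: "build"
          app_build_command: "npm run build"

  close_pull_request_job:
    if: github.event_name == 'pull_request' && github.event.action == 'closed'
    runs-on: ubuntu-latest
    permissions: {}   # passes no repo_token, so it needs no GitHub API scope
    steps:
      - uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # placeholder name
          action: "close"
```

Pin both actions to commit SHAs before merging; the `@v1`/`@v4`/`@v7` tags are kept here only for readability.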
| id: closepullrequest | ||
| uses: Azure/static-web-apps-deploy@v1 | ||
| with: | ||
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }} |
The publish-web.yml workflow is missing the 'repo_token' parameter in the close_pull_request_job, while it's used in the build_and_deploy_job. For consistency with the deployment job and to enable GitHub integrations (like PR comments) during cleanup, consider adding 'repo_token: ${{ secrets.GITHUB_TOKEN }}' to this step.
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }} | |
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }} | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) |
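Review bot: Adding `repo_token` to the close step is a consistency nicety rather than a requirement; the comment further down on the asset-store file notes that what the close action actually needs is the deployment token. If `repo_token` is added here, the job's GITHUB_TOKEN must then carry `pull-requests: write` for the comment to post, which cuts against the `permissions: {}` the CodeQL autofix proposes for close jobs. Leaving it out is the least-privilege choice.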
| branches: | ||
| - test | ||
| - main | ||
| - feature/52-av-web |
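Review bot: Besides the feature branch, `test` in this list is also a leftover from the placeholder workflows; every branch listed here deploys to the same production Static Web App with the same token, so the trigger set should be just `main`. The same trim applies to the identical lists flagged in the three other locations below.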
The feature branch 'feature/52-av-web' should not be hardcoded in the workflow triggers. Once this feature is merged to main, this workflow will continue to trigger on pushes to this feature branch. Consider removing the feature branch reference and only keeping 'main' in the branches list.
| branches: | ||
| - test | ||
| - main | ||
| - feature/52-av-web |
The feature branch 'feature/52-av-web' should not be hardcoded in the workflow triggers. Once this feature is merged to main, this workflow will continue to trigger on pushes to this feature branch. Consider removing the feature branch reference and only keeping 'main' in the branches list.
| branches: | ||
| - test | ||
| - main | ||
| - feature/52-av-web |
The feature branch 'feature/52-av-web' should not be hardcoded in the workflow triggers. Once this feature is merged to main, this workflow will continue to trigger on pull requests to this feature branch. Consider removing the feature branch reference and only keeping 'main' in the branches list.
| app_location: "./Portal/sharpengine-web-ui" # App source code path | ||
| # api_location: "" # Api source code path - optional | ||
| output_location: "build" # Built app content directory - optional | ||
| app_build_command: "CI=false npm run build" |
Setting 'CI=false' in the build command disables treating warnings as errors, which can hide potential issues in the build process. This is generally not recommended for production builds. Consider addressing the warnings instead of suppressing them, or only use this setting if there's a specific reason documented in the codebase.
| app_build_command: "CI=false npm run build" | |
| app_build_command: "npm run build" |
| api_location: "" # Api source code path - optional | ||
| # output_location: "app" # Built app content directory - optional | ||
| github_id_token: ${{ steps.idtoken.outputs.result }} | ||
| app_build_command: "CI=false npm run build" |
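Review bot: `github_id_token: ${{ steps.idtoken.outputs.result }}` means this job mints a GitHub OIDC token in a step with id `idtoken`; that call requires `id-token: write` on the job, a scope none of the CodeQL autofix suggestions above mention. If a restrictive root-level `permissions:` block is added to publish-asset-store.yml, declare `id-token: write` explicitly on build_and_deploy_job or the idtoken step will fail.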
Setting 'CI=false' in the build command disables treating warnings as errors, which can hide potential issues in the build process. This is generally not recommended for production builds. Consider addressing the warnings instead of suppressing them, or only use this setting if there's a specific reason documented in the codebase.
| app_build_command: "CI=false npm run build" | |
| app_build_command: "npm run build" |
| # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig | ||
| app_location: "/AssetStore/asset-store-ui" # App source code path | ||
| api_location: "" # Api source code path - optional | ||
| # output_location: "app" # Built app content directory - optional |
The output_location is commented out while the build command is configured. If the build process produces output in a specific directory, the output_location should be specified. The commented value 'app' suggests there might be a specific output directory. Verify whether an output_location should be specified for the asset store build, similar to how 'build' is specified for the web portal.
| # output_location: "app" # Built app content directory - optional | |
| output_location: "app" # Built app content directory - optional |
| ###### Repository/Build Configurations - These values can be configured to match your app requirements. ###### | ||
| # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig | ||
| app_location: "/AssetStore/asset-store-ui" # App source code path | ||
| api_location: "" # Api source code path - optional |
The api_location is set to an empty string, but the publish-web.yml workflow has this line commented out entirely. For consistency and clarity, consider commenting out this line instead of setting it to an empty string, or remove it altogether if no API location is needed.
| api_location: "" # Api source code path - optional | |
| # api_location: "" # Api source code path - optional |
| branches: | ||
| - test | ||
| - main | ||
| - feature/52-av-web |
The feature branch 'feature/52-av-web' should not be hardcoded in the workflow triggers. Once this feature is merged to main, this workflow will continue to trigger on pull requests to this feature branch. Consider removing the feature branch reference and only keeping 'main' in the branches list.
| - name: Close Pull Request | ||
| id: closepullrequest | ||
| uses: Azure/static-web-apps-deploy@v1 | ||
| with: |
The close_pull_request_job is missing the required azure_static_web_apps_api_token parameter. The Azure/static-web-apps-deploy action requires this token even for the close action to properly clean up the deployment. Add the azure_static_web_apps_api_token parameter with the same secret used in the build_and_deploy_job.
| with: | |
| with: | |
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_SKY_0ACD4AD03 }} |
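Review bot: The secret name in this suggestion, `AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_SKY_0ACD4AD03`, matches the deleted azure-static-web-apps-white-sky-0acd4ad03.yml, so it is presumably the secret that file used; confirm it still exists in the repository settings, because a `${{ secrets.X }}` reference to a missing secret silently expands to an empty string and the close step would then fail at runtime rather than at workflow validation.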
<Issue number> <Change title>
Contents
This PR is trying to resolve:
TBD
We resolve it by:
TBD
Checklist
mainto my branch.