feat: create auco cli (SS2-127) #70
Conversation
metalboyrick left a comment
We might need to refactor the repository into a monorepo. The reason is that it would be easier later to handle the publishing CI and logic.
Don't have to use turbo or lerna, just use the built-in multi-package feature in package.json.
Also don't forget to update docs here: https://github.com/Scaffold-Stark/auco-docs
Moved to #71
feat: restructure to monorepo (SS2-127)
feat: reset dev mode (SS2-128)
| if: github.event.pull_request.merged == true | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| SHOULD_RUN: ${{ steps.check_commit.outputs.SHOULD_RUN }} | ||
| steps: | ||
| - name: Checkout Files | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ secrets.ORG_GITHUB_TOKEN }} | ||
| fetch-depth: 0 # Need full git history for logs | ||
|
|
||
| - name: check if skip ci | ||
| id: check_commit | ||
| run: | | ||
| COMMIT_MESSAGE=$(git log -1 --pretty=%B) | ||
| if [[ "$COMMIT_MESSAGE" == *"[skip ci]"* ]]; then | ||
| echo "SHOULD_RUN=false" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "SHOULD_RUN=true" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
| version-bump-create-auco: |
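Review bot: the Checkout step of check_commit passes `token: ${{ secrets.ORG_GITHUB_TOKEN }}` although the job only runs `git log -1 --pretty=%B` to look for `[skip ci]`; a read-only checkout needs no organisation-level PAT, so drop the `token:` input here and let the default GITHUB_TOKEN (with the `contents: read` grant the CodeQL finding on this workflow asks for) do the checkout, keeping the privileged secret out of a job that does not need it. `fetch-depth: 0` is likewise not needed to read the message of the checked-out commit; `git log -1` works on a shallow clone. Since the job runs on a merged pull_request event, also confirm that the commit inspected is the one that landed on main, for example by setting `ref: main` or `ref: ${{ github.event.pull_request.merge_commit_sha }}` on actions/checkout; otherwise the `[skip ci]` guard may inspect a different commit than the release commit it is meant to detect.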
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 4 months ago)
In general, the fix is to add an explicit permissions block to the workflow (or individual jobs) describing the minimal scopes the workflow needs. This ensures the GITHUB_TOKEN is not over-privileged even if repo/org defaults are broad, and documents the workflow's needs.
For this workflow:
- It checks out code and reads commit messages in `check_commit` → needs only `contents: read`.
- It checks out code, bumps npm version, and pushes commits/tags to `main` in `version-bump-create-auco` → needs `contents: write`.
- It doesn't use Actions APIs, issues, pull requests, or other GitHub features directly; Slack and npm use their own secrets, not `GITHUB_TOKEN`.
The simplest, least-privilege change without altering functionality is:
- Add a root-level `permissions: contents: read` so that all jobs default to read-only.
- Override this for the `version-bump-create-auco` job with `permissions: contents: write`.
Concretely:
- Edit `.github/workflows/release-create-auco.yaml`.
- Insert a root `permissions:` block after the `on:` section (e.g., after line 6).
- Add a `permissions:` block under the `version-bump-create-auco` job definition (after its `runs-on` line).
No additional imports or external dependencies are needed.
| @@ -5,6 +5,9 @@ | ||
| types: [closed] | ||
| branches: [main] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| check_commit: | ||
| if: github.event.pull_request.merged == true | ||
| @@ -32,6 +35,8 @@ | ||
| needs: check_commit | ||
| if: ${{ needs.check_commit.outputs.SHOULD_RUN != 'false' }} | ||
| runs-on: ubuntu-22.04 | ||
| permissions: | ||
| contents: write | ||
| defaults: | ||
| run: | ||
| working-directory: packages/create-auco |
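Review bot: the `contents: write` added to version-bump-create-auco in this hunk does not govern the job's pushes, because the Checkout step uses `token: ${{ secrets.ORG_GITHUB_TOKEN }}` and `git push origin main --follow-tags` therefore authenticates with that PAT, not with GITHUB_TOKEN; the grant is only meaningful if the job is switched to the default token. If the PAT exists only to bypass branch protection on main, consider allowing the GitHub Actions app (or a dedicated deploy key) through the protection rule instead, so that `contents: write` on GITHUB_TOKEN is the sole write path and the autofix's least-privilege intent actually holds.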
| needs: check_commit | ||
| if: ${{ needs.check_commit.outputs.SHOULD_RUN != 'false' }} | ||
| runs-on: ubuntu-22.04 | ||
| defaults: | ||
| run: | ||
| working-directory: packages/create-auco | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ secrets.ORG_GITHUB_TOKEN }} | ||
| fetch-depth: 0 # Need full git history for version bumping | ||
|
|
||
| - name: Determine version bump type | ||
| id: version | ||
| run: | | ||
| commit_message=$(git log -1 --pretty=%B) | ||
| if [[ "$commit_message" == *"[major]"* ]]; then | ||
| echo "type=major" >> "$GITHUB_ENV" | ||
| elif [[ "$commit_message" == *"[minor]"* ]]; then | ||
| echo "type=minor" >> "$GITHUB_ENV" | ||
| elif [[ "$commit_message" == *"[prerelease]"* ]]; then | ||
| echo "type=prerelease --preid=rc" >> "$GITHUB_ENV" | ||
| else | ||
| echo "type=patch" >> "$GITHUB_ENV" | ||
| fi | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| registry-url: 'https://registry.npmjs.org/' | ||
|
|
||
| - name: Install dependencies | ||
| working-directory: . | ||
| run: npm install | ||
|
|
||
| - name: Bump version and commit (create-auco) | ||
| run: | | ||
| # Ensure we are on main and up to date | ||
| git reset --hard HEAD | ||
| git pull origin main --no-rebase --strategy=ort --no-edit | ||
|
|
||
| # Configure git user | ||
| git config --global user.name 'github-actions[bot]' | ||
| git config --global user.email 'github-actions[bot]@users.noreply.github.com' | ||
|
|
||
| # Bump version for create-auco package | ||
| new_version=$(npm version ${{ env.type }} -m "chore(release:create-auco): %s [skip ci]") | ||
| echo "NEW_VERSION=${new_version}" >> "$GITHUB_ENV" | ||
|
|
||
| # Push the version bump commit and tag | ||
| git push origin main --follow-tags | ||
|
|
||
| - name: Build create-auco | ||
| run: npm run build | ||
|
|
||
| - name: Publish create-auco to NPM | ||
| run: npm publish | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
|
|
||
| - name: Notify Slack on Success | ||
| if: success() | ||
| uses: slackapi/slack-github-action@v1.26.0 | ||
| with: | ||
| channel-id: ${{ secrets.SLACK_CHANNEL_ID }} | ||
| slack-message: '✅ Version bump & publish successful for create-auco: ${{ env.NEW_VERSION }}' | ||
| env: | ||
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | ||
|
|
||
| - name: Notify Slack on Failure | ||
| if: failure() | ||
| uses: slackapi/slack-github-action@v1.26.0 | ||
| with: | ||
| channel-id: ${{ secrets.SLACK_CHANNEL_ID }} | ||
| slack-message: '❌ Version bump or publish failed for create-auco on main: ${{ github.ref_name }}' | ||
| env: | ||
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} |
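Review bot: the Checkout step in version-bump-create-auco sets no `ref:`, so on this pull_request trigger it checks out the event's ref rather than main; the following `git reset --hard HEAD` and `git pull origin main --no-rebase --strategy=ort --no-edit` then merge main into that checkout and `git push origin main --follow-tags` pushes the result. Pin `ref: main` in actions/checkout so the version-bump commit is created directly on the branch being pushed. The `npm publish` step relies on a long-lived `NPM_TOKEN` and publishes without `--provenance`; granting the job `id-token: write` and running `npm publish --provenance` attaches a verifiable build attestation to the package, and is a prerequisite for moving to npm trusted publishing and retiring the static token. Finally, the job still lacks an explicit `permissions:` block (`contents: write`), as the CodeQL finding on this file points out.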
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 4 months ago)
In general, the fix is to add an explicit permissions block either at the workflow root (to apply to all jobs) or within each job, granting only what that job needs. Here, the check_commit job only reads commit messages, so it can use contents: read. The version-bump-create-auco job performs repository writes (commits/tags and pushes) and therefore needs contents: write. No other GitHub-specific scopes (issues, pull-requests, etc.) are used, so they can be omitted.
The single best fix without changing behavior is to add a workflow-level permissions block that sets a safe default of contents: read, and then override it for the version-bump-create-auco job with permissions: contents: write. This clearly documents that only the version bump job can write to the repo, while all jobs retain the ability to read contents. Concretely:
- In `.github/workflows/release-create-auco.yaml`, add `permissions: contents: read` right after the `on:` block (around line 7–8).
- In the `version-bump-create-auco` job definition (around line 31–34), add `permissions: contents: write` between `runs-on: ubuntu-22.04` and `defaults:`.
No imports or external libraries are needed; this is purely a YAML configuration change in the workflow file.
| @@ -5,6 +5,9 @@ | ||
| types: [closed] | ||
| branches: [main] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| check_commit: | ||
| if: github.event.pull_request.merged == true | ||
| @@ -32,6 +35,8 @@ | ||
| needs: check_commit | ||
| if: ${{ needs.check_commit.outputs.SHOULD_RUN != 'false' }} | ||
| runs-on: ubuntu-22.04 | ||
| permissions: | ||
| contents: write | ||
| defaults: | ||
| run: | ||
| working-directory: packages/create-auco |
No description provided.