
Conversation

@lionello lionello (Member) commented Feb 3, 2026

This creates a single deploy.yaml for all samples, so we don't need to maintain 80 copies of the same file.

@lionello lionello had a problem deploying to deploy-changed-samples February 3, 2026 05:02 — with GitHub Actions Failure
@lionello lionello requested a review from raphaeltm February 3, 2026 05:03
Comment on lines +19 to +37
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Install dependencies
        run: npm install
        working-directory: scripts

      - name: Run tests
        run: npm test
        working-directory: scripts

  preview-workflows:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium test

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 17 minutes ago

In general, the fix is to explicitly set a minimal permissions block for the workflow or for individual jobs, so that the GITHUB_TOKEN has only the scopes required. Here, both jobs only need to read repository contents (for checkout and script execution) and to read basic PR metadata (already available with contents: read), with no visible need for write access. The best fix is to add a root-level permissions block (applies to all jobs) directly under the name: or on: section with contents: read. If in your environment the template-manager.js ever needs to write to PRs or issues, you could later extend this explicitly (e.g., pull-requests: write), but that is not evident from the provided snippet.

Concretely, in .github/workflows/test-scripts.yml, add:

permissions:
  contents: read

near the top of the file (e.g., after name: Test Scripts and before on:). No additional imports, methods, or dependencies are required since permissions is a native workflow configuration key.

Suggested changeset 1
.github/workflows/test-scripts.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/test-scripts.yml b/.github/workflows/test-scripts.yml
--- a/.github/workflows/test-scripts.yml
+++ b/.github/workflows/test-scripts.yml
@@ -1,5 +1,8 @@
 name: Test Scripts
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths:
EOF
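Review bot: the root-level block added in this hunk (`permissions:` / `contents: read` between `name:` and `on:`) sets every scope it does not list to `none` for both jobs, and a later job-level `permissions:` block replaces it rather than merging with it. If preview-workflows is ever run without `DRY_RUN: "true"` and template-manager.js needs to comment on pull requests, give that job its own block that re-lists `contents: read` next to `pull-requests: write`; a job block containing only `pull-requests: write` would drop contents to `none` and break the checkout step.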
@lionello lionello committed this autofix suggestion 17 minutes ago.
Comment on lines +38 to +65
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Install dependencies
        run: npm install
        working-directory: scripts

      - name: Get changed samples
        run: ./scripts/check-modified-samples.sh > modified.txt

      - name: Preview workflows
        uses: actions/github-script@v7
        env:
          DRY_RUN: "true"
        with:
          script: |
            const script = require('./scripts/template-manager.js')
            await script({github, context, core});

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium test

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 19 hours ago

In general, the problem is fixed by adding an explicit permissions block to the workflow or to individual jobs, granting only the minimal scopes necessary for the actions being run. For this workflow, both jobs only need to read repository contents (for actions/checkout and to read scripts), and actions/github-script only uses github and context without any explicit write calls in the provided snippet. Therefore, contents: read is sufficient for both jobs. Defining permissions at the workflow root will apply to all jobs that do not override it and is the simplest change.

The best minimal fix is to add a workflow-level permissions block just under the name: (before on:), setting contents: read. This documents that the workflow only needs read access and ensures the GITHUB_TOKEN cannot perform unintended write operations even if org defaults are broad. No imports or other definitions are needed, as this is pure YAML configuration.

Concretely, in .github/workflows/test-scripts.yml, between line 1 (name: Test Scripts) and line 3 (on:), insert:

permissions:
  contents: read

No other changes are required.

Suggested changeset 1
.github/workflows/test-scripts.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/test-scripts.yml b/.github/workflows/test-scripts.yml
--- a/.github/workflows/test-scripts.yml
+++ b/.github/workflows/test-scripts.yml
@@ -1,5 +1,8 @@
 name: Test Scripts
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths:
EOF
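Review bot: this hunk is identical to the one already committed for the first alert (same file, same `@@ -1,5 +1,8 @@` header, same three added lines), so `git apply` against the current branch would fail as already applied, which is what "this autofix suggestion is now outdated" reflects. The second alert is the same finding raised for the preview-workflows job and is already resolved by the root-level block; it should be marked fixed rather than re-applied.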
Unable to commit as this autofix suggestion is now outdated
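The two Copilot comments above describe the rule the CodeQL alert is about: once any `permissions:` block exists, unlisted scopes become `none`, a job-level block replaces the workflow-level one, and without either the repository default applies. The following model of that resolution logic is an added example and not code from this repository; it takes a workflow as the dict you would get from loading its YAML (no YAML library needed), uses a constructed two-job stand-in for test-scripts.yml with the job name `test` and steps omitted as assumptions, and shows both the committed `contents: read` fix and the `pull-requests: write` extension the comment mentions, done wrong and done right.

```python
"""Model of GITHUB_TOKEN permission resolution for a workflow.

Added illustration for this PR's CodeQL alert; not code from this
repository.  Workflows are plain dicts (loaded YAML), so no parser is
needed.  Job names and the `on:` filter are simplified assumptions.
"""
import copy

SCOPES = [
    "actions", "checks", "contents", "deployments", "discussions",
    "id-token", "issues", "packages", "pages", "pull-requests",
    "repository-projects", "security-events", "statuses",
]

# Repository/organisation defaults, used only when no permissions block
# exists at either level: "permissive" is write on everything except
# id-token, "restricted" is read on contents and packages only.
PERMISSIVE_DEFAULT = {s: "write" for s in SCOPES}
PERMISSIVE_DEFAULT["id-token"] = "none"
RESTRICTED_DEFAULT = {s: "none" for s in SCOPES}
RESTRICTED_DEFAULT.update({"contents": "read", "packages": "read"})


def expand(block):
    """Turn one `permissions:` value into a full scope table.

    `read-all` / `write-all` are shorthands.  A mapping grants exactly the
    scopes it lists and sets every other scope to `none`, which is why a
    lone `contents: read` is a real lock-down and why a job-level block
    must repeat `contents: read` if checkout still has to work.
    """
    if block == "read-all":
        return {s: "read" for s in SCOPES}
    if block == "write-all":
        return {s: "write" for s in SCOPES}
    table = {s: "none" for s in SCOPES}
    for scope, level in (block or {}).items():
        if scope not in SCOPES or level not in ("read", "write", "none"):
            raise ValueError(f"invalid permission {scope}: {level}")
        table[scope] = level
    return table


def effective_permissions(workflow, job, repo_default=RESTRICTED_DEFAULT):
    """Scopes the token actually has inside `job`: job block wins outright
    over the workflow block (no merge), else the repository default."""
    spec = workflow["jobs"][job]
    if "permissions" in spec:
        return expand(spec["permissions"])
    if "permissions" in workflow:
        return expand(workflow["permissions"])
    return dict(repo_default)


def jobs_without_permissions(workflow):
    """What the CodeQL query flags: jobs left at the repository default
    because neither the workflow nor the job declares permissions."""
    if "permissions" in workflow:
        return []
    return [n for n, s in workflow["jobs"].items() if "permissions" not in s]


def with_permissions(workflow, block, job=None):
    """Copy of `workflow` with `block` set at the root or on one job."""
    wf = copy.deepcopy(workflow)
    if job is None:
        wf["permissions"] = block
    else:
        wf["jobs"][job]["permissions"] = block
    return wf


# Constructed stand-in for test-scripts.yml as the alert saw it: two jobs,
# no permissions block anywhere (steps do not affect scopes, so omitted).
BEFORE = {
    "name": "Test Scripts",
    "on": {"pull_request": {}},
    "jobs": {
        "test": {"runs-on": "ubuntu-latest"},
        "preview-workflows": {"runs-on": "ubuntu-latest"},
    },
}

# The committed autofix: root-level `permissions: {contents: read}`.
AFTER = with_permissions(BEFORE, {"contents": "read"})

# Extending preview-workflows to write PR comments.  Wrong: the job block
# lists only pull-requests, so contents silently becomes none.  Right, in
# YAML under the job:
#   permissions:
#     contents: read
#     pull-requests: write
OVERRIDE_WRONG = with_permissions(AFTER, {"pull-requests": "write"},
                                  job="preview-workflows")
OVERRIDE_RIGHT = with_permissions(AFTER, {"contents": "read",
                                          "pull-requests": "write"},
                                  job="preview-workflows")

if __name__ == "__main__":
    for label, wf in [("before", BEFORE), ("after", AFTER),
                      ("override wrong", OVERRIDE_WRONG),
                      ("override right", OVERRIDE_RIGHT)]:
        p = effective_permissions(wf, "preview-workflows")
        print(f"{label:15} flagged={jobs_without_permissions(wf)} "
              f"contents={p['contents']} pull-requests={p['pull-requests']}")
```

Running the module prints one line per variant; the "override wrong" line is the case to remember, since it shows contents dropping to none for a job that still needs to run actions/checkout.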
@lionello lionello changed the base branch from main to jordan/update-workflows February 3, 2026 23:21
…in permissions


[no ci]

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@lionello lionello changed the base branch from jordan/update-workflows to main February 3, 2026 23:33
@lionello lionello merged commit f81ec47 into main Feb 3, 2026
