Merged
9 changes: 5 additions & 4 deletions .github/workflows/check-sample.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: Check Samples
on:
pull_request:
paths:
- 'samples/**'
- "samples/**"

jobs:
check_samples:
Expand All @@ -13,19 +13,20 @@ jobs:
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
# Fetch two to see changes in current commit
fetch-depth: 2

- name: Install Defang
- name: Install Defang (nightly)
run: |
eval "$(curl -fsSL s.defang.io/install)"
env:
DEFANG_INSTALL_VERSION: nightly

- name: Run Checks
id: checks
run: |
eval "$(curl -fsSL s.defang.io/install)"
./scripts/check-sample-files.sh > checklist.txt
./scripts/check-modified-samples.sh > modified.txt
echo "@@ MODIFIED @@"
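Review bot: the `Install Defang (nightly)` step fetches the installer with `curl -fsSL s.defang.io/install`, which gives curl no URL scheme; curl then starts over plain HTTP and depends on a server redirect to reach HTTPS, and the result is handed straight to `eval`. Write `https://s.defang.io/install` explicitly so the script is never requested in the clear. `DEFANG_INSTALL_VERSION: nightly` also means each run installs whatever nightly is current, so a failing sample check may be a Defang regression rather than a sample problem; if testing against nightly is the intent, say so in a comment, otherwise pin a released version and bump it deliberately.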
6 changes: 3 additions & 3 deletions .github/workflows/publish-sample-template.yml
@@ -1,19 +1,19 @@
name: Publish Sample Template

on:
push:
push:
branches:
- main

jobs:
publish_samples:
runs-on: ubuntu-latest
permissions:
permissions:
contents: write
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
# Fetch two to see changes in current commit
fetch-depth: 2
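Review bot: `fetch-depth: 2` with the comment "Fetch two to see changes in current commit" assumes every push to `main` lands exactly one commit; squash merges satisfy that, but a merge commit or a multi-commit push leaves the earlier commits' sample changes unexamined by anything that diffs against `HEAD~1`. Consider deriving the range from `github.event.before` and `github.event.after` on the push payload, or document the single-commit assumption next to the comment. The bump to `actions/checkout@v4` is fine; since this job holds `contents: write` and `pull-requests: write`, pinning the action to a full commit SHA (with the tag in a trailing comment) would remove the mutable-tag risk.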
68 changes: 68 additions & 0 deletions .github/workflows/test-scripts.yml
@@ -0,0 +1,68 @@
name: Test Scripts

permissions:
contents: read

on:
pull_request:
paths:
- "scripts/**"
- "templates/**"
- "samples/**/compose.yaml"
- "samples/**/compose.yml"
push:
branches:
- main
paths:
- "scripts/**"
- "templates/**"

jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: "20"

- name: Install dependencies
run: npm install
working-directory: scripts

- name: Run tests
run: npm test
working-directory: scripts

preview-workflows:
Comment on lines +22 to +40

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium test

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 8 hours ago

In general, the fix is to explicitly set a minimal permissions block for the workflow or for individual jobs, so that the GITHUB_TOKEN has only the scopes required. Here, both jobs only need to read repository contents (for checkout and script execution) and to read basic PR metadata (already available with contents: read), with no visible need for write access. The best fix is to add a root-level permissions block (applies to all jobs) directly under the name: or on: section with contents: read. If in your environment the template-manager.js ever needs to write to PRs or issues, you could later extend this explicitly (e.g., pull-requests: write), but that is not evident from the provided snippet.

Concretely, in .github/workflows/test-scripts.yml, add:

permissions:
  contents: read

near the top of the file (e.g., after name: Test Scripts and before on:). No additional imports, methods, or dependencies are required since permissions is a native workflow configuration key.

Suggested changeset 1: .github/workflows/test-scripts.yml (autofix patch)

Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/test-scripts.yml b/.github/workflows/test-scripts.yml
--- a/.github/workflows/test-scripts.yml
+++ b/.github/workflows/test-scripts.yml
@@ -1,5 +1,8 @@
 name: Test Scripts
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths:
EOF
@lionello lionello committed this autofix suggestion about 8 hours ago.
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 2

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: "20"

- name: Install dependencies
run: npm install
working-directory: scripts

- name: Get changed samples
run: ./scripts/check-modified-samples.sh > modified.txt

- name: Preview workflows
uses: actions/github-script@v7
env:
DRY_RUN: "true"
with:
script: |
const script = require('./scripts/template-manager.js')
await script({github, context, core});
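Review bot: both jobs run `npm install` in `scripts`; in CI prefer `npm ci`, which installs exactly what the lockfile pins and fails if `package.json` and the lockfile disagree, instead of possibly resolving newer transitive versions on every run (this assumes `scripts/package-lock.json` is committed; if it is not, commit it). In `preview-workflows`, `DRY_RUN: "true"` only protects anything if `template-manager.js` checks it on every write path; with the root `permissions: contents: read` an accidental non-dry-run write would fail with 403 rather than change anything, which is the right failure mode, so keep the root block as is and grant `pull-requests: write` at job level only if a later change needs it.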
Comment on lines +41 to +68

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium test

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 1 day ago

In general, the problem is fixed by adding an explicit permissions block to the workflow or to individual jobs, granting only the minimal scopes necessary for the actions being run. For this workflow, both jobs only need to read repository contents (for actions/checkout and to read scripts), and actions/github-script only uses github and context without any explicit write calls in the provided snippet. Therefore, contents: read is sufficient for both jobs. Defining permissions at the workflow root will apply to all jobs that do not override it and is the simplest change.

The best minimal fix is to add a workflow-level permissions block just under the name: (before on:), setting contents: read. This documents that the workflow only needs read access and ensures the GITHUB_TOKEN cannot perform unintended write operations even if org defaults are broad. No imports or other definitions are needed, as this is pure YAML configuration.

Concretely, in .github/workflows/test-scripts.yml, between line 1 (name: Test Scripts) and line 3 (on:), insert:

permissions:
  contents: read

No other changes are required.

Suggested changeset 1: .github/workflows/test-scripts.yml (autofix patch)

Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/test-scripts.yml b/.github/workflows/test-scripts.yml
--- a/.github/workflows/test-scripts.yml
+++ b/.github/workflows/test-scripts.yml
@@ -1,5 +1,8 @@
 name: Test Scripts
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths:
EOF
Unable to commit as this autofix suggestion is now outdated
37 changes: 37 additions & 0 deletions .github/workflows/update-template-workflows.yml
@@ -0,0 +1,37 @@
name: Update Template Workflows

on:
push:
branches:
- main
paths:
- "templates/deploy.yaml"
workflow_dispatch:

jobs:
update_workflows:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: "20"

- name: Install dependencies
run: npm install
working-directory: scripts

- name: Update Template Workflows
uses: actions/github-script@v7
env:
PUSH_TOKEN: ${{ secrets.TEMPLATES_MANAGER_TOKEN }}
with:
github-token: ${{ secrets.TEMPLATES_MANAGER_TOKEN }}
script: |
const script = require('./scripts/update-template-workflows.js')
await script({github, context, core});
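Review bot: the job-level `permissions: contents: read` constrains only `GITHUB_TOKEN`; the real write capability here is `secrets.TEMPLATES_MANAGER_TOKEN`, passed both as the `PUSH_TOKEN` env var and as `github-token`, and nothing in this file bounds what it can reach. Add a comment stating what that token is (fine-grained PAT or GitHub App token) and which repositories and scopes it is limited to, so a reviewer can see that `workflow_dispatch`, which anyone with write access to this repository can fire, cannot be used to push to unrelated repositories. Supplying the same secret twice also deserves a comment: if `update-template-workflows.js` uses the authenticated `github` client for API calls and `PUSH_TOKEN` only for `git push`, say so; if one of the two is unused, drop it.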
25 changes: 0 additions & 25 deletions samples/agentic-autogen/.github/workflows/deploy.yaml

This file was deleted.

25 changes: 0 additions & 25 deletions samples/agentic-langgraph/.github/workflows/deploy.yaml

This file was deleted.

21 changes: 0 additions & 21 deletions samples/agentic-strands/.github/workflows/deploy.yaml

This file was deleted.

21 changes: 0 additions & 21 deletions samples/angular-express/.github/workflows/deploy.yaml

This file was deleted.

21 changes: 0 additions & 21 deletions samples/arduino-wifi/.github/workflows/deploy.yaml

This file was deleted.

21 changes: 0 additions & 21 deletions samples/bullmq-bullboard-redis/.github/workflows/deploy.yaml

This file was deleted.

21 changes: 0 additions & 21 deletions samples/csharp-dotnet/.github/workflows/deploy.yaml

This file was deleted.

26 changes: 0 additions & 26 deletions samples/django-celery/.github/workflows/deploy.yaml

This file was deleted.

27 changes: 0 additions & 27 deletions samples/django-postgres/.github/workflows/deploy.yaml

This file was deleted.
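Review bot: these per-sample `deploy.yaml` files are deleted with nothing shown in this view to replace them, and their lengths differ (21, 25, 26 and 27 lines), which suggests some samples carried customisations beyond a common template. Since `update-template-workflows.yml` is triggered by changes to `templates/deploy.yaml`, the PR description should state that the samples' deploy workflows are now generated from that template and, for the longer ones such as `django-celery` and `django-postgres`, confirm that whatever extra steps they had are either covered by the template or no longer needed.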
