Develop#31
Bumps [axios](https://github.com/axios/axios) from 1.6.2 to 1.7.4.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.6.2...v1.7.4)

---
updated-dependencies:
- dependency-name: axios
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alejandra <90076947+alejsdev@users.noreply.github.com>
[skip ci]
[skip ci]
[skip ci]
[skip ci]
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.3.3 to 6.3.4.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.3.4/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 6.3.4
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [react-error-boundary](https://github.com/bvaughn/react-error-boundary) from 4.0.13 to 5.0.0.
- [Release notes](https://github.com/bvaughn/react-error-boundary/releases)
- [Commits](bvaughn/react-error-boundary@4.0.13...5.0.0)

---
updated-dependencies:
- dependency-name: react-error-boundary
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
[skip ci]
[skip ci]
Bumps [bcrypt](https://github.com/pyca/bcrypt) from 4.0.1 to 4.3.0.
- [Changelog](https://github.com/pyca/bcrypt/blob/main/release.py)
- [Commits](pyca/bcrypt@4.0.1...4.3.0)

---
updated-dependencies:
- dependency-name: bcrypt
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
[skip ci]
[skip ci]
Bumps [tiangolo/latest-changes](https://github.com/tiangolo/latest-changes) from 0.3.2 to 0.4.0.
- [Release notes](https://github.com/tiangolo/latest-changes/releases)
- [Commits](tiangolo/latest-changes@0.3.2...0.4.0)

---
updated-dependencies:
- dependency-name: tiangolo/latest-changes
  dependency-version: 0.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
[skip ci]
Added the backlog refinement
| name: Add to project | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/add-to-project@v1.0.2 | ||
| with: | ||
| project-url: https://github.com/orgs/fastapi/projects/2 | ||
| github-token: ${{ secrets.PROJECTS_TOKEN }} |
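Review bot: The job authenticates actions/add-to-project with `secrets.PROJECTS_TOKEN`, a stored token rather than the job's `GITHUB_TOKEN`, so the `permissions:` block CodeQL asks for will not constrain the credential this step actually uses; it only scopes the default token. It is still worth adding a minimal block (`permissions: contents: read`, or `permissions: {}` given that no step here uses `GITHUB_TOKEN`) so the default token is not issued with the repository's default scopes, and keeping the stored token's own scopes limited to the one project it needs.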
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 months ago
To fix the problem, add a permissions block to the workflow or the specific job. The best practice is to set the minimal permissions required for the workflow to function. For the actions/add-to-project action, the minimal permissions are typically contents: read (to read repository contents) and project: write (to add issues or PRs to a project). The permissions block can be added at the job level (under add-to-project:) or at the workflow root (applies to all jobs). In this case, add it at the job level for clarity and minimal impact. Edit .github/workflows/add-to-project.yml to add the following under the add-to-project: job, before runs-on:.
| @@ -12,2 +12,5 @@ | ||
| name: Add to project | ||
| permissions: | ||
| contents: read | ||
| project: write | ||
| runs-on: ubuntu-latest |
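Review bot: `project: write` in the suggested block is not a valid `GITHUB_TOKEN` permission scope. The accepted keys are the documented set (`actions`, `checks`, `contents`, `deployments`, `id-token`, `issues`, `packages`, `pages`, `pull-requests`, `repository-projects`, `security-events`, `statuses`, and a few newer ones); GitHub rejects a workflow file whose `permissions:` map contains an unknown key, so applying this autofix as written would break the workflow rather than harden it. Use `contents: read` alone; the action authenticates with the token from `secrets.PROJECTS_TOKEN`, which `permissions:` does not affect.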
| if: github.repository_owner != 'fastapi' | ||
| runs-on: | ||
| - self-hosted | ||
| - production | ||
| env: | ||
| ENVIRONMENT: production | ||
| DOMAIN: ${{ secrets.DOMAIN_PRODUCTION }} | ||
| STACK_NAME: ${{ secrets.STACK_NAME_PRODUCTION }} | ||
| SECRET_KEY: ${{ secrets.SECRET_KEY }} | ||
| FIRST_SUPERUSER: ${{ secrets.FIRST_SUPERUSER }} | ||
| FIRST_SUPERUSER_PASSWORD: ${{ secrets.FIRST_SUPERUSER_PASSWORD }} | ||
| SMTP_HOST: ${{ secrets.SMTP_HOST }} | ||
| SMTP_USER: ${{ secrets.SMTP_USER }} | ||
| SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} | ||
| EMAILS_FROM_EMAIL: ${{ secrets.EMAILS_FROM_EMAIL }} | ||
| POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }} | ||
| SENTRY_DSN: ${{ secrets.SENTRY_DSN }} | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - run: docker compose -f docker-compose.yml --project-name ${{ secrets.STACK_NAME_PRODUCTION }} build | ||
| - run: docker compose -f docker-compose.yml --project-name ${{ secrets.STACK_NAME_PRODUCTION }} up -d |
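Review bot: Besides the missing `permissions:` block (`contents: read` is enough, since the job only checks out and runs compose), the two `run:` steps expand `${{ secrets.STACK_NAME_PRODUCTION }}` inline into the shell command even though the same value is already exported as `STACK_NAME` in the job `env:`; reference it as `"$STACK_NAME"` so the value reaches the script through the environment rather than being substituted into the command text. The job-level `env:` also hands every secret (SECRET_KEY, FIRST_SUPERUSER_PASSWORD, POSTGRES_PASSWORD, SMTP_PASSWORD and the rest) to all steps, including `actions/checkout`; attaching that `env:` to the two compose steps instead keeps the checkout step from seeing them.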
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 months ago
To fix the problem, you should add a permissions block to the workflow to explicitly limit the permissions granted to the GITHUB_TOKEN. The best way to do this is to add the block at the root level of the workflow file, so it applies to all jobs unless overridden. In this case, the workflow only checks out code and runs Docker commands, so it only needs read access to repository contents. Therefore, you should add:
```yaml
permissions:
  contents: read
```

directly after the name: field and before the on: field in .github/workflows/deploy-production.yml. No additional imports, methods, or definitions are required.
| @@ -1,2 +1,4 @@ | ||
| name: Deploy to Production | ||
| permissions: | ||
| contents: read | ||
|
|
| if: github.repository_owner != 'fastapi' | ||
| runs-on: | ||
| - self-hosted | ||
| - staging | ||
| env: | ||
| ENVIRONMENT: staging | ||
| DOMAIN: ${{ secrets.DOMAIN_STAGING }} | ||
| STACK_NAME: ${{ secrets.STACK_NAME_STAGING }} | ||
| SECRET_KEY: ${{ secrets.SECRET_KEY }} | ||
| FIRST_SUPERUSER: ${{ secrets.FIRST_SUPERUSER }} | ||
| FIRST_SUPERUSER_PASSWORD: ${{ secrets.FIRST_SUPERUSER_PASSWORD }} | ||
| SMTP_HOST: ${{ secrets.SMTP_HOST }} | ||
| SMTP_USER: ${{ secrets.SMTP_USER }} | ||
| SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} | ||
| EMAILS_FROM_EMAIL: ${{ secrets.EMAILS_FROM_EMAIL }} | ||
| POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }} | ||
| SENTRY_DSN: ${{ secrets.SENTRY_DSN }} | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - run: docker compose -f docker-compose.yml --project-name ${{ secrets.STACK_NAME_STAGING }} build | ||
| - run: docker compose -f docker-compose.yml --project-name ${{ secrets.STACK_NAME_STAGING }} up -d |
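Review bot: The staging job has the same shape as production and the same two gaps: no `permissions:` block (add `contents: read`), and `${{ secrets.STACK_NAME_STAGING }}` expanded directly into the two `docker compose` command lines although `STACK_NAME` already carries that value in `env:`; use `"$STACK_NAME"` there. Scoping the secret-bearing `env:` block to those two steps rather than the whole job would also keep the secrets away from the checkout step.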
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 months ago
To fix the problem, add a permissions block to the workflow, specifying the least privilege required. In this case, the only GitHub Action used is actions/checkout@v4, which requires contents: read permission. No other steps require additional permissions. The best way to fix this is to add the following block at the top level of the workflow (just after the name: and before on:), or at the job level if you want to scope it to a specific job. Since there is only one job, adding it at the workflow level is simplest and most maintainable. No additional imports or definitions are needed.
| @@ -1,2 +1,4 @@ | ||
| name: Deploy to Staging | ||
| permissions: | ||
| contents: read | ||
|
|
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.10" | ||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@v6 | ||
| with: | ||
| version: "0.4.15" | ||
| enable-cache: true | ||
| - run: uv run bash scripts/lint.sh | ||
| working-directory: backend |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 months ago
To fix the problem, add a permissions block to the workflow to restrict the GITHUB_TOKEN to the least privilege required. Since the workflow only checks out code and runs linting scripts, it only needs read access to repository contents. The best way to do this is to add a permissions block at the root level of the workflow YAML file, above the jobs: key, specifying contents: read. This will apply to all jobs in the workflow unless overridden. No additional imports or definitions are needed.
| @@ -11,2 +11,4 @@ | ||
|
|
||
| permissions: | ||
| contents: read | ||
| jobs: |
| runs-on: ubuntu-latest | ||
| # Set job outputs to values from filter step | ||
| outputs: | ||
| changed: ${{ steps.filter.outputs.changed }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| # For pull requests it's not necessary to checkout the code but for the main branch it is | ||
| - uses: dorny/paths-filter@v3 | ||
| id: filter | ||
| with: | ||
| filters: | | ||
| changed: | ||
| - backend/** | ||
| - frontend/** | ||
| - .env | ||
| - docker-compose*.yml | ||
| - .github/workflows/playwright.yml | ||
|
|
||
| test-playwright: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 months ago
To fix the problem, add a permissions block to the workflow file to explicitly set the minimum required permissions for the GITHUB_TOKEN. The best way to do this is to add the block at the top level of the workflow, so it applies to all jobs unless overridden. For this workflow, the minimal required permission is contents: read, which allows jobs to check out code and upload artifacts, but not to write to the repository or perform other privileged actions. This change should be made near the top of the file, after the name: line and before the on: block.
| @@ -1,2 +1,4 @@ | ||
| name: Playwright Tests | ||
| permissions: | ||
| contents: read | ||
|
|
| needs: | ||
| - changes | ||
| if: ${{ needs.changes.outputs.changed == 'true' }} | ||
| timeout-minutes: 60 | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| shardIndex: [1, 2, 3, 4] | ||
| shardTotal: [4] | ||
| fail-fast: false | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: lts/* | ||
| - uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.10' | ||
| - name: Setup tmate session | ||
| uses: mxschmitt/action-tmate@v3 | ||
| if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }} | ||
| with: | ||
| limit-access-to-actor: true | ||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@v6 | ||
| with: | ||
| version: "0.4.15" | ||
| enable-cache: true | ||
| - run: uv sync | ||
| working-directory: backend | ||
| - run: npm ci | ||
| working-directory: frontend | ||
| - run: uv run bash scripts/generate-client.sh | ||
| env: | ||
| VIRTUAL_ENV: backend/.venv | ||
| - run: docker compose build | ||
| - run: docker compose down -v --remove-orphans | ||
| - name: Run Playwright tests | ||
| run: docker compose run --rm playwright npx playwright test --fail-on-flaky-tests --trace=retain-on-failure --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} | ||
| - run: docker compose down -v --remove-orphans | ||
| - name: Upload blob report to GitHub Actions Artifacts | ||
| if: ${{ !cancelled() }} | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: blob-report-${{ matrix.shardIndex }} | ||
| path: frontend/blob-report | ||
| include-hidden-files: true | ||
| retention-days: 1 | ||
|
|
||
| merge-playwright-reports: |
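Review bot: The tmate step is gated the right way: it only runs on `workflow_dispatch` with `debug_enabled == 'true'`, and `limit-access-to-actor: true` restricts the session to the person who triggered the run. Keep that gate exactly as it is and do not widen it to `pull_request` or `push`, because the session is an interactive shell on a runner that holds the checked-out tree, the `backend/.venv` and the job's `GITHUB_TOKEN`. Once the top-level `permissions: contents: read` block is added, nothing else in this job needs more: `actions/upload-artifact@v4` does not require a write scope.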
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 months ago
To fix the problem, add a permissions block to the root of the workflow file (.github/workflows/playwright.yml). This block should specify the minimal permissions required for the workflow jobs. For most CI workflows, contents: read is sufficient unless the workflow needs to create or modify issues, pull requests, or other resources. Since this workflow only checks out code and manages artifacts, contents: read and actions: read are typically enough. If artifact upload/download requires additional permissions, actions: read can be added, but for most cases, contents: read suffices. The permissions block should be added after the name: and before the on: block for workflow-wide effect.
| @@ -1,2 +1,4 @@ | ||
| name: Playwright Tests | ||
| permissions: | ||
| contents: read | ||
|
|
| needs: | ||
| - test-playwright | ||
| - changes | ||
| # Merge reports after playwright-tests, even if some shards have failed | ||
| if: ${{ !cancelled() && needs.changes.outputs.changed == 'true' }} | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| - name: Install dependencies | ||
| run: npm ci | ||
| working-directory: frontend | ||
| - name: Download blob reports from GitHub Actions Artifacts | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| path: frontend/all-blob-reports | ||
| pattern: blob-report-* | ||
| merge-multiple: true | ||
| - name: Merge into HTML Report | ||
| run: npx playwright merge-reports --reporter html ./all-blob-reports | ||
| working-directory: frontend | ||
| - name: Upload HTML report | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: html-report--attempt-${{ github.run_attempt }} | ||
| path: frontend/playwright-report | ||
| retention-days: 30 | ||
| include-hidden-files: true | ||
|
|
||
| # https://github.com/marketplace/actions/alls-green#why | ||
| alls-green-playwright: # This job does nothing and is only used for the branch protection |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 months ago
To fix the problem, you should add a permissions block to the workflow file. The best practice is to set this at the top level of the workflow, so it applies to all jobs unless overridden. For most CI workflows that only need to check out code and upload/download artifacts, contents: read is sufficient. If any job requires more (e.g., to create issues or pull requests), you can add those specific permissions as needed. In this case, none of the jobs appear to require write access to the repository, so contents: read is the minimal and correct setting.
Steps:
- Add the following block after the name: line and before the on: block in .github/workflows/playwright.yml:

  ```yaml
  permissions:
    contents: read
  ```
- No additional imports, methods, or definitions are needed.
| @@ -1,2 +1,4 @@ | ||
| name: Playwright Tests | ||
| permissions: | ||
| contents: read | ||
|
|
| if: always() | ||
| needs: | ||
| - test-playwright | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Decide whether the needed jobs succeeded or failed | ||
| uses: re-actors/alls-green@release/v1 | ||
| with: | ||
| jobs: ${{ toJSON(needs) }} | ||
| allowed-skips: test-playwright |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 months ago
To fix the problem, add a permissions block to the workflow to explicitly restrict the GITHUB_TOKEN permissions. The best way is to add the block at the root level of the workflow (above jobs:), so it applies to all jobs unless overridden. For most CI workflows, contents: read is sufficient, unless a job needs to write to issues, pull requests, or other resources. In this case, none of the jobs appear to require write access, so the minimal block is:
```yaml
permissions:
  contents: read
```

This should be added after the name: and before the on: block (i.e., after line 1 and before line 3). No other code changes or imports are needed.
| @@ -2,2 +2,5 @@ | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.10" | ||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@v6 | ||
| with: | ||
| version: "0.4.15" | ||
| enable-cache: true | ||
| - run: docker compose down -v --remove-orphans | ||
| - run: docker compose up -d db mailcatcher | ||
| - name: Migrate DB | ||
| run: uv run bash scripts/prestart.sh | ||
| working-directory: backend | ||
| - name: Run tests | ||
| run: uv run bash scripts/tests-start.sh "Coverage for ${{ github.sha }}" | ||
| working-directory: backend | ||
| - run: docker compose down -v --remove-orphans | ||
| - name: Store coverage files | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: coverage-html | ||
| path: backend/htmlcov | ||
| include-hidden-files: true |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 9 months ago
To fix the problem, add a permissions block to the workflow to explicitly set the minimal required permissions for the GITHUB_TOKEN. Since this workflow only checks out code, sets up the environment, runs tests, and uploads artifacts, it does not require write access to repository contents or other resources. The minimal permission required is contents: read. This block can be added at the top level of the workflow (applies to all jobs) or at the job level (applies only to the specific job). The best practice is to add it at the top level unless a job needs different permissions. Edit .github/workflows/test-backend.yml to add the following block after the name: line and before the on: block:
```yaml
permissions:
  contents: read
```

No additional methods, imports, or definitions are needed.
| @@ -1,2 +1,4 @@ | ||
| name: Test Backend | ||
| permissions: | ||
| contents: read | ||
|
|
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - run: docker compose build | ||
| - run: docker compose down -v --remove-orphans | ||
| - run: docker compose up -d --wait backend frontend adminer | ||
| - name: Test backend is up | ||
| run: curl http://localhost:8000/api/v1/utils/health-check | ||
| - name: Test frontend is up | ||
| run: curl http://localhost:5173 | ||
| - run: docker compose down -v --remove-orphans |
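Review bot: `curl http://localhost:8000/api/v1/utils/health-check` exits 0 on any HTTP response, a 500 included, so "Test backend is up" only proves that something answers on the port, not that the health check passed. Add `-f` (`--fail`) so an error status fails the step, and a small retry budget (`--retry 5 --retry-connrefused`) so the check tolerates startup latency even with `--wait` on the `up` step; the same applies to the frontend check on port 5173.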
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 9 months ago
To fix the problem, add a permissions block to the workflow file to explicitly set the minimum required permissions for the job. Since the job only checks out code and runs Docker Compose commands, it only needs read access to repository contents. The best way to do this is to add permissions: contents: read at the top level of the workflow file (just after the name field and before on:), so it applies to all jobs in the workflow. No additional imports or definitions are needed.
| @@ -1,2 +1,4 @@ | ||
| name: Test Docker Compose | ||
| permissions: | ||
| contents: read | ||
|
|
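Every CodeQL alert in this thread is the same finding, and the first autofix shows how a fix can be wrong in a way a reviewer might not catch at a glance. The block below is an added example, not code from this project and not CodeQL's query: a dependency-free Python check that walks a workflow file, determines the effective permissions of each job (job-level block, else the workflow-level one, else none), and reports jobs with no block, jobs that inherit `write-all`, and scope names GitHub does not accept, such as the `project` key proposed above. It assumes the conventional layout (top-level keys in column 0, job names indented under `jobs:`, a job's own keys one level deeper) instead of parsing YAML properly; the sample workflows at the bottom are constructed for the example and are not files from this repository.

```python
"""Dependency-free check for GitHub Actions workflows that lack a scoped permissions block.
Added example, not the project's code or CodeQL's query; assumes the conventional layout
(top-level keys in column 0, job names indented under `jobs:`, job keys one level deeper)."""
from typing import Dict, List, Optional

# Scopes GitHub accepts in a permissions map; any other key (e.g. `project`) is rejected.
VALID_SCOPES = {
    "actions", "attestations", "checks", "contents", "deployments", "discussions",
    "id-token", "issues", "models", "packages", "pages", "pull-requests",
    "repository-projects", "security-events", "statuses",
}


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _split_key(line: str):
    key, _, value = line.strip().partition(":")
    return key.strip(), value.strip()


def _perm_block(lines: List[str], start: int) -> Dict[str, str]:
    """Permissions map declared by the `permissions:` key at lines[start]."""
    _, value = _split_key(lines[start])
    if value in ("read-all", "write-all"):
        return {"*": value}                     # shorthand forms
    scopes: Dict[str, str] = {}                 # `permissions: {}` also ends up empty
    base = _indent(lines[start])
    for line in (ln for ln in lines[start + 1:] if ln.strip()):
        if _indent(line) <= base:
            break                               # left the nested block
        key, level = _split_key(line)
        scopes[key] = level
    return scopes


def check_workflow_permissions(yaml_text: str) -> List[str]:
    """Findings for one workflow file; an empty list means every job has a sane block."""
    lines = [ln.split(" #", 1)[0].rstrip() for ln in yaml_text.splitlines()]  # drop comments
    root: Optional[Dict[str, str]] = None
    jobs: Dict[str, Optional[Dict[str, str]]] = {}
    in_jobs, job_indent, job_name, job_key_indent = False, None, None, None
    for i, line in enumerate(lines):
        if not line.strip() or line.strip().startswith("#"):
            continue
        ind, (key, _) = _indent(line), _split_key(line)
        if ind == 0:                                    # top-level workflow key
            in_jobs, job_name = key == "jobs", None
            if key == "permissions":
                root = _perm_block(lines, i)
        elif not in_jobs:
            continue
        elif job_indent is None or ind == job_indent:   # a job name under `jobs:`
            job_indent, job_name, job_key_indent = ind, key, None
            jobs[key] = None                            # no job-level block seen yet
        elif job_name is not None:
            job_key_indent = ind if job_key_indent is None else job_key_indent
            if ind == job_key_indent and key == "permissions":
                jobs[job_name] = _perm_block(lines, i)  # job block overrides the root one
    findings: List[str] = []
    for name, perm in jobs.items():
        effective = perm if perm is not None else root
        if effective is None:
            findings.append(f"{name}: no permissions block at job or workflow level; "
                            "GITHUB_TOKEN gets the repository default")
            continue
        if effective.get("*") == "write-all":
            findings.append(f"{name}: write-all grants every scope; list only what is needed")
        for scope in effective:
            if scope != "*" and scope not in VALID_SCOPES:
                findings.append(f"{name}: '{scope}' is not a GITHUB_TOKEN permission scope; "
                                "GitHub rejects the workflow file")
    return findings


# Constructed sample workflows (not files from this repository).
NO_PERMISSIONS = """\
name: Deploy to Production
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker compose up -d
"""
JOB_BAD_SCOPE = """\
name: Add to project
on: [issues]
jobs:
  add-to-project:
    permissions:
      contents: read
      project: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/add-to-project@v1.0.2
"""
```

Running `check_workflow_permissions(NO_PERMISSIONS)` yields one finding for the `deploy` job, and `check_workflow_permissions(JOB_BAD_SCOPE)` flags `project` as an unknown scope; removing that line, or adding a top-level `permissions: contents: read` block to the first sample, makes the check come back clean. The design choice worth noting is that the check reasons per job about the effective permissions rather than just grepping for the `permissions:` key, which is what distinguishes "a job silently inherits `write-all`" from "a job declares nothing".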
added documentation
Added documentation
Added documentation
Documentation update
Added documentation
Added documentation
Added documentation
Added documentation
No description provided.