Develop#22
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check SONAR_TOKEN presence | ||
| run: | | ||
| if [ -z "$SONAR_TOKEN" ]; then | ||
| echo "SONAR_TOKEN missing" | ||
| exit 1 | ||
| else | ||
| echo "SONAR_TOKEN present" | ||
| fi | ||
| env: | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
|
|
||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.12' | ||
|
|
||
| - name: Restore SysIDE license file | ||
| run: | | ||
| if [ -n "$SYSIDE_LICENSE_CONTENT_B64" ]; then | ||
| echo "SysIDE license content found, restoring license file..." | ||
| echo "$SYSIDE_LICENSE_CONTENT_B64" | base64 -d > automator-license.lic | ||
| ls -l automator-license.lic | ||
| echo "SysIDE license key found, attempting to set up license..." | ||
| python -c "import syside; print(syside.__version__)" || echo "License setup failed, tests will use mocks" | ||
| else | ||
| echo "No SysIDE license content found, tests will use mocks if supported" | ||
| fi | ||
| env: | ||
| SYSIDE_LICENSE_CONTENT_B64: ${{ secrets.SYSIDE_LICENSE_CONTENT_B64 }} | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install requests | ||
| pip install -r requirements-ci.txt | ||
| pip install git+https://github.com/Open-MBEE/sysmlv2-python-client.git@main | ||
| pip install git+https://github.com/Open-MBEE/flexo_syside.git@main | ||
| pip install syside==0.8.5 | ||
| pip install pytest pytest-cov pytest-check coverage | ||
| pip install -e . | ||
|
|
||
| - name: Set up Java | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| distribution: temurin | ||
| java-version: '21' | ||
|
|
||
| - name: SonarQube Scan | ||
| uses: SonarSource/sonarqube-scan-action@v6 | ||
| with: | ||
| args: > | ||
| -Dsonar.scanner.skipJreProvisioning=true | ||
| env: | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
| SONAR_SCANNER_SKIP_JRE_PROVISIONING: "true" | ||
|
|
||
| - name: Run tests with coverage | ||
| env: | ||
| SYSIDE_LICENSE_FILE: automator-license.lic | ||
| ACCESS_KEY: ${{ secrets.ACCESS_KEY }} | ||
| SECRET_KEY: ${{ secrets.SECRET_KEY }} | ||
| ONSHAPE_TARGET_ASSEMBLY_URL: ${{ secrets.ONSHAPE_TARGET_ASSEMBLY_URL }} | ||
| run: | | ||
| coverage run -m pytest | ||
| coverage xml -o coverage.xml | ||
|
|
||
| - name: Remove SysIDE license file | ||
| if: always() | ||
| run: | | ||
| rm -f automator-license.lic |
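Review bot: The two `pip install git+https://github.com/Open-MBEE/....git@main` lines in the Install dependencies step resolve to whatever those branch heads are at run time, so any push to either repository executes arbitrary build-backend code on this runner and is then imported by the test step, which receives `ACCESS_KEY`, `SECRET_KEY` and `ONSHAPE_TARGET_ASSEMBLY_URL` — pin both to a full commit SHA (`...sysmlv2-python-client.git@<40-char-sha>`, `...flexo_syside.git@<40-char-sha>`) and bump deliberately. The same applies, with lower risk, to `actions/checkout@v4`, `actions/setup-python@v5`, `actions/setup-java@v4` and `SonarSource/sonarqube-scan-action@v6`, which are mutable major-version tags rather than SHAs. Separately, the SonarQube Scan step runs before `coverage run -m pytest` and `coverage xml -o coverage.xml`, so `coverage.xml` does not yet exist when the scanner runs; unless the project's sonar configuration deliberately omits coverage, move the scan after the test step. The `-Dsonar.scanner.skipJreProvisioning=true` arg and the `SONAR_SCANNER_SKIP_JRE_PROVISIONING: "true"` env duplicate each other, so keep one to avoid drift. The workflow header and `on:` block are outside this quoted section.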
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 2 months ago
To fix the problem, explicitly set permissions for the workflow or the sonar job so that the GITHUB_TOKEN has only the minimal scopes required. Since this workflow just checks out code, installs dependencies, runs tests, and triggers a SonarQube scan using a secret token, it only needs read access to repository contents.
The best minimal fix without changing functionality is to add a root-level permissions: block (applies to all jobs) specifying contents: read. This should be placed after the on: section and before jobs: in .github/workflows/sonarqube.yml, leaving the rest of the workflow unchanged. No imports or additional methods are needed, since this is purely a YAML configuration change.
| @@ -5,6 +5,9 @@ | ||
| branches: [ main, develop ] | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| sonar: | ||
| runs-on: ubuntu-latest |
|



No description provided.