Merged
47 changes: 47 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,47 @@
version: 2

updates:
# Python dependencies
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "06:00"
open-pull-requests-limit: 10
reviewers:
- "advaitpatel"
labels:
- "dependencies"
- "python"
commit-message:
prefix: "chore(deps)"
include: "scope"
# Group minor and patch updates together
groups:
langchain:
patterns:
- "langchain*"
development:
patterns:
- "pytest*"
- "black"
- "ruff"
- "mypy"

# GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "06:00"
open-pull-requests-limit: 5
reviewers:
- "advaitpatel"
labels:
- "dependencies"
- "github-actions"
commit-message:
prefix: "chore(ci)"
include: "scope"
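Review bot: the comment "Group minor and patch updates together" on the `groups:` block does not describe what the block does. Both `langchain` and `development` are defined by `patterns:` alone, so Dependabot will also fold major-version bumps of `langchain*` (and of `pytest*`, `black`, `ruff`, `mypy`) into the same grouped PR, where a breaking change is harder to spot and to bisect. Add `update-types: ["minor", "patch"]` under each group so that majors arrive as their own PRs, or change the comment to say that all update types are grouped.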
44 changes: 44 additions & 0 deletions .github/workflows/codeql-analysis.yml
@@ -0,0 +1,44 @@
name: "CodeQL Security Scanning"

on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
# Run every Monday at 6:00 AM UTC
- cron: '0 6 * * 1'
workflow_dispatch:

jobs:
analyze:
name: Analyze Code
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: [ 'python' ]

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# Run additional queries for comprehensive security analysis
queries: +security-extended,security-and-quality

- name: Autobuild
uses: github/codeql-action/autobuild@v3

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
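Review bot: `queries: +security-extended,security-and-quality` lists two suites where the second already contains the first; `security-and-quality` is `security-extended` plus maintainability and reliability queries, so `+security-and-quality` alone gives the same coverage without scheduling the overlapping queries twice. Separately, every action here is referenced by a floating tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `autobuild@v3`, `analyze@v3`); since this PR also enables Dependabot for the `github-actions` ecosystem, pinning to a full commit SHA costs nothing in maintenance and stops a moved tag from changing what runs with `security-events: write`. The job-level `permissions` block itself is correctly scoped.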
78 changes: 78 additions & 0 deletions .github/workflows/coverage.yml
@@ -0,0 +1,78 @@
name: Code Coverage

on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
workflow_dispatch:

jobs:
coverage:
runs-on: ubuntu-latest
name: Test Coverage Report

steps:
- uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.12'

- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install pytest pytest-cov
if [ -f requirements.txt ]; then pip install -r requirements.txt; fi

- name: Install package
run: |
pip install -e .

- name: Run tests with coverage
run: |
pytest tests/ --cov=. --cov-report=xml --cov-report=html --cov-report=term-missing || echo "Tests completed with coverage"
continue-on-error: true

- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: unittests
name: codecov-docksec
fail_ci_if_error: false
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

- name: Upload coverage reports as artifact
uses: actions/upload-artifact@v4
with:
name: coverage-reports
path: |
coverage.xml
htmlcov/
if-no-files-found: ignore

- name: Generate Coverage Summary
run: |
echo "## Coverage Report" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
if [ -f coverage.xml ]; then
echo "Coverage report generated successfully!" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "📊 View detailed HTML report in artifacts" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Extract coverage percentage if available
if command -v coverage &> /dev/null; then
echo "### Coverage Details:" >> $GITHUB_STEP_SUMMARY
coverage report --format=markdown >> $GITHUB_STEP_SUMMARY 2>/dev/null || echo "Run completed" >> $GITHUB_STEP_SUMMARY
fi
else
echo "⚠️ No coverage data generated" >> $GITHUB_STEP_SUMMARY
fi

- name: Coverage Badge
run: |
echo "Add this badge to your README.md:"
echo "[![codecov](https://codecov.io/gh/advaitpatel/DockSec/branch/main/graph/badge.svg)](https://codecov.io/gh/advaitpatel/DockSec)"
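Review bot: the "Run tests with coverage" step can never fail this job. The `|| echo "Tests completed with coverage"` suffix swallows pytest's exit status, and `continue-on-error: true` on the same step masks it a second time, so a red test suite still yields a green check on `main` and on every pull request, and `fail_ci_if_error: false` does the same for the Codecov upload. Drop the `|| echo` and the `continue-on-error` and let a failing run fail, or, if the intent is to report coverage without gating, say so in the step name. Two smaller points: the workflow has no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although checkout, `pip install -e .`, pytest and `upload-artifact` need only `contents: read` (the CodeQL finding on this file flags exactly this), and `--cov=.` measures the `tests/` directory along with the code under test, which inflates the reported percentage; `--cov=<package>` would report on the package alone.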
Code scanning / CodeQL, check warning (Medium) on lines +12 to +78 of .github/workflows/coverage.yml

Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 2 months ago):

Generally, the fix is to explicitly declare permissions for the workflow or job to follow the principle of least privilege, instead of relying on the repository’s default GITHUB_TOKEN permissions. For this coverage workflow, the minimal starting point is contents: read, which is sufficient for checking out and reading the repository. None of the steps need to push commits or modify repo metadata. Codecov’s action may need contents: read to read commit metadata, but not write access.

The best fix without changing functionality is to add a top-level permissions block right after the name: (or before jobs:) in .github/workflows/coverage.yml. This block will apply to all jobs in the workflow (there is only one, coverage). We will set permissions: contents: read, which aligns with the suggestion from CodeQL and GitHub’s guidance. No other code changes, imports, or job-step changes are required.

Concretely, in .github/workflows/coverage.yml, insert:

permissions:
  contents: read

between line 2 and line 3. This restricts GITHUB_TOKEN to read-only repository contents for this workflow, resolving the CodeQL finding while preserving existing behavior.

Suggested changeset 1: .github/workflows/coverage.yml (autofix patch)
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -1,5 +1,8 @@
 name: Code Coverage
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ main ]
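Review bot: the workflow-level `permissions: contents: read` is the right fix for this file; the single `coverage` job only checks out the repository, installs and tests it, uploads an artifact and writes to `$GITHUB_STEP_SUMMARY`, none of which needs a broader token scope, so no job-level override is required. The `codeql-analysis.yml` added in the same PR already carries a job-level block, so after this patch every workflow in the PR runs with an explicit scope and the default repository setting no longer matters for them.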
EOF
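As an added example (not code from this PR or from the DockSec project), the following Python script reproduces the one check the CodeQL finding above is about: it reports the jobs that run with the repository's default GITHUB_TOKEN scope because neither the workflow nor the job sets `permissions`, and it applies the same workflow-level `contents: read` fix, in the same place, as the autofix patch. It is a line-based checker that assumes the 2-space YAML indentation used by the workflows in this PR, so it needs no PyYAML; the two embedded workflows are trimmed copies of the PR's files, constructed here as test input, and the function names are this example's own.

```python
"""Added example, not code from this PR or from the DockSec project: a small
line-based checker and fixer for the CodeQL finding "Workflow does not
contain permissions". It assumes the 2-space YAML indentation used by the
workflows in this PR and needs nothing beyond the standard library."""
from __future__ import annotations

import re

# A job is covered if the workflow has a top-level block or the job has its own.
TOP_PERMISSIONS = re.compile(r"^permissions:")
JOBS_HEADER = re.compile(r"^jobs:\s*$")
JOB_NAME = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")   # job keys: 2-space indent (assumption)
JOB_PERMISSIONS = re.compile(r"^    permissions:")    # job fields: 4-space indent (assumption)
TOP_LEVEL_KEY = re.compile(r"^[A-Za-z_][\w-]*:")

# Trimmed copies of the PR's workflows, constructed as sample input.
COVERAGE_WORKFLOW = """\
name: Code Coverage

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

jobs:
  coverage:
    runs-on: ubuntu-latest
    name: Test Coverage Report
    steps:
      - uses: actions/checkout@v4
      - name: Run tests with coverage
        run: pytest tests/ --cov=. --cov-report=xml
"""

CODEQL_WORKFLOW = """\
name: "CodeQL Security Scanning"

on:
  push:
    branches: [ main ]
  schedule:
    - cron: '0 6 * * 1'

jobs:
  analyze:
    name: Analyze Code
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
"""


def jobs_missing_permissions(workflow_text: str) -> list[str]:
    """Return the names of jobs whose GITHUB_TOKEN scope is neither set on the
    job nor inherited from a workflow-level permissions block."""
    lines = workflow_text.splitlines()
    if any(TOP_PERMISSIONS.match(ln) for ln in lines):
        return []  # a workflow-level block applies to every job
    seen: list[str] = []
    covered: set[str] = set()
    in_jobs, current = False, None
    for ln in lines:
        if JOBS_HEADER.match(ln):
            in_jobs = True
            continue
        if in_jobs and TOP_LEVEL_KEY.match(ln):
            in_jobs = False  # another top-level key ends the jobs mapping
        if not in_jobs:
            continue
        m = JOB_NAME.match(ln)
        if m:
            current = m.group(1)
            seen.append(current)
        elif current and JOB_PERMISSIONS.match(ln):
            covered.add(current)
    return [job for job in seen if job not in covered]


def add_workflow_permissions(workflow_text: str, scopes: dict[str, str] | None = None) -> str:
    """Insert a workflow-level permissions block after the `name:` line (or at
    the top when there is none), the placement the autofix patch uses.
    Defaults to the least-privilege starting point `contents: read`; an
    existing workflow-level block is left untouched rather than rewritten."""
    lines = workflow_text.splitlines()
    if any(TOP_PERMISSIONS.match(ln) for ln in lines):
        return workflow_text
    scopes = scopes or {"contents": "read"}
    block = ["permissions:"] + [f"  {k}: {v}" for k, v in scopes.items()] + [""]
    idx = next((i + 1 for i, ln in enumerate(lines) if ln.startswith("name:")), 0)
    while idx < len(lines) and lines[idx].strip() == "":
        idx += 1  # keep the block in its own paragraph, as in the patch
    return "\n".join(lines[:idx] + block + lines[idx:]) + "\n"


if __name__ == "__main__":
    for label, text in (("coverage.yml", COVERAGE_WORKFLOW), ("codeql-analysis.yml", CODEQL_WORKFLOW)):
        print(label, "jobs without an explicit permissions block:", jobs_missing_permissions(text) or "none")
    print(add_workflow_permissions(COVERAGE_WORKFLOW))
```

Run the file to see `coverage.yml` reported and `codeql-analysis.yml` clean, followed by the patched coverage workflow. The fixer deliberately refuses to touch a workflow that already has a top-level block: widening or narrowing scopes someone chose on purpose is a review decision, not something a script should do silently.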