backport: -> LTS v1.0 #10239
0c7b5d9 to 6ba615f
.github/workflows/cloud.yml
Outdated
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
To fix this problem, you should add a permissions block at the root of the workflow file, immediately after the name: and before the on: or jobs: key. This block restricts the permissions that will be available to all jobs in the workflow, unless individually overridden by job-level permissions keys. The minimal set of permissions should be chosen according to what the workflow requires. The workflow as shown performs only builds/tests and does not interact with repository contents beyond checking out code, so contents: read should generally be sufficient. If additional write permissions to e.g. issues or pull requests are needed by steps not shown, you would add those specifically. In this specific workflow, setting contents: read is the safest and most appropriate baseline.
The change should be made at the very top of .github/workflows/cloud.yml, after the name: declaration and before the on: block, by inserting:
permissions:
  contents: read
No new methods, imports, or other definitions are needed.
| @@ -1,5 +1,7 @@ | ||
| # CAUTION: This workflow exposes secrets. It is only supposed to be run on "merge into master" condition. | ||
| name: 'Cloud Tests' | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| # push doesn't work for PRs, it's safe to use it | ||
| # only maintainers/core contributors are allowed to push directly to the main repository |
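Review bot: `contents: read` at the root is the right baseline for this file, but the hunk's comment would benefit from saying what the block does and does not cover. The jobs further down authenticate to Docker Hub with `secrets.DOCKERHUB_USERNAME` / `secrets.DOCKERHUB_TOKEN`, not with `GITHUB_TOKEN`, so none of the shown jobs needs a job-level override, and the existing `# CAUTION: This workflow exposes secrets` line refers to those repository secrets, which a `permissions:` block does not restrict at all; only the automatic token's scopes are reduced. A one-line note next to `permissions:` ("limits GITHUB_TOKEN only; DockerHub credentials are separate secrets") would keep the two from being confused.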
| sha: ${{ steps.get-tag.outputs.sha }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - id: git-log | ||
| run: git log HEAD~30..HEAD | ||
| - id: get-tag-test | ||
| run: echo "$SHA $(git rev-list -n 1 "$(git tag --contains "$SHA")")" | ||
| env: | ||
| SHA: ${{ github.sha }} | ||
| - id: get-tag | ||
| run: echo "sha=$(git rev-list -n 1 "$(git tag --contains "$SHA")")" >> "$GITHUB_OUTPUT" | ||
| env: | ||
| SHA: ${{ github.sha }} | ||
| - id: get-tag-out | ||
| run: echo "$OUT" | ||
| env: | ||
| OUT: ${{ steps.get-tag.outputs.sha }} | ||
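Review bot: `get-tag-test` and `get-tag-out` only echo the value that `get-tag` already writes to `$GITHUB_OUTPUT`; if they are debugging leftovers they should be removed, and if they are intentional a comment saying so would help. Passing the commit through `env: SHA: ${{ github.sha }}` instead of interpolating the expression into `run:` is the right pattern and should stay. One caveat on the command itself: `git tag --contains "$SHA"` prints every tag that contains the commit, so when a commit is reachable from several tags the inner `$(...)` expands to several words and `git rev-list -n 1` picks one of them, which makes the later `needs['latest-tag-sha'].outputs.sha != github.sha` comparison depend on tag ordering; `git describe --tags --exact-match "$SHA"` (or piping the tag list through `head -n 1`) would make the choice explicit.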
|
|
||
| build_native_linux: | ||
| runs-on: ubuntu-20.04 | ||
| # Please use minimal possible version of ubuntu, because it produces constraint on glibc | ||
| runs-on: ubuntu-22.04 | ||
| timeout-minutes: 60 | ||
| name: Build Linux Native backend for Dev image | ||
| container: | ||
| image: cubejs/rust-cross:x86_64-unknown-linux-gnu-15082024-python-3.9 | ||
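Review bot: the `# Please use minimal possible version of ubuntu, because it produces constraint on glibc` comment no longer matches this job. The build runs inside `container: cubejs/rust-cross:x86_64-unknown-linux-gnu-15082024-python-3.9`, so the glibc the native module links against comes from that image, not from the `ubuntu-20.04` / `ubuntu-22.04` runner; reword or drop the comment so the next runner bump is not blocked by it. Since this job produces an artifact that is shipped in the `:dev` image below, consider pinning the container by digest (`image: cubejs/rust-cross@sha256:<digest>`) rather than by the date tag so the build input is immutable.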
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - name: Install Rust | ||
| uses: actions-rust-lang/setup-rust-toolchain@v1 | ||
| with: | ||
| toolchain: nightly-2024-07-15 | ||
| # override: true # this is by default on | ||
| rustflags: "" | ||
| components: rustfmt | ||
| target: x86_64-unknown-linux-gnu | ||
| cache: false | ||
| - uses: Swatinem/rust-cache@v2 | ||
| with: | ||
| workspaces: ./rust/cubesql -> target | ||
| key: cubesql-x86_64-unknown-linux-gnu | ||
| shared-key: cubesql-x86_64-unknown-linux-gnu | ||
| - name: Install Node.js 20 | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| - name: Install Yarn | ||
| run: npm install -g yarn | ||
| - name: Set Yarn version | ||
| run: yarn policies set-version v1.22.22 | ||
| # We don't need to install all yarn deps to build native | ||
| - name: Install cargo-cp-artifact | ||
| run: npm install -g cargo-cp-artifact@0.1 | ||
| - name: Build native (with Python) | ||
| env: | ||
| PYO3_PYTHON: python3.9 | ||
| CARGO_BUILD_TARGET: x86_64-unknown-linux-gnu | ||
| working-directory: ./packages/cubejs-backend-native | ||
| run: yarn run native:build-debug-python | ||
| - name: Store build artifact for dev image | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: "native-linux-x64-glibc-3.9.node" # this name is referenced below in docker-image-dev | ||
| path: ./packages/cubejs-backend-native/index.node | ||
| overwrite: true | ||
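Review bot: every third-party action in this job (`actions-rust-lang/setup-rust-toolchain@v1`, `Swatinem/rust-cache@v2`, `actions/setup-node@v4`, `actions/upload-artifact@v4`) is referenced by a mutable major tag, and `npm install -g cargo-cp-artifact@0.1` floats on the patch version. Because `index.node` built here is downloaded by `docker-image-dev` and pushed as `cubejs/cube:dev`, pinning the actions to full-length commit SHAs (with the tag in a trailing comment) and the npm package to an exact version would make this artifact reproducible. Two settings deserve a short comment: `cache: false` on setup-rust-toolchain together with a separate `Swatinem/rust-cache@v2` step is fine but looks redundant at first glance, and `rustflags: ""` disables the `-D warnings` default that setup-rust-toolchain otherwise applies.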
|
|
||
| docker-image-dev: | ||
| name: Release :dev image | ||
| needs: [latest-tag-sha, build_native_linux] | ||
| runs-on: ubuntu-20.04 | ||
| runs-on: ubuntu-24.04 | ||
| if: (needs['latest-tag-sha'].outputs.sha != github.sha) | ||
| steps: | ||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
| - name: Download backend-native artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: "native-linux-x64-glibc-3.9.node" # this name is referenced in above in native_linux | ||
| path: ./packages/cubejs-backend-native/ | ||
| - name: Login to DockerHub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
| - name: Push to Docker Hub | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: ./ | ||
| file: ./packages/cubejs-docker/dev.Dockerfile | ||
| platforms: linux/amd64 | ||
| push: true | ||
| tags: cubejs/cube:dev | ||
| - name: Update repo description | ||
| uses: peter-evans/dockerhub-description@v2 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
| repository: cubejs/cube | ||
| readme-filepath: ./packages/cubejs-docker/README.md | ||
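Review bot: the `if: (needs['latest-tag-sha'].outputs.sha != github.sha)` guard means the `:dev` image is skipped whenever the commit is already tagged; that intent is not written down anywhere in the job, and a one-line comment ("dev image only for untagged commits") would save the next reader a trip to `latest-tag-sha`. The comment `# this name is referenced in above in native_linux` has a stray `in` and names the producing job `native_linux` while it is `build_native_linux`. `docker/build-push-action@v6` pushes only the mutable `cubejs/cube:dev` tag; giving the step an `id:` and logging its `digest` output would let a given dev image be traced back to `github.sha`.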
|
|
||
| trigger-test-suites: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
The best way to fix this problem is to add an explicit permissions: block to the workflow file. This can be done at the top/root of the workflow (top-level key), which will then apply to all jobs unless a specific job has its own permissions: block. Since none of the jobs shown require write access (they seem to be checking out code, running builds, and uploading artifacts), it is safe to use the most restrictive default: contents: read. This matches GitHub's recommendations for the minimal starting point and will prevent jobs from obtaining unwarranted write permissions via the GITHUB_TOKEN. The change should be made right after the name: (line 1) and before the on: block (line 2) to ensure the permissions applies globally. No other changes or imports are necessary.
| @@ -1,4 +1,6 @@ | ||
| name: Master | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| push: | ||
| paths: |
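Review bot: `contents: read` at the root of `Master` is a safe default only if no job in this workflow writes through `GITHUB_TOKEN` (creating releases, publishing packages, pushing tags, commenting on issues). The hunk shows just the file header, so this cannot be checked from the diff alone; any such job should get its own `permissions:` block listing exactly the scopes it needs rather than the root block being relaxed later.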
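Both autofix comments describe the same mechanism: a root-level `permissions:` block sets the `GITHUB_TOKEN` scope for every job, and a job-level block overrides it. As an added example, not part of this PR, the Cube repository or the CodeQL query, the following Python script performs that check on a workflow file: it reports whether a root `permissions:` key exists and which jobs neither inherit one nor declare their own. It is a line-based heuristic that assumes block-style YAML with consistent indentation and skips comments and list items, so it needs no YAML library; the two workflow texts are constructed inline for the demonstration.

```python
"""Heuristic check for the CodeQL finding "Workflow does not contain permissions".

Added example; not the CodeQL query and not code from the Cube repository.
It walks a GitHub Actions workflow line by line (no PyYAML dependency) and
reports which jobs would run with the default GITHUB_TOKEN scope because
neither the workflow root nor the job declares `permissions:`.
Assumptions: block-style YAML with consistent indentation; comments and
list items (`- ...`) are skipped; flow-style `jobs: {...}` is not handled.
"""
import re
from dataclasses import dataclass, field

# A mapping key at the start of a line, e.g. "  permissions:" or "runs-on: ubuntu-24.04".
KEY_RE = re.compile(r"^(?P<indent>[ ]*)(?P<key>[A-Za-z0-9_.-]+):")


@dataclass
class PermissionsReport:
    root: bool = False                                 # root-level permissions: present
    jobs_with: list = field(default_factory=list)      # jobs declaring their own block
    jobs_without: list = field(default_factory=list)   # jobs relying on the root block

    def findings(self) -> list:
        """Jobs that fall back to the default token scope (the CodeQL condition)."""
        if self.root:
            return []  # the root block covers every job that does not override it
        return [f"job '{job}': no permissions block and none at workflow root"
                for job in self.jobs_without]


def parse_workflow(text: str) -> PermissionsReport:
    report = PermissionsReport()
    in_jobs = False
    job_indent = None     # indentation of job ids under `jobs:`
    child_indent = None   # indentation of keys directly under the current job
    current_job = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue      # blank line or comment
        m = KEY_RE.match(raw)
        if not m:
            continue      # list items, scalars, continuation lines
        indent, key = len(m.group("indent")), m.group("key")
        if indent == 0:   # top-level key: name, on, permissions, jobs, ...
            in_jobs = key == "jobs"
            if key == "permissions":
                report.root = True
            job_indent = child_indent = current_job = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:          # a new job id
            current_job = key
            child_indent = None
            report.jobs_without.append(key)
        elif current_job is not None:
            if child_indent is None:
                child_indent = indent
            # Only a `permissions:` key directly under the job counts.
            if (indent == child_indent and key == "permissions"
                    and current_job in report.jobs_without):
                report.jobs_without.remove(current_job)
                report.jobs_with.append(current_job)
    return report


# Constructed sample: the shape of a workflow before the fix (no permissions anywhere).
WORKFLOW_MISSING = """\
# CAUTION: constructed sample, not the real cloud.yml
name: 'Cloud Tests'
on:
  push:
    branches:
      - master
jobs:
  latest-tag-sha:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
  docker-image-dev:
    runs-on: ubuntu-24.04
    steps:
      - run: echo build
"""

# Constructed sample: root block applied, one job overriding it with a wider scope.
WORKFLOW_FIXED = """\
name: 'Cloud Tests'
permissions:
  contents: read
on:
  push:
    branches:
      - master
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
  publish:
    permissions:
      contents: read
      packages: write
    runs-on: ubuntu-24.04
    steps:
      - run: echo publish
"""

if __name__ == "__main__":
    for label, text in (("missing", WORKFLOW_MISSING), ("fixed", WORKFLOW_FIXED)):
        report = parse_workflow(text)
        print(f"{label}: root={report.root} with={report.jobs_with} "
              f"without={report.jobs_without}")
        for finding in report.findings():
            print("  ", finding)
```

Running the script prints two findings for the first sample (one per job) and none for the second, where `publish` keeps its explicit `packages: write` while `build` inherits `contents: read` from the root. The same scan, applied to every file under `.github/workflows/`, is a cheap pre-merge check that catches the class of alert CodeQL raised here before it reaches the scanner.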
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Additional details and impacted files:
@@ Coverage Diff @@
## lts/v1.0 #10239 +/- ##
===========================================
Coverage ? 82.52%
===========================================
Files ? 221
Lines ? 77572
Branches ? 0
===========================================
Hits ? 64015
Misses ? 13557
Partials ? 0
KSDaemon
left a comment
👍🏻
75205b5 to 264cf79
264cf79 to 5f6785b
chore: fix chore: fix
The windows-2019 runner image is being deprecated, consider switching to windows-2022(windows-latest) or windows-2025 instead. For more details see actions/runner-images#12045.
ARM64 runners are in public preview, but It's ready for our use case.
* bold attempt to upgrade runners
* fix mongodb-bi version
* drop 2017-latest MSSQL from tests
* fix integrations tests CI Run
* dedup testcontainers package
* fix missed 2017-latest version
* attempt to fix Build cross image
* enable debug for mongobi
* revert mongobi
* edit to run integration tests on 2404
* try to update Build cross image to 2404
* use 22.04 for native builds
chore: fix
Fix repository.url in package.json files to enable npm provenance validation with OIDC trusted publishing. This ensures all public packages have the correct repository URL matching the GitHub repo.
Fix repository URL typo in cubejs-client-vue (cube.js.git -> cube.git) and correct directory fields in databricks-jdbc-driver, linter, backend-maven, and redshift-driver packages for npm provenance.
1545366 to ba2a375
No description provided.