ci: Update flows #3
Signed-off-by: Hubert Cymerys <hubert.cymerys@intel.com>
Pull Request Overview
This PR modernizes the CI/CD workflows by replacing local workflow implementations with centralized reusable workflows from the intel/mfd repository, improving maintainability and standardization across projects.
Key changes:
- Replaced local workflow definitions with calls to centralized reusable workflows
- Updated workflow matrix configurations to use simplified parameter structures
- Added new dependency management and validation workflows
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/run_tests.yml | New workflow calling centralized test execution with matrix for OS and Python versions |
| .github/workflows/manual_release.yml | Simplified release workflow using centralized implementation with updated matrix structure |
| .github/workflows/main.yml | New main CI build workflow calling centralized implementation |
| .github/workflows/dependency_review.yml | New dependency review workflow for security scanning |
| .github/workflows/codeql.yml | Removed local CodeQL implementation (98 lines deleted) |
| .github/workflows/check_pr_format.yml | New PR format validation workflow |
| .github/workflows/check_code_standard.yml | New code standard checking workflow |
| .github/workflows/build_upload_whl.yml | Removed local build/upload implementation (205 lines deleted) |
| .github/dependency_review.yml | Added dependency review configuration with license and vulnerability settings |
| .github/dependabot.yml | Added Dependabot configuration for daily Python dependency updates |
Signed-off-by: Hubert Cymerys <hubert.cymerys@intel.com>
| uses: intel/mfd/.github/workflows/check_pr_format.yml@main | ||
| with: | ||
| REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }} | ||
| BRANCH_NAME: ${{ github.head_ref }} |
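Review bot: `BRANCH_NAME: ${{ github.head_ref }}` and `REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}` are attacker-controlled for pull requests from forks, so the called `check_pr_format.yml` must only consume them as inputs (through `env:` or an action input), never interpolated into a `run:` script; worth confirming in intel/mfd before relying on it. Pinning `@main` to a full commit SHA would also make that confirmation stick, since a later change on the branch is picked up here automatically.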
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 4 months ago):
The problem should be fixed by explicitly specifying the permissions key at the top-level of the workflow (recommended if all jobs use the same permissions), or at the job-level (if jobs need different granular access). For a workflow that only validates PR format by calling a reusable workflow, the least privilege required is typically read-level access to contents (the default resource for many read-only checks). Unless the reusable workflow performs write actions (like updating labels or PR statuses), you should restrict GITHUB_TOKEN to only contents: read. Changes required: Add the permissions block to the workflow YAML file, ideally directly after the name key for clarity and broad coverage. No imports or definitions are needed—just a single YAML edit.
| @@ -1,4 +1,6 @@ | ||
| name: Title + Commit Validation | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: |
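Review bot: the top-level `permissions: contents: read` is the right default, but it is also the ceiling for the called workflow: a reusable workflow can only lower the caller's token permissions, never raise them, so if `check_pr_format.yml` declares anything beyond `contents: read` (for example `pull-requests: read` to fetch the PR title) the run fails with an error that the workflow is requesting a permission it is only allowed at a lower level. Check the callee's `permissions` block and mirror it here rather than discovering the gap on the next run.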
|
|
||
| jobs: | ||
| dependency_review: | ||
| uses: intel/mfd/.github/workflows/dependency_review.yml@main |
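Review bot: `dependency_review` passes no `with:` inputs, yet this PR also adds `.github/dependency_review.yml` with license and vulnerability settings; unless the reusable workflow in intel/mfd reads that file from the calling repository by path, the new configuration is dead. Please confirm how the callee locates it (and document the expected path) so the license and vulnerability settings actually apply.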
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 4 months ago):
To fix the problem, introduce a permissions block at the job or workflow root level. Because the workflow is quite simple, and is calling an external, reusable workflow as a job, setting the permissions at the job level ensures the minimal necessary privileges are granted to the GITHUB_TOKEN for the duration of the job. Since dependency review workflows typically require only read access to the repository contents, the recommended minimal permissions are contents: read. This line should be placed inside the dependency_review job definition, directly above the uses: line (i.e., as a sibling to uses). No imports or other code changes are necessary, only this addition to the YAML.
| @@ -6,4 +6,6 @@ | ||
|
|
||
| jobs: | ||
| dependency_review: | ||
| permissions: | ||
| contents: read | ||
| uses: intel/mfd/.github/workflows/dependency_review.yml@main |
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| python_version: ['3.10', '3.13'] | ||
| uses: intel/mfd/.github/workflows/main.yml@main | ||
| secrets: | ||
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | ||
| with: | ||
| REPOSITORY_NAME: ${{ github.repository }} | ||
| BRANCH_NAME: ${{ github.ref_name }} | ||
| PYTHON_VERSION: ${{ matrix.python_version }} | ||
| PROJECT_NAME: 'mfd-hyperv' |
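Review bot: `secrets: GH_TOKEN: ${{ secrets.GH_TOKEN }}` hands a repository secret to `intel/mfd/.github/workflows/main.yml@main`, so anyone who can change that branch in intel/mfd can read the token from this repository's runs; pin the ref to a commit SHA and scope `GH_TOKEN` to the minimum the build needs (or drop it in favour of the job's own `GITHUB_TOKEN` if the callee only needs read access). Also note the matrix here varies only `python_version`, unlike `run_tests.yml`, so whatever runner the callee defaults to is used for every build; if Windows wheels are expected, pass `RUNS_ON` as the test workflow does.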
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 4 months ago):
To fix the problem, add an explicit permissions block specifying the minimal privileges required for the job. The safest possible minimum is contents: read—reading the repository contents only, with no write privileges. To avoid unintentionally restricting necessary permissions that the invoked reusable workflow might require, you may choose to audit that workflow, or, in absence of that, start with the minimal block (contents: read) and expand only if jobs fail due to insufficient permission.
Edit file .github/workflows/main.yml and add a permissions: key at the top level (after the name: block and before or after the on: block), or within the job (build_whl:) if you want a job-specific scope. Since there is only one job, it's best to set it at the top level so it's clear and applies to all jobs.
You do not need to import anything or add any other definitions.
| @@ -1,5 +1,8 @@ | ||
| name: CI Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
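Review bot: `contents: read` at the top level is the right starting point, but since the job is `build_whl` and this PR removes the local build/upload workflow, check whether the callee publishes anything: creating a GitHub release needs `contents: write` and PyPI trusted publishing needs `id-token: write`, and neither can be granted by the called workflow itself, only by this caller.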
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| os: [ubuntu-latest, windows-latest] | ||
| python_version: ['3.10', '3.13'] | ||
| uses: intel/mfd/.github/workflows/run_tests.yml@main | ||
| secrets: | ||
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | ||
| with: | ||
| REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }} | ||
| BRANCH_NAME: ${{ github.head_ref }} | ||
| PYTHON_VERSION: ${{ matrix.python_version }} | ||
| RUNS_ON: ${{ matrix.os }} | ||
| PROJECT_NAME: 'mfd-hyperv' |
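Review bot: this job checks out the fork (`head.repo.full_name` / `head_ref`) and also passes `GH_TOKEN`; if the trigger is `pull_request`, secrets are empty for pull requests from forks and the test run fails for external contributors, while if it is `pull_request_target` the secret would be available to untrusted fork code. Please state the trigger and, if external contributions are expected, make `GH_TOKEN` optional in the callee or gate the secret-dependent tests on `github.event.pull_request.head.repo.fork == false`.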
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 4 months ago):
The best fix is to add a permissions: block for the workflow or for the run_tests job that restricts the GITHUB_TOKEN. Ideally, add the block at the job level (inside run_tests:) or at the root of the workflow above jobs:. Since no repo-modifying operations are visible, the most restrictive permission is contents: read. For maximum clarity and future extensibility, add the block at the run_tests: job level, just above strategy:. No other code edits, imports, or method definitions are required.
| @@ -9,6 +9,8 @@ | ||
|
|
||
| jobs: | ||
| run_tests: | ||
| permissions: | ||
| contents: read | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: |
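As an added example (not code from this PR or from intel/mfd), a small Python audit that applies the two checks raised in the review above to caller workflows: a job with no `permissions` block at job or workflow level, and a `uses:` reference pinned to a mutable ref rather than a full commit SHA. The sample workflows are constructed to mirror the shape of the files in this PR, the 40-hex SHA in the fixed version is a placeholder and not a real intel/mfd commit, and the scan is line-based (assuming consistent indentation) rather than a full YAML parser.

```python
"""Audit GitHub Actions caller workflows for the two problems raised here:
jobs with no `permissions` block (CodeQL "Workflow does not contain
permissions") and `uses:` refs pinned to a mutable ref such as @main or @v4.
Line-based scan (assumes consistent indentation); not a full YAML parser."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# `key:` or `- key:` with an optional scalar value -> (indent, key, value)
KEY = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z_][\w.-]*):(?:\s+(.*))?$")


def _keys(text):
    """Yield (indent, key, value) per mapping line; comments and blanks dropped."""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        m = KEY.match(line)
        if m:
            yield len(m.group(1)), m.group(2), (m.group(3) or "").strip()


def audit_workflow(text):
    """Return findings (list of str) for one caller workflow; [] means clean."""
    top_level_permissions = in_jobs = False
    job_indent = child_indent = job = None
    jobs = {}  # job id -> {"permissions": bool, "uses": [refs]}

    for indent, key, value in _keys(text):
        if indent == 0:                        # top-level key
            in_jobs, job = key == "jobs", None
            top_level_permissions |= key == "permissions"
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:               # a new job id
            job, child_indent = key, None
            jobs[job] = {"permissions": False, "uses": []}
            continue
        if job is None:
            continue
        if child_indent is None:
            child_indent = indent
        if key == "permissions" and indent == child_indent:
            jobs[job]["permissions"] = True
        if key == "uses" and "@" in value:     # reusable workflow or step action
            jobs[job]["uses"].append(value)

    findings = []
    for name, info in jobs.items():
        if not (top_level_permissions or info["permissions"]):
            findings.append(f"job '{name}': no permissions block at job or "
                            "workflow level; GITHUB_TOKEN gets the repository default")
        for ref in info["uses"]:
            target, _, version = ref.rpartition("@")
            if not SHA40.match(version):
                findings.append(f"job '{name}': {target} pinned to mutable ref "
                                f"'{version}'; pin to a full commit SHA")
    return findings


# Constructed samples mirroring the shape of this PR's caller workflows (not
# copied from the repository). BEFORE is what CodeQL flagged; AFTER applies the
# autofix and pins the callee to a placeholder SHA (not a real intel/mfd commit).
BEFORE = """\
name: Dependency Review
on:
  pull_request:
jobs:
  dependency_review:
    uses: intel/mfd/.github/workflows/dependency_review.yml@main
"""
AFTER = """\
name: Dependency Review
permissions:
  contents: read
on:
  pull_request:
jobs:
  dependency_review:
    uses: intel/mfd/.github/workflows/dependency_review.yml@0123456789abcdef0123456789abcdef01234567  # placeholder
"""
# Job-level permissions pass the first check; a step action on a movable tag fails the second.
STEPS = """\
on: push
jobs:
  build:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m build
"""

if __name__ == "__main__":
    for label, text in (("BEFORE", BEFORE), ("AFTER", AFTER), ("STEPS", STEPS)):
        print(f"== {label}")
        for finding in audit_workflow(text) or ["clean"]:
            print("  ", finding)
```

Run it over `.github/workflows/*.yml` in the calling repository to get the same two classes of finding CodeQL and a pin audit would raise; the job-level `permissions` check deliberately counts `permissions: read-all` or `permissions: {}` as present, since either is an explicit decision.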
Pull Request Overview
Copilot reviewed 32 out of 33 changed files in this pull request and generated 1 comment.
Signed-off-by: Hubert Cymerys <hubert.cymerys@intel.com>
9db7316
No description provided.