ci: Use AlphaSphereDotAI's Helpr #835
base: main
Changes from all commits
| Original file line number | Diff line number | Diff line change | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,32 @@ | |||||||||||||||||||||||
| name: CI | |||||||||||||||||||||||
| on: | |||||||||||||||||||||||
| push: | |||||||||||||||||||||||
| branches: | |||||||||||||||||||||||
| - main | |||||||||||||||||||||||
| tags: | |||||||||||||||||||||||
| - '[0-9]+.[0-9]+.[0-9]+' | |||||||||||||||||||||||
| - '[0-9]+.[0-9]+.[0-9]+a[0-9]+' | |||||||||||||||||||||||
| - '[0-9]+.[0-9]+.[0-9]+b[0-9]+' | |||||||||||||||||||||||
| pull_request: | |||||||||||||||||||||||
| issue_comment: | |||||||||||||||||||||||
| types: | |||||||||||||||||||||||
| - created | |||||||||||||||||||||||
| - edited | |||||||||||||||||||||||
| workflow_dispatch: | |||||||||||||||||||||||
| release: | |||||||||||||||||||||||
| types: | |||||||||||||||||||||||
| - published | |||||||||||||||||||||||
| jobs: | |||||||||||||||||||||||
| test: | |||||||||||||||||||||||
| name: Test | |||||||||||||||||||||||
| if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' || github.ref_name == 'main' }} | |||||||||||||||||||||||
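Review bot: the `|| github.ref_name == 'main'` clause in the `test` job's `if:` makes the job run for every `issue_comment` event, because comment-triggered runs use the default branch as their ref and the base of this pull request is `main`. With `issue_comment` subscribed to `created` and `edited`, anyone able to comment on an issue or pull request can start this job with the repository's token. Drop the clause so the job runs only for `push` and `pull_request`, or remove the `issue_comment` trigger if nothing consumes it; the same clause also matches `workflow_dispatch` and `release` runs whose ref is `main`.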
|
|||||||||||||||||||||||
| if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' || github.ref_name == 'main' }} | |
| if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }} |
Copilot AI, Feb 1, 2026
The checkout action version is inconsistent with the rest of the codebase. All other workflows use actions/checkout@de0fac2 (v6.0.2) with SHA pinning for security. This workflow should follow the same convention for consistency and security best practices.
Copilot AI, Feb 1, 2026
The workflow is using a test branch '@test' of the external action 'AlphaSphereDotAI/helpr_action'. For production CI workflows, using a stable version tag or commit SHA is recommended for reproducibility and security. Consider pinning to a specific version once testing is complete.
| uses: AlphaSphereDotAI/helpr_action@test | |
| uses: AlphaSphereDotAI/helpr_action@v1 |
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix AI, 5 months ago
In general, the fix is to explicitly configure GITHUB_TOKEN permissions via a permissions: block, either at the workflow level (applies to all jobs) or per-job, and to restrict them to the minimum required (typically contents: read unless writes are needed for issues, PRs, etc.).
For this workflow, the simplest, least intrusive fix is to add a top-level permissions: block immediately under the name: CI line. This will apply to the test job and any future jobs that don’t override permissions. Since the snippet only shows repository checkout and an external action with no explicit need for writes, we’ll start with the CodeQL-suggested minimal scope: contents: read. No imports or additional files are involved, only a YAML edit inside .github/workflows/ci.yaml.
Concretely:

- Edit `.github/workflows/ci.yaml`.
- Insert:

  ```yaml
  permissions:
    contents: read
  ```

  between line 1 (`name: CI`) and line 2 (`on:`).
- Leave the rest of the workflow unchanged.
| @@ -1,4 +1,6 @@ | ||
| name: CI | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| push: | ||
| branches: |
This workflow is missing concurrency control settings. All other similar workflows in the codebase include concurrency settings to prevent duplicate workflow runs (e.g., test.yaml:8-10, build.yaml:9-11, release.yaml:7-9). Consider adding concurrency control to cancel in-progress runs when new ones are triggered, which improves CI efficiency and reduces resource consumption.
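The two security points raised in this review (no `permissions:` block, and actions referenced by a mutable branch or tag instead of a commit SHA) can be checked mechanically before merge. The following is an added example, not code from this repository or from CodeQL; the function name `audit_workflow`, the sample's `runs-on` and `actions/checkout@v4` lines, and the 2-space indentation are assumptions.

```python
import re

# Constructed sample modelled on the workflow under review; the runs-on and
# checkout lines are assumptions, since the page does not show the job's steps.
SAMPLE_WORKFLOW = """\
name: CI
on:
  push:
jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: AlphaSphereDotAI/helpr_action@test
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    # Line-based on purpose (no YAML dependency); assumes 2-space indentation.
    lines = text.splitlines()
    findings = []
    if not any(re.match(r"permissions\s*:", l) for l in lines):
        # No workflow-level default, so each job has to declare its own.
        in_jobs, job, job_perms = False, None, {}
        for l in lines:
            if re.match(r"[^\s#]", l):          # a top-level key
                in_jobs = l.startswith("jobs:")
            elif in_jobs and (m := re.match(r"  ([\w-]+):\s*$", l)):
                job = m.group(1)                # a job id under jobs:
                job_perms[job] = False
            elif in_jobs and job and re.match(r"    permissions\s*:", l):
                job_perms[job] = True
        findings += [f"job '{j}': no permissions block"
                     for j, ok in job_perms.items() if not ok]
    for n, l in enumerate(lines, 1):
        m = USES_RE.match(l)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue                            # local and image refs are out of scope
        name, _, rev = m.group(1).partition("@")
        if not FULL_SHA_RE.match(rev):          # branch, tag or short SHA
            findings.append(f"line {n}: {name} uses mutable ref '{rev}'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_workflow(SAMPLE_WORKFLOW)))
```

A short SHA such as `de0fac2` is reported as well, since only a full 40-character commit SHA is an immutable reference.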