Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: pytest - ${{ matrix.os }} - py${{ matrix.python-version }} | ||
| runs-on: ${{ matrix.os }} | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| os: [ ubuntu-latest, windows-latest ] | ||
| python-version: [ "3.9", "3.10", "3.11", "3.12", "3.13" ] | ||
| env: | ||
| PYTHONUTF8: "1" | ||
| PYTHONPATH: ${{ github.workspace }}/service | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| cache: "pip" | ||
|
|
||
| - name: Install deps (Ubuntu) | ||
| if: matrix.os == 'ubuntu-latest' | ||
| shell: bash | ||
| run: | | ||
| set -eux | ||
| python -m pip install -U pip | ||
| pip install -r service/requirements.test.txt | ||
| if [ -f service/pyproject.toml ] || [ -f service/setup.cfg ] || [ -f service/setup.py ]; then | ||
| pip install -e service | ||
| fi | ||
| - name: Install deps (Windows) | ||
| if: matrix.os == 'windows-latest' | ||
| shell: pwsh | ||
| run: | | ||
| $ErrorActionPreference = "Stop" | ||
| python -m pip install -U pip | ||
| pip install -r service/requirements.test.txt | ||
| $hasPythonProject = (Test-Path -Path 'service/pyproject.toml') -or | ||
| (Test-Path -Path 'service/setup.cfg') -or | ||
| (Test-Path -Path 'service/setup.py') | ||
| if ($hasPythonProject) { | ||
| python -m pip install -e service | ||
| } else { | ||
| Write-Host 'service packaging files not found; skipping' | ||
| } | ||
| - name: Show versions | ||
| shell: bash | ||
| run: | | ||
| python --version | ||
| pip --version | ||
| pytest --version | ||
| python -c "import sys,platform,os;print(platform.platform());print(sys.version);print('PYTHONPATH=',os.environ.get('PYTHONPATH'))" | ||
| - name: Run tests with coverage | ||
| shell: bash | ||
| run: | | ||
| python -m coverage run -m pytest -q | ||
| python -m coverage xml -o coverage.xml | ||
| - name: Upload coverage.xml | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: coverage-${{ matrix.os }}-py${{ matrix.python-version }} | ||
| path: coverage.xml | ||
| if-no-files-found: error |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To fix the problem, add a permissions block to the workflow. The minimal recommended permission is contents: read, which allows jobs read-only access to the repository contents and is sufficient for most test workflows that do not need to write or modify repository resources. This is best added at the root level, immediately after the name and triggers, thereby applying it to all jobs unless overridden at the job level.
Steps:
- Add the following block after line 1 and before
onon line 2 (or, equivalently, afteronand beforeconcurrency):This will restrict the job’s permissions to the minimum required, satisfying the principle of least privilege and eliminating the CodeQL warning.permissions: contents: read
| @@ -1,4 +1,6 @@ | ||
| name: Pytest | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| push: | ||
| pull_request: |
2 participants
Pull Request
Overview
added windows tests
Changes
Testing
Related Issues
Checklist
Notes for Reviewers