
Update Snapshots for kusama #503

Closed

github-actions[bot] wants to merge 3 commits into master from update-snapshots-kusama-c3ebbaa


Conversation

@github-actions
Contributor

Update Snapshots for kusama

Close and reopen this PR to trigger CI.

Comment thread .github/workflows/ci.yml
Comment on lines +52 to +105
needs: define-matrix
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: actions/checkout@v4
- name: setup node env
uses: actions/setup-node@v4
with:
node-version: 22.x
cache: 'yarn'
- run: yarn --immutable
- name: Start Chopsticks for PAH
run: |
source KNOWN_GOOD_BLOCK_NUMBERS_POLKADOT.env
npx @acala-network/chopsticks@latest \
--endpoint=wss://sys.ibp.network/asset-hub-polkadot \
--block=$ASSETHUBPOLKADOT_BLOCK_NUMBER \
--port=8001 > /tmp/chopsticks-pah.log 2>&1 &
echo $! > /tmp/chopsticks-pah.pid

# Wait for server to be ready
timeout=120
elapsed=0
while [ $elapsed -lt $timeout ]; do
if nc -z localhost 8001 2>/dev/null; then
echo "Chopsticks PAH server ready"
break
fi
sleep 2
elapsed=$((elapsed + 2))
done

if [ $elapsed -ge $timeout ]; then
echo "Timeout waiting for chopsticks"
cat /tmp/chopsticks-pah.log
exit 1
fi
- name: Run PAH Tests
env:
ASSETHUBPOLKADOT_ENDPOINT: ws://localhost:8001
run: |
tests='${{ needs.define-matrix.outputs.pah-tests }}'
echo "$tests" | jq -r '.[]' | while read test; do
echo "Running test: $test"
yarn test "packages/$test" || exit 1
done
- name: Cleanup
if: always()
run: |
if [ -f /tmp/chopsticks-pah.pid ]; then
kill $(cat /tmp/chopsticks-pah.pid) || true
fi

kah-tests:
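Review bot: `npx @acala-network/chopsticks@latest` in the `Start Chopsticks for PAH` step resolves whatever version is current at run time, so the fixture changes underneath the pinned `$ASSETHUBPOLKADOT_BLOCK_NUMBER` and a broken or compromised upstream release reaches CI on its next run; pin an exact version (`@acala-network/chopsticks@<version>`, placeholder) and bump it deliberately. The readiness loop only probes the port with `nc -z`, so if chopsticks exits early the step waits the full 120 s before printing the log; a `kill -0 "$(cat /tmp/chopsticks-pah.pid)" || { cat /tmp/chopsticks-pah.log; exit 1; }` inside the loop fails fast instead.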

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

In general, the problem is fixed by explicitly adding a permissions block to the workflow or to individual jobs, granting only the scopes they truly need (usually contents: read for typical CI tasks). This prevents the workflow from inheriting potentially broader default token permissions from the repo/organization.

For this workflow, none of the jobs (lint, define-matrix, pah-tests, kah-tests, other-tests) need to write to the repository, create releases, or modify issues/PRs. They just check out the code and run Node/Yarn commands. The least-privilege configuration is therefore to set permissions: contents: read at the workflow root (right after the name: or on: block). This will apply to all jobs that do not override permissions, and it aligns with the “minimal starting point” suggested by CodeQL. No additional imports or external methods are needed; this is purely a YAML configuration change within .github/workflows/ci.yml.

Concretely:

  • Edit .github/workflows/ci.yml.
  • Insert a permissions block at the top level (same indentation as on: and jobs:), e.g. between the on: block and the concurrency: block.
  • Set contents: read inside that block.
  • Leave all existing job definitions and steps unchanged.
Suggested changeset 1
.github/workflows/ci.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
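Review bot: a root-level `permissions:` block is the right default for these jobs, but a job-level `permissions:` replaces the root block rather than extending it, so any job later given a write scope must restate `contents: read` or its `actions/checkout@v4` step loses read access. This patch and the other autofix on this PR add the same block at different positions (after the `on:` block here, before `on:` there); apply only one of them, since applying both leaves two root-level `permissions:` keys in the same document.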
EOF
Comment thread .github/workflows/ci.yml
Comment on lines +106 to +159
needs: define-matrix
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: actions/checkout@v4
- name: setup node env
uses: actions/setup-node@v4
with:
node-version: 22.x
cache: 'yarn'
- run: yarn --immutable
- name: Start Chopsticks for KAH
run: |
source KNOWN_GOOD_BLOCK_NUMBERS_KUSAMA.env
npx @acala-network/chopsticks@latest \
--endpoint=wss://sys.ibp.network/asset-hub-kusama \
--block=$ASSETHUBKUSAMA_BLOCK_NUMBER \
--port=8002 > /tmp/chopsticks-kah.log 2>&1 &
echo $! > /tmp/chopsticks-kah.pid

# Wait for server to be ready
timeout=120
elapsed=0
while [ $elapsed -lt $timeout ]; do
if nc -z localhost 8002 2>/dev/null; then
echo "Chopsticks KAH server ready"
break
fi
sleep 2
elapsed=$((elapsed + 2))
done

if [ $elapsed -ge $timeout ]; then
echo "Timeout waiting for chopsticks"
cat /tmp/chopsticks-kah.log
exit 1
fi
- name: Run KAH Tests
env:
ASSETHUBKUSAMA_ENDPOINT: ws://localhost:8002
run: |
tests='${{ needs.define-matrix.outputs.kah-tests }}'
echo "$tests" | jq -r '.[]' | while read test; do
echo "Running test: $test"
yarn test "packages/$test" || exit 1
done
- name: Cleanup
if: always()
run: |
if [ -f /tmp/chopsticks-kah.pid ]; then
kill $(cat /tmp/chopsticks-kah.pid) || true
fi

other-tests:
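Review bot: this job repeats `pah-tests` line for line apart from the network, env file, port and log/pid names, so a fix such as pinning the chopsticks version or checking process liveness in the readiness loop has to be made twice and can drift; a `strategy.matrix` over (network, env file, port) with one job body keeps the two in step. If the jobs stay separate, the unpinned `@acala-network/chopsticks@latest` concern raised on `pah-tests` applies here too.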

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

In general, the problem is fixed by explicitly declaring permissions: for the workflow or individual jobs, limiting the GITHUB_TOKEN to the least privileges needed. For a typical test-only CI workflow that only checks out code and installs dependencies, contents: read is sufficient, and no write scopes are required.

The best fix here without changing existing functionality is to add a single permissions: block at the top (root) level of .github/workflows/ci.yml, right under name: CI and before on:, setting contents: read. Root-level permissions apply to all jobs (lint, define-matrix, pah-tests, kah-tests, other-tests, all-passed) that do not define their own permissions: block, so we only need to add it once. None of the shown jobs perform any write operations to the repository or other GitHub resources, so restricting to contents: read will not break behavior.

Concretely:

  • Edit .github/workflows/ci.yml.
  • Insert:
permissions:
  contents: read

between line 1 (name: CI) and line 3 (on:). No additional methods, imports, or dependencies are required.

Suggested changeset 1
.github/workflows/ci.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ master ]
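Review bot: placement before `on:` is fine, but this is the same change as the other autofix on this PR at a different position; apply one patch, not both, or the workflow ends up with two root-level `permissions:` keys. Before applying, confirm no job in ci.yml needs a write scope (none of the jobs shown do), because the root-level `contents: read` added here also governs the `push` runs on `master` declared in the surrounding context lines.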
EOF
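Both Copilot comments above describe the same least-privilege change (a root-level `permissions:` block, or one per job) but give no way to confirm a workflow actually has it. The following is an added example written for this page, not code from the PR or the project: a POSIX shell function using awk that reports whether a workflow file declares GITHUB_TOKEN permissions at the root or on every job, run over three constructed sample workflows modelled on the job names in ci.yml. It is a line-based heuristic, not a YAML parser, and assumes the two-space indentation used in ci.yml; the sample files and the `check_workflow_permissions` name are this example's own.

```shell
#!/bin/sh
# Added example (not from the PR or the project): heuristic check that a GitHub
# Actions workflow limits GITHUB_TOKEN permissions, either with a root-level
# `permissions:` block or with one on every job. Line-based awk, not a YAML
# parser; assumes 2-space indentation for job ids and 4-space for job keys.

check_workflow_permissions() {
  awk '
    /^permissions:/        { root = 1 }             # root-level key at column 0
    /^jobs:/               { injobs = 1; next }
    injobs && /^[^ #]/     { injobs = 0 }           # next root key: jobs: is over
    injobs && /^  [A-Za-z0-9_-]+:/ {                # a job id at 2-space indent
      if (job != "" && !jobperm) missing = missing " " job
      job = $1; sub(":$", "", job); jobperm = 0
    }
    injobs && /^    permissions:/ { jobperm = 1 }   # job-level block (4 spaces)
    END {
      if (job != "" && !jobperm) missing = missing " " job
      if (root)          { print "ok: root-level permissions block found"; exit 0 }
      if (missing == "") { print "ok: every job declares permissions"; exit 0 }
      print "warning: no root permissions block; jobs without one:" missing
      exit 1
    }
  ' "$1"
}

WORKDIR=$(mktemp -d)

# Constructed sample 1: the shape CodeQL flagged, no permissions anywhere.
cat > "$WORKDIR/weak.yml" <<'EOF'
name: CI
on:
  push:
    branches: [ master ]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  pah-tests:
    runs-on: ubuntu-latest
    steps:
      - run: yarn test
EOF

# Constructed sample 2: the autofix, a root-level contents: read.
cat > "$WORKDIR/fixed.yml" <<'EOF'
name: CI
permissions:
  contents: read
on:
  push:
    branches: [ master ]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
EOF

# Constructed sample 3: job-level blocks only, with one job missed.
cat > "$WORKDIR/partial.yml" <<'EOF'
name: CI
on: [push]
jobs:
  lint:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - run: yarn lint
  define-matrix:
    runs-on: ubuntu-latest
    steps:
      - run: echo matrix
EOF

WEAK_WF="$WORKDIR/weak.yml"
FIXED_WF="$WORKDIR/fixed.yml"
PARTIAL_WF="$WORKDIR/partial.yml"

# Stand-alone run: print one verdict per sample file.
for f in "$WEAK_WF" "$FIXED_WF" "$PARTIAL_WF"; do
  printf '%s: ' "$(basename "$f")"
  check_workflow_permissions "$f" || true
done
```

The function exits non-zero whenever the token scope is left to the repository default, which is the condition CodeQL reports, so it can run as a pre-commit or CI step over `.github/workflows/*.yml`. The third sample shows the nuance both comments rely on: a job-level block covers only that job, so a workflow that drops the root block must declare one on every job.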
@rockbmb rockbmb closed this Jan 28, 2026
@rockbmb rockbmb reopened this Jan 28, 2026
@rockbmb
Collaborator

rockbmb commented Jan 28, 2026

This PR was opened because I manually triggered the snapshot update workflow; unintended.

@rockbmb rockbmb closed this Jan 28, 2026