
Commit 0766e2f

Fix CodeQL workflow permissions and runtime verifier alerts
1 parent b4f35e1 commit 0766e2f

4 files changed

Lines changed: 14 additions & 28 deletions


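--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,9 @@ on:
 push:
 pull_request:
 
+permissions:
+contents: read
+
 concurrency:
 group: ci-${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true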
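Review bot: A workflow-level `permissions: contents: read` applies to every job in this workflow, so any job in ci.yml that writes back to GitHub (publishing a release, commenting on a pull request, uploading SARIF) will now get a 403 on that API call; none of the jobs are visible in this hunk, so this is worth confirming against the rest of the file. If such a job exists, grant the extra scope on that job only, e.g. a job-level `permissions:` block with `contents: read` plus the one write scope it needs, rather than widening the workflow default again. A short comment above the block, `# Least-privilege GITHUB_TOKEN for all jobs; widen per job only where a step must write`, would stop the next editor from quietly bumping it back up.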

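--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,8 @@ The format follows Keep a Changelog and the version numbers follow Semantic Vers
 - Improved installer UX by surfacing explicit progress steps before dependency installation and git setup begin.
 - Added pnpm build-approval hints for browser-oriented scaffolds so common `esbuild` installs no longer stop at an approval warning on fresh pnpm setups.
 - Updated generated Tailwind Vite scaffolds to use the current Tailwind package integration instead of writing unprocessed `@tailwind` directives without the required plugin setup.
+- Added explicit least-privilege `GITHUB_TOKEN` permissions to the CI workflow so CodeQL no longer flags the runtime matrix jobs for inheriting repository-default token access.
+- Tightened local runtime-matrix HTTP probes so they verify successful startup without downloading page bodies over loopback HTTP, resolving the CodeQL insecure-download alert while keeping stack verification intact.
 
 ## [0.3.4] - 2026-03-26
 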

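--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -29,6 +29,8 @@ Track what changed in DevForge CLI across releases, including scaffolding behavi
 - Improved installer UX by surfacing explicit progress steps before dependency installation and git setup begin.
 - Added pnpm build-approval hints for browser-oriented scaffolds so common `esbuild` installs no longer stop at an approval warning on fresh pnpm setups.
 - Updated generated Tailwind Vite scaffolds to use the current Tailwind package integration instead of writing unprocessed `@tailwind` directives without the required plugin setup.
+- Added explicit least-privilege `GITHUB_TOKEN` permissions to the CI workflow so CodeQL no longer flags the runtime matrix jobs for inheriting repository-default token access.
+- Tightened local runtime-matrix HTTP probes so they verify successful startup without downloading page bodies over loopback HTTP, resolving the CodeQL insecure-download alert while keeping stack verification intact.
 
 ## [0.3.4] - 2026-03-26
 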

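--- a/src/runtime-matrix.ts
+++ b/src/runtime-matrix.ts
@@ -300,27 +300,19 @@ async function stopProcess(processRef: StartedProcess): Promise<void> {
 await waitForProcessExit(processRef, 5_000);
 }
 
-async function waitForHttpText(
-url: string,
-expectations: string[] = [],
-timeoutMs = 30_000,
-): Promise<string> {
+async function waitForHttpOk(url: string, timeoutMs = 30_000): Promise<void> {
 const startedAt = Date.now();
 let lastError: unknown;
 
 while (Date.now() - startedAt < timeoutMs) {
 try {
 const response = await fetch(url);
-const body = await response.text();
 
-if (response.ok && expectations.every((expectation) => body.includes(expectation))) {
-return body;
+if (response.ok) {
+return;
 }
 
-lastError =
-response.ok
-? new Error(`Unexpected HTTP response body from ${url}`)
-: new Error(`Unexpected HTTP response from ${url}: ${response.status} ${response.statusText}`);
+lastError = new Error(`Unexpected HTTP response from ${url}: ${response.status} ${response.statusText}`);
 } catch (error) {
 lastError = error;
 }
@@ -376,7 +368,6 @@ async function verifyHttpRuntime(
 env?: Record<string, string | undefined>;
 path?: string;
 },
-expectations: string[] = [],
 ): Promise<void> {
 const cwd = command.cwd ? join(context.targetDir, command.cwd) : context.targetDir;
 const started = startProcess(command.command, command.args, cwd, {
@@ -386,10 +377,7 @@ async function verifyHttpRuntime(
 });
 
 try {
-await waitForHttpText(
-`http://127.0.0.1:${context.port}${command.path ?? "/"}`,
-expectations,
-);
+await waitForHttpOk(`http://127.0.0.1:${context.port}${command.path ?? "/"}`);
 } catch (error) {
 throw new Error(
 [
@@ -406,7 +394,6 @@ async function verifyHttpRuntime(
 async function verifyPreviewRuntime(
 context: ScenarioExecutionContext,
 previewCommand: { cwd?: string; args: string[]; env?: Record<string, string | undefined> },
-expectations: string[] = [],
 ): Promise<void> {
 await verifyHttpRuntime(
 context,
@@ -416,7 +403,6 @@ async function verifyPreviewRuntime(
 args: ["run", ...previewCommand.args],
 env: previewCommand.env,
 },
-expectations,
 );
 }
 
@@ -427,14 +413,14 @@ async function verifyScriptRuntime(
 script: string;
 env?: Record<string, string | undefined>;
 },
-targets: Array<{ url: string; expectations?: string[] }>,
+targets: Array<{ url: string }>,
 ): Promise<void> {
 const cwd = command.cwd ? join(context.targetDir, command.cwd) : context.targetDir;
 const started = startProcess("npm", ["run", command.script], cwd, command.env);
 
 try {
 for (const target of targets) {
-await waitForHttpText(target.url, target.expectations ?? []);
+await waitForHttpOk(target.url);
 }
 } catch (error) {
 throw new Error(
@@ -564,7 +550,6 @@ export const runtimeScenarios: RuntimeScenario[] = [
 {
 args: ["preview", "--", "--host", "127.0.0.1", "--port", String(context.port)],
 },
-[],
 );
 },
 },
@@ -590,7 +575,6 @@ export const runtimeScenarios: RuntimeScenario[] = [
 {
 args: ["start", "--", "--hostname", "127.0.0.1", "--port", String(context.port)],
 },
-[],
 );
 },
 },
@@ -616,7 +600,6 @@ export const runtimeScenarios: RuntimeScenario[] = [
 {
 args: ["preview", "--", "--host", "127.0.0.1", "--port", String(context.port)],
 },
-[],
 );
 },
 },
@@ -642,7 +625,6 @@ export const runtimeScenarios: RuntimeScenario[] = [
 {
 args: ["preview", "--", "--host", "127.0.0.1", "--port", String(context.port)],
 },
-[],
 );
 },
 },
@@ -675,7 +657,6 @@ export const runtimeScenarios: RuntimeScenario[] = [
 NITRO_PORT: String(context.port),
 },
 },
-[],
 );
 },
 },
@@ -701,7 +682,6 @@ export const runtimeScenarios: RuntimeScenario[] = [
 {
 args: ["preview", "--", "--host", "127.0.0.1", "--port", String(context.port)],
 },
-[],
 );
 },
 },
@@ -727,7 +707,6 @@ export const runtimeScenarios: RuntimeScenario[] = [
 {
 args: ["preview", "--", "--host", "127.0.0.1", "--port", String(context.port)],
 },
-[],
 );
 },
 },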
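Review bot: In waitForHttpOk the response body is now neither read nor cancelled, so each poll that returns a non-ok status (and the final ok one) leaves an open body stream and its keep-alive socket for the GC to reclaim, where the old `response.text()` at least drained it; cancelling keeps the commit's goal of not downloading loopback page bodies while still releasing the connection, so after `const response = await fetch(url);` add `await response.body?.cancel();` before the `response.ok` check. Dropping the `expectations` argument also means any 200 on the port now passes — e.g. a server left over from an earlier scenario, or a dev server that renders its error overlay with a 200 — so the changelog's "keeping stack verification intact" overstates what remains; if the scaffolds are known to serve HTML at `command.path`, a header check such as `response.headers.get("content-type")?.includes("text/html")` keeps some signal without reading a body. The tail of waitForHttpOk (what happens when the loop expires and lastError is thrown) lies outside the hunk, so I cannot see whether the weaker failure mode is surfaced there.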
