Back port of documentation changes to main #4131

github-actions[bot] wants to merge 5 commits into main from
Conversation
- Scala 2.12 and 2.13 suites will now only run on JVM and Linux
- Scala 3.3 LTS suites will now only run on JVM, Linux, MacOS Aarch64 and Windows

(cherry picked from commit 6d9a1d3)

- `*-1` (group 1: default Scala) becomes `*-default`
- `*-2` (group 2: Scala 2.13) becomes `*-scala-2-13`
- `*-3` (group 3: Scala 2.12) becomes `*-scala-2-12`
- `*-4` (group 4: Scala 3 LTS) becomes `*-lts`
- `*-5` (group 5: Scala 3 Next RC) becomes `*-rc`
- `*macos-m1*` becomes `macos-arm64`

(cherry picked from commit e6b6bd9)
.github/workflows/ci.yml (outdated)
| @@ -812,7 +738,7 @@ jobs: | |||
| run: scala-cli -e 'assert(System.getProperty("os.arch") == "aarch64")' | |||
| - uses: actions/download-artifact@v7 | |||
| with: | |||
| name: macos-m1-launchers | |||
| name: macos-arm64-launchers | |||
| path: artifacts/ | |||
| - name: Native integration tests | |||
| run: ./mill -i nativeIntegrationTests | |||
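Review bot: the consumer side of the rename is here (`name: macos-arm64-launchers` under `actions/download-artifact@v7`), so the producing job's `upload-artifact` step must publish under exactly that name in the same commit; otherwise the download fails at runtime with no validation-time signal. A repo-wide search for `macos-m1-launchers` before merging confirms nothing else still references the old name. While touching the step, consider pinning `actions/download-artifact` to a full commit SHA rather than the mutable `@v7` tag, so the step cannot silently pick up a changed action.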
| @@ -823,12 +749,12 @@ jobs: | |||
| SCALA_CLI_SODIUM_JNI_ALLOW: false | |||
| - name: Convert Mill test reports to JUnit XML format | |||
| if: success() || failure() | |||
| run: .github/scripts/generate-junit-reports.sc macos-m1-tests-5 'Scala CLI MacOS M1 Tests (5)' test-report.xml out/ | |||
| run: .github/scripts/generate-junit-reports.sc macos-arm64-tests-rc 'Scala CLI MacOS ARM64 Tests (5)' test-report.xml out/ | |||
| - name: Upload test report | |||
| uses: actions/upload-artifact@v6 | |||
| if: success() || failure() | |||
| with: | |||
| name: test-results-macos-m1-tests-5 | |||
| name: test-results-macos-arm64-tests-rc | |||
| path: test-report.xml | |||
|
|
|||
| generate-windows-launcher: | |||
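Review bot: the identifier passed to `generate-junit-reports.sc` moves from `macos-m1-tests-5` to `macos-arm64-tests-rc`, but the display title on the same line stays `'Scala CLI MacOS ARM64 Tests (5)'`, keeping the numeric group the commit message retires; suggest `'Scala CLI MacOS ARM64 Tests (Scala 3 Next RC)'` so report titles match the `-rc` suffix. The artifact rename to `test-results-macos-arm64-tests-rc` is consistent with the scheme.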
| @@ -866,7 +792,7 @@ jobs: | |||
| if-no-files-found: error | |||
| retention-days: 2 | |||
|
|
|||
| native-windows-tests-1: | |||
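Review bot: the only job key visible at the end of this hunk is `native-windows-tests-1:`, the old `*-1` form; under the scheme in the commit message it should read `native-windows-tests-default`, so either its rename sits in a following hunk or it was missed. Any `needs:` lists that reference renamed job ids must change in lockstep, since a stale id fails workflow validation before any job runs.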
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 7 hours ago):
In general, the problem is fixed by explicitly setting a `permissions:` block to restrict `GITHUB_TOKEN` to the least privileges required, instead of inheriting repository/organization defaults. For a CI workflow that only checks out code, runs builds/tests, and uploads/downloads artifacts, `contents: read` is typically sufficient. If some other jobs in this workflow need more (e.g., `contents: write`, `packages: write`, `pull-requests: write`), they can override permissions on a per-job basis.

The best fix here, without changing functionality, is to add a single top-level `permissions:` block near the top of `.github/workflows/ci.yml`, immediately after the `name:` line (or after the `on:` block), specifying minimal read-only access, for example:

```yaml
permissions:
  contents: read
```

This will apply to all jobs that don't define their own `permissions:`, including `native-macos-arm64-tests-default` (line 649) and its related jobs. The shown steps (checkout, Scala CLI setup, artifact upload/download, shell scripts, and use of `secrets.GITHUB_TOKEN` as a plain environment variable) do not require write access to the repository via the GitHub API, so `contents: read` is safe and sufficient. No additional methods, imports, or external libraries are needed, only this YAML change.

Concretely:
- Edit `.github/workflows/ci.yml`.
- Insert a top-level `permissions:` block with `contents: read` right after line 1 (`name: CI`) and before the `on:` section (or just after `on:`; both are valid as long as indentation shows it's top level).
- Leave all existing job definitions and steps unchanged.
| @@ -1,4 +1,6 @@ | ||
| name: CI | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| push: | ||
| branches: |
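To make the finding behind both Copilot autofix comments on this page concrete, here is an added example (not code from the scala-cli repository, from CodeQL or from the autofix) that scans a workflow for jobs whose `GITHUB_TOKEN` scope is set neither at workflow level nor per job, and then reports the effective scopes once the suggested `contents: read` baseline and a per-job override are in place. The workflow text is constructed (job ids taken from the diff, placeholder steps), the line-based parser assumes the conventional 2-space indentation the page's `ci.yml` uses, and `parse_permissions`, `effective_permissions`, `unscoped_jobs` and `write_scopes` are names chosen for this example.

```python
"""Heuristic check for CodeQL's "Workflow does not contain permissions".

Added example, not part of scala-cli, CodeQL or the Copilot autofix. It assumes
2-space YAML indentation (job ids at indent 2, job keys at indent 4) and avoids
a YAML library so it runs offline.
"""
from typing import Dict, List, Optional, Tuple

Perms = Optional[Dict[str, str]]

# Constructed sample: the state CodeQL flagged, no permissions block anywhere.
WORKFLOW_BEFORE = """\
name: CI
on:
  push:
  pull_request:
  workflow_dispatch:

concurrency:
  group: ${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
  native-windows-tests-1:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
  generate-windows-launcher:
    runs-on: windows-latest
    steps:
      - uses: actions/upload-artifact@v6
        with:
          name: windows-launcher
"""

# The autofix applied: a workflow-level read-only baseline after `name:`.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "name: CI\n", "name: CI\npermissions:\n  contents: read\n", 1)

# Constructed variant: baseline plus a per-job override for a hypothetical
# job that needs to push to the repository.
WORKFLOW_OVERRIDE = WORKFLOW_AFTER.replace(
    "  generate-windows-launcher:\n",
    "  generate-windows-launcher:\n    permissions:\n      contents: write\n", 1)


def parse_permissions(text: str) -> Tuple[Perms, Dict[str, Perms]]:
    """Return (workflow-level permissions or None, {job id: job permissions or None})."""
    top: Perms = None
    jobs: Dict[str, Perms] = {}
    in_jobs, job, block = False, None, None  # block: "top"/"job" inside a permissions: mapping

    def scalar(line: str) -> Dict[str, str]:
        # Shorthand forms such as `permissions: read-all` or `write-all`.
        return {"*": line.split(":", 1)[1].strip()}

    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:  # top-level key: leaves any job and any permissions mapping
            job, block, in_jobs = None, None, line == "jobs:"
            if line == "permissions:":
                top, block = {}, "top"
            elif line.startswith("permissions:"):
                top = scalar(line)
        elif in_jobs and indent == 2 and line.endswith(":"):  # a job id
            job, block = line[:-1], None
            jobs[job] = None
        elif job is not None and indent == 4:  # a key directly under the job
            block = None
            if line == "permissions:":
                jobs[job], block = {}, "job"
            elif line.startswith("permissions:"):
                jobs[job] = scalar(line)
        elif block is not None and ":" in line:  # scope: level inside a mapping
            key, _, value = line.partition(":")
            target = top if block == "top" else jobs[job]
            assert target is not None
            target[key.strip()] = value.strip()
    return top, jobs


def effective_permissions(text: str, job: str) -> Perms:
    """Job override if present, else the workflow-level block, else None
    (repository default, which CodeQL flags because it may be read-write)."""
    top, jobs = parse_permissions(text)
    own = jobs.get(job)
    return own if own is not None else top


def unscoped_jobs(text: str) -> List[str]:
    """Jobs that neither declare permissions nor inherit a workflow-level block."""
    top, jobs = parse_permissions(text)
    return [j for j, p in jobs.items() if top is None and p is None]


def write_scopes(text: str, job: str) -> List[str]:
    """Scopes the job's token explicitly holds at write level (a review aid)."""
    perms = effective_permissions(text, job) or {}
    return sorted(k for k, v in perms.items() if v in ("write", "write-all"))


if __name__ == "__main__":
    for label, wf in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER),
                      ("override", WORKFLOW_OVERRIDE)):
        print(f"{label}: unscoped jobs = {unscoped_jobs(wf)}")
        for j in parse_permissions(wf)[1]:
            print(f"  {j}: effective={effective_permissions(wf, j)} write={write_scopes(wf, j)}")
```

Running it prints both jobs as unscoped for the "before" workflow and none afterwards; in the override variant the launcher job reports `contents` at write level while the test job keeps the read-only baseline, which is the per-job pattern the comments describe. The check is a heuristic for hand-written workflows in the page's style, not a replacement for the CodeQL query.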
.github/workflows/ci.yml (outdated)
| @@ -1038,15 +874,15 @@ jobs: | |||
| SCALA_CLI_SODIUM_JNI_ALLOW: false | |||
| - name: Convert Mill test reports to JUnit XML format | |||
| if: success() || failure() | |||
| run: scala-cli shebang .github/scripts/generate-junit-reports.sc windows-tests-4 'Scala CLI Windows Tests (4)' test-report.xml out/ | |||
| run: scala-cli shebang .github/scripts/generate-junit-reports.sc windows-tests-lts 'Scala CLI Windows Tests (Scala 3 LTS)' test-report.xml out/ | |||
| - name: Upload test report | |||
| uses: actions/upload-artifact@v6 | |||
| if: success() || failure() | |||
| with: | |||
| name: test-results-windows-tests-4 | |||
| name: test-results-windows-tests-lts | |||
| path: test-report.xml | |||
|
|
|||
| native-windows-tests-5: | |||
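Review bot: the trailing `native-windows-tests-5:` still carries the old numeric suffix in a hunk that otherwise moves `windows-tests-4` to `windows-tests-lts`; per the commit message `*-5` becomes `*-rc`, so confirm the key is renamed to `native-windows-tests-rc` (or that its rename follows in a later hunk). The display title here was updated to `'Scala CLI Windows Tests (Scala 3 LTS)'` together with the id, which is the right pattern; also check that `test-results-windows-tests-lts` does not collide with another job's artifact name now that the numeric suffixes are gone.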
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 7 hours ago):
In general: define an explicit `permissions:` block either at the workflow root (applies to all jobs) or per job, setting the minimal scopes needed. Since the shown jobs only read repository contents and use artifacts, a global `contents: read` (and letting GitHub's defaults for other scopes remain read) is an appropriate baseline. If future jobs need additional rights, they can override permissions at the job level.

Best targeted fix here: add a workflow-level `permissions:` section right after the `on:` block (lines 2–9). This will cover `native-macos-arm64-tests-rc` (line 723) and all other jobs that don't explicitly override permissions. Use the least-privilege baseline suggested by CodeQL: `contents: read`. No other code or imports are needed, and this does not change any job steps or behavior, only the implicit `GITHUB_TOKEN` capabilities.

Concretely:
- Edit `.github/workflows/ci.yml`.
- After the `on:` section (after line 9: `workflow_dispatch:`), insert:

```yaml
permissions:
  contents: read
```

- Leave all jobs (`native-macos-arm64-tests-lts`, `native-macos-arm64-tests-rc`, `generate-windows-launcher`, etc.) unchanged.
| @@ -8,6 +8,9 @@ | ||
| pull_request: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.ref }} | ||
| cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} |
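Review bot: this second autofix proposes the same `permissions:` block after `workflow_dispatch:` that the earlier autofix placed after `name: CI`; apply exactly one of them, since two top-level `permissions` keys make the YAML invalid. Note also that once any `permissions:` key is declared, every scope not listed is set to `none` (only `metadata: read` remains), rather than left at the repository default as the comment above suggests, so a job that publishes releases or packages would need its own job-level `permissions:` override (for example `contents: write` or `packages: write`); the checkout, artifact and `secrets.GITHUB_TOKEN`-as-env-var steps shown in these hunks work under `contents: read`.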
No description provided.