4 changes: 2 additions & 2 deletions .github/workflows/add-documentation-to-repo.yaml
Expand Up @@ -24,7 +24,7 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 #v4.4.0
with:
node-version: ${{ matrix.node-version }}

Expand All @@ -49,7 +49,7 @@ jobs:
git checkout "${GITHUB_REF:11}"

- name: Start MongoDB
uses: step-security/mongodb-github-action@0b5e704ee1061d729c20e0df4204e69ba6ac6cee # v1.11.1
uses: step-security/mongodb-github-action@3160045518552049fae7e4ab834ad6f04836da49 # v1.12.0
with:
mongodb-version: ${{ matrix.mongodb-version }}

286 changes: 143 additions & 143 deletions .github/workflows/api-after-commit.yml
@@ -1,157 +1,157 @@
name: Guardian CI API Tests(after commit)
on:
push:
branches-ignore:
- 'dependabot/**'
push:
branches-ignore:
- 'dependabot/**'

jobs:
buildAndTest:
name: Build and Test
runs-on: ubuntu-latest
services:
cache:
image: registry.redict.io/redict
ports:
- 6379:6379
strategy:
matrix:
node-version: [ 20.18.1 ]
mongodb-version: [ 7.0.5 ]
steps:
- name: Harden Runner
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
buildAndTest:
name: Build and Test
runs-on: guardian-linux-medium
services:
cache:
image: registry.redict.io/redict
ports:
- 6379:6379
strategy:
matrix:
node-version: [ 20.18.1 ]
mongodb-version: [ 7.0.5 ]
steps:
- name: Harden Runner
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit

- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
with:
node-version: ${{ matrix.node-version }}
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 #v4.4.0
with:
node-version: ${{ matrix.node-version }}

- name: Setup Yarn
uses: Borales/actions-yarn@3766bb1335b98fb13c60eaf358fe20811b730a88 # v5.0.0
with:
cmd: install
- name: Setup Yarn
uses: Borales/actions-yarn@3766bb1335b98fb13c60eaf358fe20811b730a88 # v5.0.0
with:
cmd: install

- name: Install dependencies
run: yarn install
- name: Install dependencies
run: yarn install

- name: Build packages
run: |
# sudo apt-get update
# sudo apt-get install -y libgtk2.0-0 libgtk-3-0 libgbm-dev libnotify-dev libnss3 libxss1 libasound2 libxtst6 xauth xvfb
pushd interfaces
yarn run build
popd
pushd common
yarn run build
popd
pushd notification-service
yarn run build
popd
pushd logger-service
yarn run build
popd
pushd auth-service
yarn run build
popd
pushd queue-service
yarn run build
popd
pushd topic-listener-service
yarn run build
popd
pushd guardian-service
yarn run build
popd
pushd policy-service
yarn run build
popd
pushd worker-service
yarn run build
popd
pushd api-gateway
yarn run build
popd
- name: Build packages
run: |
# sudo apt-get update
# sudo apt-get install -y libgtk2.0-0 libgtk-3-0 libgbm-dev libnotify-dev libnss3 libxss1 libasound2 libxtst6 xauth xvfb
pushd interfaces
yarn run build
popd
pushd common
yarn run build
popd
pushd notification-service
yarn run build
popd
pushd logger-service
yarn run build
popd
pushd auth-service
yarn run build
popd
pushd queue-service
yarn run build
popd
pushd topic-listener-service
yarn run build
popd
pushd guardian-service
yarn run build
popd
pushd policy-service
yarn run build
popd
pushd worker-service
yarn run build
popd
pushd api-gateway
yarn run build
popd

- name: Start NatsMQ
uses: step-security/nats-action@0306fc1c4e4f49dbe4db5865a3135ab1516a5aee # v0.1.0
with:
port: '4222'
- name: Start NatsMQ
uses: step-security/nats-action@0306fc1c4e4f49dbe4db5865a3135ab1516a5aee # v0.1.0
with:
port: '4222'

- name: Start MongoDB
uses: step-security/mongodb-github-action@0b5e704ee1061d729c20e0df4204e69ba6ac6cee # v1.11.1
with:
mongodb-version: ${{ matrix.mongodb-version }}
- name: Start MongoDB
uses: step-security/mongodb-github-action@3160045518552049fae7e4ab834ad6f04836da49 # v1.12.0
with:
mongodb-version: ${{ matrix.mongodb-version }}

- name: Run Guardian
run: |
pushd notification-service
npm start &
sleep 20
popd
pushd logger-service
npm start &
sleep 20
popd
pushd auth-service
npm start &
sleep 20
popd
pushd guardian-service
npm start &
sleep 20
popd
pushd policy-service
npm start &
sleep 20
popd
pushd queue-service
npm start &
sleep 20
popd
pushd topic-listener-service
npm start &
sleep 20
popd
pushd worker-service
npm start &
npm start &
npm start &
npm start &
npm start &
sleep 20
popd
pushd api-gateway
npm start &
sleep 20
popd
sleep 60
env:
CI: true
OPERATOR_ID: ${{ secrets.CI_HEDERA_ACCOUNT }}
OPERATOR_KEY: ${{ secrets.CI_HEDERA_PRIV_KEY }}
JWT_PRIVATE_KEY: ${{ secrets.CI_JWT_PRIVATE_KEY }}
JWT_PUBLIC_KEY: ${{ secrets.CI_JWT_PUBLIC_KEY }}
IPFS_NODE_ADDRESS: http://localhost:5001
IPFS_PROVIDER: web3storage
IPFS_PUBLIC_GATEWAY: https://dweb.link/ipfs/${cid}
IPFS_STORAGE_KEY: ${{ secrets.E2E_IPFS_STORAGE_KEY }}
IPFS_STORAGE_PROOF: ${{ secrets.E2E_IPFS_STORAGE_PROOF }}
ACCESS_TOKEN_UPDATE_INTERVAL: 600000
- name: Run Guardian
run: |
pushd notification-service
npm start &
sleep 20
popd
pushd logger-service
npm start &
sleep 20
popd
pushd auth-service
npm start &
sleep 20
popd
pushd guardian-service
npm start &
sleep 20
popd
pushd policy-service
npm start &
sleep 20
popd
pushd queue-service
npm start &
sleep 20
popd
pushd topic-listener-service
npm start &
sleep 20
popd
pushd worker-service
npm start &
npm start &
npm start &
npm start &
npm start &
sleep 20
popd
pushd api-gateway
npm start &
sleep 20
popd
sleep 60
env:
CI: true
OPERATOR_ID: ${{ secrets.CI_HEDERA_ACCOUNT }}
OPERATOR_KEY: ${{ secrets.CI_HEDERA_PRIV_KEY }}
JWT_PRIVATE_KEY: ${{ secrets.CI_JWT_PRIVATE_KEY }}
JWT_PUBLIC_KEY: ${{ secrets.CI_JWT_PUBLIC_KEY }}
IPFS_NODE_ADDRESS: http://localhost:5001
IPFS_PROVIDER: web3storage
IPFS_PUBLIC_GATEWAY: https://dweb.link/ipfs/${cid}
IPFS_STORAGE_KEY: ${{ secrets.E2E_IPFS_STORAGE_KEY }}
IPFS_STORAGE_PROOF: ${{ secrets.E2E_IPFS_STORAGE_PROOF }}
ACCESS_TOKEN_UPDATE_INTERVAL: 600000

- name: Run tests with Cypress
run: |
pushd e2e-tests
npm install
npx cypress run --env "portApi=3002,operatorId=${{ secrets.CI_HEDERA_ACCOUNT }},operatorKey=${{ secrets.CI_HEDERA_PRIV_KEY }},grepTags=smoke,grepFilterSpecs=true" --spec "cypress/e2e/api-tests/**/*.cy.js" --browser chrome
popd
- name: Run tests with Cypress
run: |
pushd e2e-tests
npm install
npx cypress run --env "portApi=3002,operatorId=${{ secrets.CI_HEDERA_ACCOUNT }},operatorKey=${{ secrets.CI_HEDERA_PRIV_KEY }},grepTags=smoke,grepFilterSpecs=true" --spec "cypress/e2e/api-tests/**/*.cy.js" --browser chrome
popd

- name: Publish API Test Results
uses: step-security/publish-unit-test-result-action@cc82caac074385ae176d39d2d143ad05e1130b2d # v2.18.0
if: always()
with:
files: e2e-tests/cypress/test_results/**/*.xml
- name: Publish API Test Results
uses: step-security/publish-unit-test-result-action@cc82caac074385ae176d39d2d143ad05e1130b2d # v2.18.0
if: always()
with:
files: e2e-tests/cypress/test_results/**/*.xml
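Review bot: The "Run tests with Cypress" step still interpolates `secrets.CI_HEDERA_ACCOUNT` and `secrets.CI_HEDERA_PRIV_KEY` straight into the `npx cypress run --env "..."` argument list, and with `runs-on` now pointing at the self-hosted label `guardian-linux-medium` that private key sits in the host's process table for the length of the run and lands verbatim in any shell trace or crash dump. Passing the two values through the step's `env:` block and expanding them as shell variables keeps them out of argv, and matches how the "Run Guardian" step already supplies `OPERATOR_ID`/`OPERATOR_KEY`. Separately, `pushd worker-service` is followed by five `npm start &` lines (in both old and new text); if that is meant to launch five worker instances, a comment such as `# start five worker-service instances` would stop it reading as a paste error. It is also worth confirming that Harden Runner's `egress-policy: audit` takes effect on a self-hosted label, since its self-hosted support has prerequisites the hunk does not show.
```yaml
# … unchanged: earlier steps …
- name: Run tests with Cypress
  run: |
    pushd e2e-tests
    npm install
    npx cypress run --env "portApi=3002,operatorId=${OPERATOR_ID},operatorKey=${OPERATOR_KEY},grepTags=smoke,grepFilterSpecs=true" --spec "cypress/e2e/api-tests/**/*.cy.js" --browser chrome
    popd
  env:
    OPERATOR_ID: ${{ secrets.CI_HEDERA_ACCOUNT }}
    OPERATOR_KEY: ${{ secrets.CI_HEDERA_PRIV_KEY }}
# … unchanged: Publish API Test Results step …
```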
Comment on lines +9 to +157

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 9 months ago

To fix the problem, add a permissions block to the workflow file. This can be done at the top level (applies to all jobs) or at the job level (applies to a specific job). Since there is only one job (buildAndTest), either location is acceptable, but adding it at the top level is clearer and future-proof. The minimal permission required for most CI workflows is contents: read, unless a step requires more (e.g., publishing releases, creating issues). Review of the workflow steps shows no need for write access, so contents: read is sufficient. The permissions block should be added after the name and on keys, before jobs.

What to change:

  • In .github/workflows/api-after-commit.yml, add the following block after the name and before on:
    permissions:
      contents: read
  • No new imports, methods, or definitions are needed.

Suggested changeset 1
.github/workflows/api-after-commit.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/api-after-commit.yml b/.github/workflows/api-after-commit.yml
--- a/.github/workflows/api-after-commit.yml
+++ b/.github/workflows/api-after-commit.yml
@@ -1,2 +1,4 @@
 name: Guardian CI API Tests(after commit)
+permissions:
+  contents: read
 on:
EOF
@@ -1,2 +1,4 @@
name: Guardian CI API Tests(after commit)
permissions:
contents: read
on: