
@pmarusz (Contributor) commented Sep 16, 2025

No description provided.

Copilot AI review requested due to automatic review settings September 16, 2025 12:54

Copilot AI left a comment


Pull Request Overview

This pull request updates GitHub Actions workflows to use centralized workflow files from the intel/mfd repository instead of local implementations. The changes streamline CI/CD processes by leveraging reusable workflows while maintaining the same functionality for testing, building, and code quality checks.

  • Replaced local workflow implementations with calls to centralized workflows in intel/mfd/.github/workflows/
  • Added new workflow files for dependency review, PR format validation, and code standard checking
  • Updated workflow parameters to match the new centralized workflow interfaces

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Summary per file:
  • .github/workflows/run_tests.yml: New workflow calling centralized test runner with matrix strategy for OS and Python versions
  • .github/workflows/pull_request.yml: New workflow for PR builds using centralized build workflow
  • .github/workflows/manual_release.yml: Simplified release workflow using centralized release process with updated matrix configuration
  • .github/workflows/main.yml: New main branch CI workflow using centralized build process
  • .github/workflows/dependency_review.yml: New workflow for dependency security review
  • .github/workflows/codeql.yml: Simplified CodeQL workflow using centralized analysis with language matrix
  • .github/workflows/check_pr_format.yml: New workflow for PR title and commit validation
  • .github/workflows/check_code_standard.yml: New workflow for code quality standard checks
  • .github/dependency_review.yml: Configuration file for dependency review settings
  • .github/dependabot.yml: Configuration for automated dependency updates


Comment on lines +9 to +12
uses: intel/mfd/.github/workflows/check_pr_format.yml@main
with:
REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
BRANCH_NAME: ${{ github.head_ref }}
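Review bot: both inputs here are chosen by whoever opens the pull request: `github.event.pull_request.head.repo.full_name` names the fork and `github.head_ref` is the branch name, which may contain quotes, `$(` or backticks. That is safe while the called workflow only places them in `repository:`/`ref:` of `actions/checkout` or in `env:`, and becomes script injection the moment it writes `${{ inputs.BRANCH_NAME }}` into a `run:` or `script:` body, so this caller should document that contract or pass a sanitized value. The `@main` reference also means any push to intel/mfd changes this repository's PR gate without a PR here; pin to a tag or commit SHA unless tracking main is deliberate.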

Check warning (Code scanning / CodeQL): Workflow does not contain permissions [Medium]

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 4 months ago):

To fix the problem, you should explicitly specify the minimal permissions required at either the workflow or job level. Since the workflow check_pr_format.yml only delegates to a reusable workflow, it is best to set the permissions at the top/root level to ensure coverage for all jobs (unless individual jobs need different permissions, which is not indicated here). For pull request validation tasks, contents: read is generally sufficient unless the reusable workflow requires additional privileges (such as pull-requests: write). Absent further evidence, the minimal safe default is to set contents: read. Add the following lines near the top of the workflow, after the name: and before on: keys:

permissions:
  contents: read

If needed, you can adjust the permissions later based on actual requirements of the workflow.


Suggested changeset 1: .github/workflows/check_pr_format.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/check_pr_format.yml b/.github/workflows/check_pr_format.yml
--- a/.github/workflows/check_pr_format.yml
+++ b/.github/workflows/check_pr_format.yml
@@ -1,4 +1,6 @@
 name: Title + Commit Validation
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
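Review bot: the block is valid where the patch puts it (between `name:` and `on:`), and for a workflow that only calls a reusable workflow it also caps the callee, because a called workflow can lower the token's permissions but never raise them above the caller's grant. Check what `check_pr_format.yml` in intel/mfd actually does with `GITHUB_TOKEN` before applying `contents: read` alone: if it comments on or labels the PR, `pull-requests: write` has to be granted here, otherwise the remote job fails at runtime with a 403 instead of at review time.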

jobs:
dependency_review:
uses: intel/mfd/.github/workflows/dependency_review.yml@main
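Review bot: same `@main` concern as for `check_pr_format.yml`, with higher stakes, since this is the job that inspects dependency changes in PRs; reference a commit SHA or release tag so that an unreviewed push to intel/mfd cannot change the checker itself. The alert below can also be silenced with a job-level `permissions:` block on `dependency_review`, which is allowed for jobs that use a reusable workflow.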

Check warning (Code scanning / CodeQL): Workflow does not contain permissions [Medium]

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 4 months ago):

To fix this issue, you should explicitly set the permissions block at the top level of the workflow file (recommended) or at the job level. Since this workflow simply calls a reusable workflow and does not appear to require more than read-only permissions, you should set the permissions to the least privilege required, typically contents: read. If you know that the called workflow requires more permissions (such as for PRs), you may add those specifically. Place the following block at the top level (just after name: and before on:):

permissions:
  contents: read

Edit .github/workflows/dependency_review.yml and insert the above block after the name: line (line 2).


Suggested changeset 1: .github/workflows/dependency_review.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
--- a/.github/workflows/dependency_review.yml
+++ b/.github/workflows/dependency_review.yml
@@ -1,4 +1,6 @@
 name: Dependency Review
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
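Review bot: `contents: read` is the right minimum for `actions/dependency-review-action`, which only reads the diff through the API; its `comment-summary-in-pr` mode additionally needs `pull-requests: write`, so confirm which mode the centralized `dependency_review.yml` uses and grant that scope here if the PR comment is wanted. The `.github/dependency_review.yml` configuration file listed in the summary is a separate file and is not touched by this patch.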
@intel deleted four comments from mfd-intel-bot Sep 16, 2025
@pmarusz closed this Sep 16, 2025
@pmarusz reopened this Sep 19, 2025
@pmarusz force-pushed the update-workflow branch 3 times, most recently from a92eeb3 to ad7be0d (September 19, 2025 08:17)
@pmarusz force-pushed the update-workflow branch 9 times, most recently from 4aa4ae9 to 59af696 (September 22, 2025 08:02)
@pmarusz force-pushed the update-workflow branch 3 times, most recently from e488d09 to b2f2cb3 (October 1, 2025 10:36)
mchromin previously approved these changes Oct 1, 2025
mchromin previously approved these changes Oct 2, 2025
@@ -1 +1,2 @@
-r requirements-test.txt
-r requirements-test.txt
git+https://github.com/intel/mfd-code-quality.git@${GITHUB_HEAD_REF}
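Review bot: pip does expand `${GITHUB_HEAD_REF}` in a requirements file, but that variable is only set on `pull_request`/`pull_request_target` runs; on a `push` build of main it is empty, so the line turns into `git+https://github.com/intel/mfd-code-quality.git@` with no ref, and on a developer machine it is undefined as well. Since the build workflow already installs the checked-out tree with `pip install .`, drop this line from `requirements-dev.txt` or pin it to a fixed tag.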
Contributor (review comment on the hunk above):
It doesn't work when we call pip install -r req-dev.txt for IDE purposes.

Comment on lines 48 to 148
name: ${{ inputs.JOB_NAME }}
runs-on: ${{ inputs.RUNS_ON }}
steps:
- uses: actions/checkout@v4
with:
fetch-tags: true
fetch-depth: 0
path: ${{ inputs.SOURCE_PATH }}
ref: ${{ inputs.BRANCH_NAME }}
repository: ${{ inputs.REPOSITORY_NAME }}

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ inputs.PYTHON_VERSION }}
cache: 'pip'

- name: Version bumping
id: VERSION_BUMP
if: inputs.RELEASE_BUILD == true
env:
GIT_AUTHOR_NAME: ${{ inputs.GIT_USER }}
GIT_AUTHOR_EMAIL: ${{ inputs.GIT_EMAIL }}
GIT_COMMITTER_NAME: ${{ inputs.GIT_USER }}
GIT_COMMITTER_EMAIL: ${{ inputs.GIT_EMAIL }}
shell: bash
run: |
python -m pip install --upgrade pip
python -m venv bump_version
source bump_version/bin/activate
pip install python-semantic-release~=10.2
pip install -r ${{ inputs.SOURCE_PATH }}/requirements-dev.txt
pip install ./${{ inputs.SOURCE_PATH }}
mfd-create-config-files --project-dir ./${{ inputs.SOURCE_PATH }}
cd ${{ inputs.SOURCE_PATH }}
version_after_bump=$(semantic-release version --print | tail -n 1 | tr -d '\n')
version_from_tag=$(git describe --tags --abbrev=0 | tr -d '\n' | sed 's/^v//')
echo "Version after semantic-release bump is: ${version_after_bump}"
echo "Version from tag: ${version_from_tag}"
# Only check version equality if RELEASE_BUILD is true
if [ "${{ inputs.RELEASE_BUILD }}" == "true" ]; then
if [ "$version_after_bump" == "$version_from_tag" ]; then
echo "Version would not change: version_after_bump=${version_after_bump}, version_from_tag=${version_from_tag}"
exit 1
fi
fi
semantic-release version --no-push --no-vcs-release
cat pyproject.toml
echo "version_after_bump=v${version_after_bump}" >> $GITHUB_OUTPUT
- name: Create virtual environment for whl creation
shell: bash
- name: Show python version
run: python --version

- name: Run mfd-create-config-files
run: |
python -m venv whl_creation
source whl_creation/bin/activate
pip install build==1.2.2.post1
cd ${{ inputs.SOURCE_PATH }}
../whl_creation/bin/python -m build --wheel --outdir ../whl_creation/dist
ls -l ../whl_creation/dist
pip install -r requirements-dev.txt
pip install .
mfd-create-config-files --project-dir .
- name: Determine if unit and functional tests should run
id: test_check
shell: bash
- name: Check if bump version is expected
run: |
REPO_NAME=$(echo "${{ inputs.PROJECT_NAME }}")
echo "Repository name extracted: $REPO_NAME"
if [ "${{ inputs.RELEASE_BUILD }}" = "false" ]; then
COMMIT_MSG=$(git log -1 --pretty=%B)
UNIT_TEST_DIR="${{ inputs.SOURCE_PATH }}/tests/unit/test_$(echo "${REPO_NAME}" | tr '-' '_')"
FUNC_TEST_DIR="${{ inputs.SOURCE_PATH }}/tests/system/test_$(echo "${REPO_NAME}" | tr '-' '_')"
if [ -d "$UNIT_TEST_DIR" ]; then
echo "Unit tests directory exists: $UNIT_TEST_DIR"
echo "run_unit_tests=true" >> $GITHUB_OUTPUT
else
echo "Unit tests directory does not exist: $UNIT_TEST_DIR"
echo "run_unit_tests=false" >> $GITHUB_OUTPUT
fi
if [ -d "$FUNC_TEST_DIR" ]; then
echo "Functional tests directory exists: $FUNC_TEST_DIR"
echo "run_functional_tests=true" >> $GITHUB_OUTPUT
if echo "$COMMIT_MSG" | grep -Ei '^(docs|build|test|ci|refactor|perf|chore|revert):\s'; then
echo "CREATE_WHL=false" >> $GITHUB_ENV
echo "No version bump needed for commit message: $COMMIT_MSG, ending job"
else
echo "CREATE_WHL=true" >> $GITHUB_ENV
echo "Version bump needed for commit message: $COMMIT_MSG, continuing job"
fi
else
echo "Functional tests directory does not exist: $FUNC_TEST_DIR"
echo "run_functional_tests=false" >> $GITHUB_OUTPUT
echo "Skipping potential bump version check for release build"
echo "CREATE_WHL=true" >> $GITHUB_ENV
fi
- name: Install dependencies for tests
if: steps.test_check.outputs.run_unit_tests == 'true' || steps.test_check.outputs.run_functional_tests == 'true'
shell: bash
run: |
python -m venv test_env
source test_env/bin/activate
python -m pip install -r "${{ inputs.SOURCE_PATH }}/requirements.txt" -r "${{ inputs.SOURCE_PATH }}/requirements-test.txt" -r "${{ inputs.SOURCE_PATH }}/requirements-dev.txt"
python -m pip install ./${{ inputs.SOURCE_PATH }}
- name: Run python-semantic-release without version bump - force patch bump
if: env.CREATE_WHL == 'false'
uses: python-semantic-release/python-semantic-release@v10.3.1
with:
build: true
vcs_release: false
push: false
strict: true
force: patch

- name: Run unit tests if test directory exists
if: steps.test_check.outputs.run_unit_tests == 'true'
shell: bash
run: |
source test_env/bin/activate
mfd-unit-tests --project-dir ${{ github.workspace }}/${{ inputs.SOURCE_PATH }}
- name: Run python-semantic-release
if: env.CREATE_WHL == 'true'
uses: python-semantic-release/python-semantic-release@v10.3.1
with:
build: true
vcs_release: false
push: false
strict: true

- name: Run functional tests if test directory exists
if: steps.test_check.outputs.run_functional_tests == 'true'
- name: Check if .whl is installable
shell: bash
run: |
source test_env/bin/activate
mfd-system-tests --project-dir ${{ github.workspace }}/${{ inputs.SOURCE_PATH }}
python -m pip install dist/*.whl
- name: Publish package distributions to PyPI
if: ${{ inputs.RELEASE_BUILD == true && inputs.UPLOAD_PACKAGE == true }}
if: ${{ inputs.RELEASE_BUILD == true && inputs.RELEASE_STEPS == true }}
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: 'whl_creation/dist'
packages-dir: 'dist'
password: ${{ secrets.PYPI_TOKEN }}

- name: Publish comment how to build .whl
if: inputs.RELEASE_BUILD == false
if: inputs.RELEASE_BUILD == false && (github.event.pull_request != null && github.event.pull_request.head.repo.full_name == github.repository) # skip for forks
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GH_TOKEN }}
script: |
const prNumber = context.payload.pull_request.number;
const commentBody = "We don't publish DEVs .whl.\n To build .whl, run 'pip install git+https://github.com/${{ inputs.REPOSITORY_NAME }}@${{ inputs.BRANCH_NAME }}'";
await github.rest.issues.createComment({
const commentBody = "We don't publish DEVs .whl.\n To build .whl, run 'pip install git+https://${{ inputs.REPOSITORY_NAME }}@${{ inputs.BRANCH_NAME }}'";
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
body: commentBody
});
- name: Push git tag after version bump
if: ${{ inputs.RELEASE_BUILD == true && inputs.PUSH_TAG == true }}
shell: bash
env:
GIT_AUTHOR_NAME: ${{ inputs.GIT_USER }}
GIT_AUTHOR_EMAIL: ${{ inputs.GIT_EMAIL }}
GIT_COMMITTER_NAME: ${{ inputs.GIT_USER }}
GIT_COMMITTER_EMAIL: ${{ inputs.GIT_EMAIL }}
version_after_bump: ${{ steps.VERSION_BUMP.outputs.version_after_bump }}
run: |
cd ${{ inputs.SOURCE_PATH }}
git push origin "${version_after_bump}"
const alreadyCommented = comments.some(comment => comment.body === commentBody);
if (!alreadyCommented) {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
body: commentBody
});
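Review bot: the `github-script` step splices `${{ inputs.REPOSITORY_NAME }}` and `${{ inputs.BRANCH_NAME }}` straight into a JavaScript string literal (`'pip install git+https://...@${{ inputs.BRANCH_NAME }}'`); on `pull_request` runs those values are `head.repo.full_name` and `github.head_ref`, so a branch name containing `"` or a backtick ends the literal and the remainder runs as JS with `secrets.GH_TOKEN` in scope. The fork guard on the step's `if:` limits this to branches in the same repository, i.e. to collaborators, but it is still code injection; set both values as `env:` on the step and read `process.env.REPOSITORY_NAME` and `process.env.BRANCH_NAME` in the script. The two renderings of that line also disagree on whether `github.com/` precedes the repository, and with `REPOSITORY_NAME` set to `owner/repo` only the form with the host is an installable URL. Two smaller points: `python-semantic-release@v10.3.1`, `actions/checkout@v4` and `actions/setup-python@v5` are tag references while Coveralls in `run_tests.yml` is SHA-pinned, so pick one policy; and `pypa/gh-action-pypi-publish` with `password: ${{ secrets.PYPI_TOKEN }}` keeps a long-lived token in the repository where trusted publishing (`id-token: write`, no password) would not.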

Check warning (Code scanning / CodeQL): Workflow does not contain permissions [Medium]

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 4 months ago):

The best way to fix this problem is to add an explicit permissions block to the workflow. For a reusable workflow like this, placing it at the workflow root (just after the on: block and before jobs) ensures all jobs inherit these default least-privilege permissions unless overridden.
The workflow steps do not need repository write access, but they do interact with pull requests (commenting), which requires pull-requests: write. Most other steps (checkout, reading code, uploading to PyPI) only require contents: read.
Implementation:
Edit .github/workflows/build_upload_whl.yml and, after the name and on: sections (e.g., right before jobs: at line 49), add:

permissions:
  contents: read
  pull-requests: write

This reduces GitHub token permissions to the minimum needed for the workflow: read access to repository contents and write access to pull request comments.

Suggested changeset 1: .github/workflows/build_upload_whl.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_upload_whl.yml b/.github/workflows/build_upload_whl.yml
--- a/.github/workflows/build_upload_whl.yml
+++ b/.github/workflows/build_upload_whl.yml
@@ -47,6 +47,9 @@
         default: 'build_whl'
         type: string
 
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   build_whl:
     name: ${{ inputs.JOB_NAME }}
EOF
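Review bot: `pull-requests: write` is granted to the wrong credential: the comment step authenticates with `secrets.GH_TOKEN`, a PAT supplied by the caller, not with `GITHUB_TOKEN`, so the autofix's reasoning does not apply and that scope can be dropped. What `GITHUB_TOKEN` does need on release builds is `contents: write`, because `actions/checkout` is given no token and the `Push git tag after version bump` step pushes with the credentials checkout persisted; with this patch applied unchanged that push is rejected. The cleanest fix is to hand `secrets.GH_TOKEN` to checkout as well and keep `GITHUB_TOKEN` at `contents: read`; either way the callers (`main.yml`, `pull_request.yml`) must grant at least what this workflow uses, since a reusable workflow cannot exceed its caller's permissions.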
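The autofix comments above keep circling the same three questions about these workflows: is there a root-level `permissions` block, are caller- or PR-controlled values (`github.head_ref`, `inputs.*`) pasted into `run:`/`script:` bodies, and are `uses:` references pinned. The scanner below is an added example written for this review thread; it is not code from intel/mfd or mfd-code-quality and models none of their internals. It needs only the Python standard library and works on the text of a workflow with regular expressions rather than a YAML parser, and the two workflows it scans are constructed for the example (`example-org/shared` and the 40-hex pins are invented placeholders, not real repositories or commits). What it cannot see is the caller/callee relationship: a reusable workflow's `permissions` can only lower what the caller granted, so the root-level block belongs in the caller as well.

```python
"""Scan GitHub Actions workflow text for the three things raised in this thread:
no root-level permissions block, untrusted ${{ }} contexts pasted into run:/script:
bodies, and uses: references that float on a branch or tag.

Added example for this review, not code from intel/mfd or mfd-code-quality. It is a
line-oriented regex scan (no YAML parser): fine for the usual block layout of workflow
files, not for flow mappings or anchors. The sample workflows are constructed and
their 40-hex pins are placeholders, not real commits."""
import re

# Contexts chosen by whoever opens a PR (head_ref, PR title/body) or, in a reusable
# workflow, by any caller (inputs.*). Pasted via ${{ }} into a shell or JS body they
# become source text, so a quote or backtick in a branch name escapes the literal.
UNTRUSTED_CONTEXT_RE = re.compile(
    r"\$\{\{[^}]*\b("
    r"github\.head_ref"
    r"|github\.event\.pull_request\.(title|body|head\.ref|head\.repo\.full_name)"
    r"|github\.event\.(issue|comment|review)\.body"
    r"|inputs\.[A-Za-z_]\w*"
    r")\b[^}]*\}\}"
)
KEY_RE = re.compile(r"^(?:-\s+)?(run|script):\s*(.*)$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text):
    """Return (line, category, detail) tuples; line 0 means the whole file."""
    findings, lines = [], text.splitlines()
    # GITHUB_TOKEN keeps the repository default unless the workflow (or every job)
    # declares permissions; only the root form at column 0 is checked here.
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append((0, "permissions", "no root-level permissions block"))
    in_script, script_indent = False, 0
    for num, ln in enumerate(lines, start=1):
        stripped = ln.lstrip()
        indent = len(ln) - len(stripped)
        if in_script and stripped and indent <= script_indent:
            in_script = False  # block scalar ended: line not indented past its key
        key = KEY_RE.match(stripped)
        if key:  # "run: |", "- run: cmd", "script: |"
            script_indent = indent + len(stripped) - len(stripped.lstrip("- "))
            in_script = key.group(2).startswith(("|", ">"))
        # An inline value is checked directly; a block scalar line by line. Values
        # in with:/env: are deliberately not flagged: that is the safe place for them.
        body = key.group(2) if key else (ln if in_script else None)
        for m in UNTRUSTED_CONTEXT_RE.finditer(body or ""):
            findings.append((num, "injection", "untrusted context in body: " + m.group(0)))
        uses = USES_RE.match(ln)
        if not uses or uses.group(1).startswith(("./", "docker://")):
            continue  # no uses:, or a local path/image that is versioned elsewhere
        ref = uses.group(1).strip("'\"")
        version = ref.rpartition("@")[2] if "@" in ref else ""
        if version in ("main", "master"):
            findings.append((num, "pin", ref + " follows a branch"))
        elif not SHA_RE.match(version):  # a tag can be moved; a commit SHA cannot
            findings.append((num, "pin", ref + " is not pinned to a commit SHA"))
    return findings


# Constructed sample: the patterns from the PR under review, in their weak form.
WEAK_WORKFLOW = """\
on: pull_request
jobs:
  build:
    uses: example-org/shared/.github/workflows/build.yml@main
    with:
      BRANCH_NAME: ${{ github.head_ref }}
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "built ${{ github.head_ref }}"
      - uses: actions/github-script@v7
        with:
          script: |
            const body = "pip install git+https://github.com/${{ github.repository }}@${{ github.head_ref }}";
"""

# Constructed sample: the same workflow hardened. The SHAs are placeholders.
HARDENED_WORKFLOW = """\
on: pull_request
permissions:
  contents: read
jobs:
  build:
    uses: example-org/shared/.github/workflows/build.yml@0123456789abcdef0123456789abcdef01234567
    with:
      BRANCH_NAME: ${{ github.head_ref }}
  comment:
    runs-on: ubuntu-latest
    env:
      HEAD_REF: ${{ github.head_ref }}
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - run: echo "built $HEAD_REF"
      - uses: actions/github-script@0123456789abcdef0123456789abcdef01234567  # v7 (placeholder SHA)
        with:
          script: |
            const body = `pip install git+https://github.com/${process.env.GITHUB_REPOSITORY}@${process.env.HEAD_REF}`;
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, *(f"  line {n}: [{c}] {d}" for n, c, d in check_workflow(wf)), sep="\n")
```

Run as a script, the weak workflow yields one permissions finding, two injection findings (the inline `run:` and the `github-script` body) and three pin findings (`@main`, `@v4`, `@v7`); the hardened one yields none. The hardened form is the one to copy into this PR: `permissions: contents: read` at the root, untrusted values handed to `env:` and read back as `$HEAD_REF` or `process.env.HEAD_REF`, and every `uses:` pinned to a commit with the tag kept in a trailing comment so Dependabot can still move the pin.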
Comment on lines +10 to +23
strategy:
fail-fast: false
matrix:
python_version: ['3.10', '3.13']
if: github.actor != 'mfd-intel-bot'
uses: ./.github/workflows/build_upload_whl.yml
secrets:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
with:
REPOSITORY_NAME: ${{ github.repository }}
BRANCH_NAME: ${{ github.ref_name }}
PYTHON_VERSION: ${{ matrix.python_version }}
RELEASE_BUILD: true
PROJECT_NAME: 'mfd-code-quality'
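Review bot: `if: github.actor != 'mfd-intel-bot'` is the loop breaker for the bot's own release commits; it keys on who pushed rather than on what was pushed, so a human pushing the bot's release commit triggers a second release build, and a `paths-ignore` on `pyproject.toml`/`CHANGELOG.md` or the built-in `[skip ci]` marker in the release commit message is more robust. Because `RELEASE_BUILD: true` runs on every push to the default branch with `secrets: GH_TOKEN` in scope, confirm that the PAT is a fine-grained token limited to this repository with `contents` write only, and keep the `permissions` block the alert below asks for so that `GITHUB_TOKEN` itself stays read-only.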

Check warning (Code scanning / CodeQL): Workflow does not contain permissions [Medium]

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 4 months ago):

To fix this problem, add a permissions block specifying least-privilege required for the job. This can be done either for the whole workflow (top-level root, right after name: and before on:) or per job (under the job definition). For maintainability and clarity, setting it at the root is recommended unless individual jobs need different permissions.

The minimal starting point is permissions: {} (which gives no access); in practice, you should grant only the privilege needed, such as contents: read, and more only if needed (e.g., issues: write, pull-requests: write). If the workflow only needs read access, use contents: read. If it uploads to releases or creates pull requests, add necessary write scopes.

Where to change:
Insert a permissions: block after name: CI Build (line 1).
If you later discover a job needs more privs, adjust accordingly.


Suggested changeset 1: .github/workflows/main.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,4 +1,6 @@
 name: CI Build
+permissions:
+  contents: read
 
 on:
   push:
EOF
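Review bot: in `main.yml` the root-level `contents: read` also caps the reusable `build_upload_whl.yml`, whose tag push on release builds goes through `GITHUB_TOKEN` via the credentials `actions/checkout` persists (checkout there receives no PAT); apply this patch only together with a fix on the callee side (checkout with `secrets.GH_TOKEN`), or add a `contents: write` grant on the `build_whl` job here. Keep any write grant at job level: a root-level write would also reach every job added to this file later.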
Comment on lines 29 to 54
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest]
python_version: ['3.10', '3.13']
runs-on: "ubuntu-latest"
outputs:
run_unit_tests: ${{ steps.tests_path_existence.outputs.run_unit_tests }}
run_functional_tests: ${{ steps.tests_path_existence.outputs.run_functional_tests }}
steps:
- name: Checkout this repository
uses: actions/checkout@v4
with:
path: ${{ inputs.SOURCE_PATH }}
- name: Determine if unit and functional tests should run
id: tests_path_existence
shell: bash
run: |
UNIT_TEST_DIR="${{ inputs.SOURCE_PATH }}/tests/unit/test_$(echo "${{ inputs.PROJECT_NAME }}" | tr '-' '_')"
FUNC_TEST_DIR="${{ inputs.SOURCE_PATH }}/tests/system/test_$(echo "${{ inputs.PROJECT_NAME }}" | tr '-' '_')"
if [ -d "$UNIT_TEST_DIR" ]; then
echo "Unit tests directory exists: $UNIT_TEST_DIR"
echo "run_unit_tests=true" >> $GITHUB_OUTPUT
else
echo "Unit tests directory does not exist: $UNIT_TEST_DIR"
echo "run_unit_tests=false" >> $GITHUB_OUTPUT
fi
if [ -d "$FUNC_TEST_DIR" ]; then
echo "Functional tests directory exists: $FUNC_TEST_DIR"
echo "run_functional_tests=true" >> $GITHUB_OUTPUT
else
echo "Functional tests directory does not exist: $FUNC_TEST_DIR"
echo "run_functional_tests=false" >> $GITHUB_OUTPUT
fi
run_ft_tests:
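Review bot: `get_tests_to_run` declares an `os` × `python_version` matrix but runs on a fixed `ubuntu-latest` and never reads `matrix.*`, so the directory check executes four times and the job outputs come from whichever matrix instance finishes last; drop the `strategy:` from this job. `${{ inputs.PROJECT_NAME }}` is also expanded by the expression engine into the shell script; an input is caller-supplied, so put it in `env:` and reference `"$PROJECT_NAME"` to keep a value with spaces or quotes from rewriting the script.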

Check warning (Code scanning / CodeQL): Workflow does not contain permissions [Medium]

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 4 months ago):

To fix the problem, add an explicit permissions: block at the top/root of the workflow (just after the name: or after the on: block but before jobs:), specifying the minimal access rights required. In this case, as all jobs fetch code and possibly post to Coveralls, the minimal required permission is likely contents: read. This will enforce the principle of least privilege for all jobs in the workflow (get_tests_to_run, run_ft_tests, and run_ut_tests). Coveralls may require additional permissions for advanced features, but for badge generation and status posting it only needs contents: read unless otherwise documented.

No further code or import changes are required outside of adding this permissions YAML block.

Suggested changeset 1: .github/workflows/run_tests.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
--- a/.github/workflows/run_tests.yml
+++ b/.github/workflows/run_tests.yml
@@ -1,5 +1,8 @@
 name: Run Tests (ut + ft)
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [opened, synchronize]
EOF
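Review bot: this is the first of three identical changesets for `run_tests.yml` (CodeQL raises one alert per job); apply exactly one, since a second `permissions:` key at the root is a duplicate mapping key and the workflow no longer parses. `contents: read` is sufficient for all three jobs: Coveralls uploads coverage to coveralls.io with the token it is handed and writes nothing to the repository.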
Comment on lines 67 to 79
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest]
python_version: ['3.10', '3.13']
name: run_ft_tests_${{ matrix.os }}
needs: get_tests_to_run
if: ${{ needs.get_tests_to_run.outputs.run_functional_tests == 'true' }}
runs-on: ${{ matrix.os }}
steps:
- name: Checkout this repository
uses: actions/checkout@v4
with:
path: current_repo
- uses: ./current_repo/.github/prepare_test_env
with:
PYTHON_VERSION: ${{ matrix.python_version }}
- name: Run Functional Tests
shell: bash
run: |
source ${{ inputs.VIRTUALENV_PATH }}/*/activate
pushd ${{ inputs.SOURCE_PATH }}
mfd-system-tests --project-dir .
run_ut_tests:
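Review bot: `source ${{ inputs.VIRTUALENV_PATH }}/*/activate` depends on the glob matching exactly one directory (`bin` on Linux, `Scripts` on Windows); if the composite action ever leaves both, or none, `source` receives two paths or the literal pattern and fails in a way the step name does not explain. Have `prepare_test_env` export the activate script path as an output and `source` that, and move `inputs.VIRTUALENV_PATH`/`inputs.SOURCE_PATH` into `env:` rather than pasting them into the script.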

Check warning (Code scanning / CodeQL): Workflow does not contain permissions [Medium]

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 4 months ago):

To fix the problem, we should add an explicit permissions block limiting the GITHUB_TOKEN to the minimum necessary permissions. Since all the jobs listed (including running tests and reporting results to Coveralls) do not need write access to repository contents or metadata, we can set permissions: contents: read at the root of the workflow. This will apply to all jobs. If any individual job needs additional permissions in the future, those can be overridden within that job, but for now, root-level restriction is sufficient.

This change should be made by inserting a permissions: section after the name: (and before env: or jobs:) at the top of the workflow file .github/workflows/run_tests.yml.

Suggested changeset 1: .github/workflows/run_tests.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
--- a/.github/workflows/run_tests.yml
+++ b/.github/workflows/run_tests.yml
@@ -1,5 +1,8 @@
 name: Run Tests (ut + ft)
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [opened, synchronize]
EOF
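Review bot: duplicate of the previous suggested changeset for `run_tests.yml`; skip it if that one was applied. The hunks are byte-identical, each alert merely anchors on a different job.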
Comment on lines 92 to 106
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest]
python_version: ['3.10', '3.13']
name: run_ut_tests_${{ matrix.os }}
needs: get_tests_to_run
if: ${{ needs.get_tests_to_run.outputs.run_unit_tests == 'true' }}
runs-on: ${{ matrix.os }}
steps:
- name: Checkout this repository
uses: actions/checkout@v4
with:
path: current_repo
- uses: ./current_repo/.github/prepare_test_env
with:
PYTHON_VERSION: ${{ matrix.python_version }}
- name: Run Unit Tests
shell: bash
run: |
source ${{ inputs.VIRTUALENV_PATH }}/*/activate
python --version
pushd ${{ inputs.SOURCE_PATH }}
mfd-unit-tests-with-coverage --project-dir .
- name: Coveralls GitHub Action
uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b #v2.3.6
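Review bot: `coverallsapp/github-action@648a8eb...` with the tag in a trailing comment is the pinning form to adopt for the other actions in this PR (`actions/checkout@v4`, `actions/setup-python@v5`, `python-semantic-release@v10.3.1`, `pypa/gh-action-pypi-publish@release/v1`): a tag or branch can be moved to different code, a commit SHA cannot, and Dependabot still updates SHA pins when the comment carries the version, provided `.github/dependabot.yml` covers the `github-actions` ecosystem. Otherwise this job mirrors `run_ft_tests`, so the same `env:` treatment for the two `inputs.*` values applies.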

Check warning (Code scanning / CodeQL): Workflow does not contain permissions [Medium]

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 4 months ago):

To resolve the CodeQL finding, the workflow file .github/workflows/run_tests.yml should explicitly declare a permissions block. The simplest way (and often recommended) is to add it at the root level, just below the workflow name, so all jobs inherit these minimal permissions unless overridden. For typical CI tasks that do not push code or change issues, contents: read is sufficient. If one or more jobs require additional permissions (for example, if the Coveralls action needs to write PR comments or status), individual job permissions can be extended accordingly, but for minimal compliance and security, a root-level block of permissions: contents: read will substantially reduce risk from possible supply chain attacks or privilege escalation. No changes to the existing functionality are needed.

What to change:

  • In .github/workflows/run_tests.yml, add a block:
    permissions:
      contents: read
    
    directly below the name: line, before the on: block (after line 1).

Imports, methods, definitions:

  • No new imports, methods, or definitions are required for this change.

Suggested changeset 1: .github/workflows/run_tests.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
--- a/.github/workflows/run_tests.yml
+++ b/.github/workflows/run_tests.yml
@@ -1,4 +1,6 @@
 name: Run Tests (ut + ft)
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
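Review bot: third copy of the `run_tests.yml` changeset, inserted this time without the surrounding blank line; any one of the three resolves all three alerts, so apply one and dismiss the rest.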
Comment on lines +13 to +30
strategy:
fail-fast: false
matrix:
python_version: ['3.10', '3.13']
runs-on: ubuntu-latest
steps:
- name: Checkout this repository
uses: actions/checkout@v4
with:
path: current_repo
- uses: ./current_repo/.github/prepare_test_env
with:
PYTHON_VERSION: ${{ matrix.python_version }}
- name: Run mfd-code-standard
shell: bash
run: |
source ${{ github.workspace }}/${{ env.VIRTUALENV_PATH }}/*/activate
mfd-code-standard --project-dir ${{ github.workspace }}/${{ env.SOURCE_PATH }}
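Review bot: this job reads `env.VIRTUALENV_PATH` and `env.SOURCE_PATH`, while the test jobs read `inputs.VIRTUALENV_PATH` and `inputs.SOURCE_PATH`; if `check_code_standard.yml` receives these as `workflow_call` inputs like the others, `env.*` is empty unless a top-level `env:` maps them, and the `source` line collapses to `${{ github.workspace }}//*/activate`. Pick one convention, and as in the test jobs prefer `env:` over pasting expressions into the script.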

Check warning (Code scanning / CodeQL): Workflow does not contain permissions [Medium]

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 4 months ago):

To fix this problem, explicitly add a permissions block to the workflow. The least-privilege approach is to give read-only access to repository contents (contents: read), which is sufficient for checking out code and running static analysis. The permissions block can be added at the root level (before jobs:) so all jobs inherit these permissions unless overridden. Edit the file .github/workflows/check_code_standard.yml: add the following block right after the workflow name: and before the on: trigger section. No additional imports or dependencies are required.


Suggested changeset 1: .github/workflows/check_code_standard.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/check_code_standard.yml b/.github/workflows/check_code_standard.yml
--- a/.github/workflows/check_code_standard.yml
+++ b/.github/workflows/check_code_standard.yml
@@ -1,4 +1,6 @@
 name: Check Code Standard
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
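Review bot: correct as written; static analysis over a checked-out tree needs nothing beyond `contents: read`. The job also runs the local composite action `./current_repo/.github/prepare_test_env`, which will see the same restricted token, so confirm that it does not try to write a comment or status with `GITHUB_TOKEN`.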
@pmarusz force-pushed the update-workflow branch 2 times, most recently from 0f530c5 to f51ae6f (October 14, 2025 08:16)
@pmarusz force-pushed the update-workflow branch 3 times, most recently from 641ed84 to b942a02 (October 14, 2025 08:18)
Comment on lines +9 to +20
strategy:
fail-fast: false
matrix:
python_version: ['3.10', '3.13']
uses: ./.github/workflows/build_upload_whl.yml
secrets:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
with:
REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
BRANCH_NAME: ${{ github.head_ref }}
PYTHON_VERSION: ${{ matrix.python_version }}
PROJECT_NAME: 'mfd-code-quality'
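Review bot: `REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}` with `BRANCH_NAME: ${{ github.head_ref }}` makes the called workflow check out the author's branch head directly instead of the `refs/pull/N/merge` ref GitHub prepares, so the build exercises the branch as-is rather than the result of merging it into the base; leave `repository:`/`ref:` off the checkout if the merge result is what should be tested. `secrets: GH_TOKEN` is empty for PRs from forks, but for same-repository PRs it is reachable from every step of the called workflow, not only the guarded comment step, which is one more reason to keep that PAT's scope minimal.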

Check warning (Code scanning / CodeQL): Workflow does not contain permissions [Medium]

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 4 months ago):

To fix the problem, we should add a permissions: key to the workflow. Since the workflow is triggered on pull_request events and calls a reusable workflow for building/uploading a wheel file, we should set the minimum permissions necessary. In almost all cases for a build triggered by a PR, contents: read is sufficient, but if actions in the called workflow require pull-requests: write (e.g., for commenting, updating status), this should be added. For the safest minimal default, set contents: read and add additional scopes as needed. Place the permissions: block at the root of the workflow (above or below on: but before jobs:), so it applies to all jobs unless they override it. No imports or additional definitions are needed.

All the required change is to insert the following at the root of the workflow:

permissions:
  contents: read

You may extend the permission set if write access is required, but with the information shown, contents: read is the minimal starting point.

Suggested changeset 1: .github/workflows/pull_request.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -4,6 +4,9 @@
   pull_request:
     types: [opened, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   build_whl:
     strategy:
EOF
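Review bot: this is the caller-side cap that matters most: a `pull_request` run executes code from the branch under test, so whatever `GITHUB_TOKEN` can do here, a PR author's code can do. With `contents: read` at the root, the called `build_upload_whl.yml` cannot push, comment or publish with `GITHUB_TOKEN` whatever its own `permissions` block says, and its comment step keeps working because it uses the `GH_TOKEN` PAT. For PRs from forks the token is read-only already; this block makes same-repository PRs match.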
@pmarusz force-pushed the update-workflow branch 2 times, most recently from 6760220 to e598f4e (October 14, 2025 08:29)
Comment on lines +25 to +67
    runs-on: ${{ inputs.RUNS_ON }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-tags: true
          fetch-depth: 0
          token: ${{ secrets.GH_TOKEN }}
          ref: ${{ inputs.BRANCH_NAME }}
          repository: ${{ inputs.REPOSITORY_NAME }}
      - name: Run mfd-create-config-files
        run: |
          pip install -r requirements-dev.txt
          pip install .
          mfd-create-config-files --project-dir .
      - name: Run python-semantic-release
        id: semantic_release
        uses: python-semantic-release/python-semantic-release@v10.3.1
        with:
          build: false
          vcs_release: true
          push: true
          commit: false
          github_token: ${{ secrets.GH_TOKEN }}
          strict: true
          verbosity: 2
      - name: Get old/new versions from semantic-release
        run: |
          echo "PREV_VERSION=${{ steps.semantic_release.outputs.previous_version }}" >> $GITHUB_ENV
          echo "NEW_VERSION=${{ steps.semantic_release.outputs.version }}" >> $GITHUB_ENV
      - name: Run mfd-delete-config-files
        run: mfd-delete-config-files --project-dir .
      - name: Update version in pyproject.toml
        run: |
          sed "s/$PREV_VERSION/$NEW_VERSION/" -i pyproject.toml
      - name: Commit and push changes
        run: |
          git config --local user.email "mfd_intel_bot@intel.com"
          git config --local user.name "mfd-intel-bot"
          git add pyproject.toml CHANGELOG.md
          git commit -s -m "chore: Release v$NEW_VERSION"
          git tag -f v$NEW_VERSION
          git push origin ${{ inputs.BRANCH_NAME }} --force
          git push origin v$NEW_VERSION --force

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the problem, you should add a permissions block to the workflow so that the permissions for the GITHUB_TOKEN are explicitly specified and limited to only those required. Since this workflow requires writing to the contents of the repository (for pushes, commits, and tags), you need contents: write rather than the least-privilege of contents: read. All other permissions can be set to none by omitting them.

This block can be placed either at the root of the YAML (to cover all jobs) or at the job level (to impact only this job). Since this workflow contains a single job, adding it at the root is best practice for clarity and future extensibility. You should insert the following immediately after the workflow `name:` and before `on:`:

permissions:
  contents: write

This ensures the workflow always sets the minimal necessary permissions.


Suggested changeset 1
.github/workflows/publish_release.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish_release.yml b/.github/workflows/publish_release.yml
--- a/.github/workflows/publish_release.yml
+++ b/.github/workflows/publish_release.yml
@@ -1,4 +1,6 @@
 name: Publish Release
+permissions:
+  contents: write
 
 on:
   workflow_call:
EOF
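Review bot: `contents: write` at the root of this file does not by itself authorise the pushes in the job above, because this is a `workflow_call` workflow and a called workflow can only lower the caller's GITHUB_TOKEN grant, never raise it; if the caller (manual_release.yml, for which the other autofix on this page proposes `contents: read`) grants read only, GITHUB_TOKEN stays read-only here regardless of this block. The checkout, semantic-release and `git push` steps shown above use `secrets.GH_TOKEN`, a repository secret passed in by the caller rather than the automatic GITHUB_TOKEN, so the practical effect of this hunk is nil for those steps. Either keep the two autofixes consistent (raise the caller to `contents: write` as well) or, if the PAT is meant to do all writing, declare `contents: read` here too so the block reflects what GITHUB_TOKEN is actually allowed to do.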
Signed-off-by: Maruszewski, Piotr <piotr.maruszewski@intel.com>
@intel intel deleted a comment from mfd-intel-bot Oct 14, 2025
@mfd-intel-bot
Copy link
Contributor

We don't publish DEVs .whl.
To build .whl, run 'pip install git+https://intel/mfd-code-quality@update-workflow'

Comment on lines +29 to +36
  publish_release:
    needs: publish_pypi
    if: ${{ always() }}
    uses: ./.github/workflows/publish_release.yml
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
    with:
      REPOSITORY_NAME: ${{ github.repository }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 4 months ago

To fix the issue, you need to add an explicit permissions block to the workflow. This can be done at the root of the workflow (affecting all jobs by default) or at individual job level (overriding the root for those jobs). Since the workflow calls reusable workflows, it is best to limit permissions at the root unless specific jobs need write/update permissions. The minimal starting point for most workflows is permissions: contents: read, unless jobs need to create issues, releases, etc.

Place the following block directly below the name: field at the top for maximum coverage:

permissions:
  contents: read

If you know that your jobs need additional permission types (e.g., for releases), add them as pull-requests: write, etc. Otherwise, start with the minimal read-level access.

Suggested changeset 1
.github/workflows/manual_release.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/manual_release.yml b/.github/workflows/manual_release.yml
--- a/.github/workflows/manual_release.yml
+++ b/.github/workflows/manual_release.yml
@@ -1,4 +1,6 @@
 name: CI Build - Release Mode
+permissions:
+  contents: read
 
 on:
   workflow_dispatch:
EOF
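Review bot: `contents: read` at the root of this caller caps every reusable workflow it dispatches, including `publish_release.yml`, whose job commits, tags and force-pushes; that is only compatible with this autofix because those pushes authenticate with the `GH_TOKEN` secret forwarded under `secrets:`, not with GITHUB_TOKEN. If that secret is ever swapped for the built-in token the release job will fail with a permission error, so document the dependency next to the `secrets:` mapping. Note also that CodeQL's suggested minimum for this file was `{}` rather than `{contents: read}`: for a workflow whose jobs only call other workflows and carry their own secret, the empty block is the stricter and equally workable choice, and whichever value is chosen should be reconciled with the `contents: write` the sibling autofix adds to publish_release.yml, since the callee's block cannot exceed this one.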
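The three CodeQL findings on this page reduce to two questions a reviewer wants answered mechanically: does each workflow (or job) declare GITHUB_TOKEN permissions at all, and, for a job that `uses:` a reusable workflow, what does the callee actually end up with once the rule that a called workflow can only lower the caller's grant is applied. The following checker is an added example, not code from this PR or from the mfd project. It assumes only the Python standard library (no PyYAML) and works on the `key: value` skeleton of a workflow file, which is all a permissions lookup needs; the two sample workflow texts are constructed, modelled on the snippets shown above, and the scope list used to expand `read-all`/`write-all` is a common subset, not the full set.

```python
"""Audit GITHUB_TOKEN permissions in GitHub Actions workflows (added example)."""

LEVELS = {"none": 0, "read": 1, "write": 2}
NAMES = {v: k for k, v in LEVELS.items()}
# Common GITHUB_TOKEN scopes (a subset), used only to expand read-all / write-all.
COMMON_SCOPES = ("actions", "checks", "contents", "deployments", "id-token",
                 "issues", "packages", "pages", "pull-requests",
                 "security-events", "statuses")


def parse_mappings(text):
    """Indentation-based parser that keeps only mapping lines.

    'key: value' becomes a string, 'key:' opens a nested dict, list items
    ('- ...') are dropped and block scalars ('run: |') are skipped. Steps
    are lost, which is fine: permissions live on the root and on jobs.
    """
    root, stack, skip_below = {}, [], None
    stack.append((-1, root))
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if skip_below is not None:
            if indent > skip_below:
                continue            # still inside a block scalar
            skip_below = None
        line = raw.strip()
        if line.startswith("- ") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        while stack[-1][0] >= indent:
            stack.pop()             # climb back to the enclosing mapping
        parent = stack[-1][1]
        if value in ("|", ">", "|-", ">-"):
            skip_below = indent
            parent[key] = value
        elif value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def normalize(block):
    """Turn a raw permissions value into {scope: level}; None = not declared."""
    if block is None:
        return None
    if block == "{}":
        return {}
    if block in ("read-all", "write-all"):
        return {scope: block.split("-")[0] for scope in COMMON_SCOPES}
    if isinstance(block, dict):
        return dict(block)
    raise ValueError(f"unrecognised permissions value: {block!r}")


def effective_permissions(caller, callee):
    """GITHUB_TOKEN scopes a called (workflow_call) workflow really gets.

    Each scope the callee asks for is capped at the caller's level; scopes
    the callee does not mention become 'none'. A callee with no block
    inherits the caller's block unchanged.
    """
    if callee is None:
        return None if caller is None else dict(caller)
    if caller is None:
        return dict(callee)         # caller uses repository defaults we cannot see
    return {scope: NAMES[min(LEVELS.get(level, 0),
                             LEVELS.get(caller.get(scope, "none"), 0))]
            for scope, level in callee.items()}


def audit_workflow(text):
    """Return root/job permissions plus the findings a reviewer would raise."""
    doc = parse_mappings(text)
    root = normalize(doc.get("permissions"))
    findings = [] if root is not None else ["no root-level permissions block"]
    jobs = doc.get("jobs") if isinstance(doc.get("jobs"), dict) else {}
    job_perms = {}
    for name, job in jobs.items():
        if not isinstance(job, dict):
            continue
        job_perms[name] = normalize(job.get("permissions"))
        if root is None and job_perms[name] is None:
            findings.append(f"job '{name}' relies on repository default GITHUB_TOKEN permissions")
        if "uses" in job:
            findings.append(f"job '{name}' calls {job['uses']}; callee GITHUB_TOKEN is capped at this job's permissions")
    return {"root": root, "jobs": job_perms, "findings": findings}


# Constructed samples modelled on the two workflows discussed above (not the repo's real files).
MANUAL_RELEASE = """name: CI Build - Release Mode
permissions:
  contents: read
on:
  workflow_dispatch:
jobs:
  publish_release:
    needs: publish_pypi
    if: ${{ always() }}
    uses: ./.github/workflows/publish_release.yml
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
"""
PUBLISH_RELEASE = """name: Publish Release
permissions:
  contents: write
on:
  workflow_call:
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Commit and push changes
        run: |
          git push origin v1.2.3 --force
"""

if __name__ == "__main__":
    caller, callee = audit_workflow(MANUAL_RELEASE), audit_workflow(PUBLISH_RELEASE)
    print(caller["findings"])
    print("callee GITHUB_TOKEN actually gets:", effective_permissions(caller["root"], callee["root"]))
```

Run against the constructed pair, the caller's `contents: read` turns the callee's declared `contents: write` into an effective `contents: read`, which is exactly why the two autofixes on this page need to be reconciled rather than applied independently.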
@pmarusz pmarusz closed this Oct 14, 2025