Update dev #122
| if: github.event_name == 'pull_request' && github.event.action == 'closed' | ||
| runs-on: ubuntu-latest | ||
| name: Close Pull Request Job | ||
| steps: | ||
| - name: Close Pull Request | ||
| id: closepullrequest | ||
| uses: Azure/static-web-apps-deploy@v1 | ||
| with: | ||
| action: "close" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
To fix the detected issue, explicitly set a permissions: block on the close_pull_request_job to restrict the GITHUB_TOKEN permissions. Since this job appears to only call Azure/static-web-apps-deploy@v1 with the action close and does not interact with repository contents or pull requests, you can set permissions: {} (none), or permissions: contents: read if the action requires reading repository code. As a minimal starting point and following least privilege, set permissions: {} at the job level for close_pull_request_job in .github/workflows/publish-asset-store.yml immediately before or after the runs-on: attribute.
| @@ -55,6 +55,7 @@ | ||
| close_pull_request_job: | ||
| if: github.event_name == 'pull_request' && github.event.action == 'closed' | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| name: Close Pull Request Job | ||
| steps: | ||
| - name: Close Pull Request |
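Review bot: the `permissions: {}` added under `runs-on:` is scoped to `close_pull_request_job` only, so any other job in this file still runs with the repository's default `GITHUB_TOKEN` permissions. Add a top-level `permissions:` block as the workflow default and keep this job-level `{}` as the tighter override. The placement between `runs-on:` and `name:` is fine.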
| if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') | ||
| runs-on: ubuntu-latest | ||
| name: Build and Deploy Job | ||
| steps: | ||
| - name: Echo message | ||
| run: echo "Hello from the test branch 👋" | ||
| - uses: actions/checkout@v3 | ||
| with: | ||
| submodules: true | ||
| lfs: false | ||
| - name: Build And Deploy | ||
| id: builddeploy | ||
| uses: Azure/static-web-apps-deploy@v1 | ||
| with: | ||
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }} | ||
| repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) | ||
| action: "upload" | ||
| ###### Repository/Build Configurations - These values can be configured to match your app requirements. ###### | ||
| # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig | ||
| app_location: "./Portal/sharpengine-web-ui" # App source code path | ||
| # api_location: "" # Api source code path - optional | ||
| output_location: "build" # Built app content directory - optional | ||
| app_build_command: "CI=false npm run build" | ||
| ###### End of Repository/Build Configurations ###### | ||
|
|
||
| close_pull_request_job: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
To fix this issue, explicitly set the required permissions in the workflow. The minimal least-privilege block is permissions: contents: read at the top level. However, since the workflow uses the repo_token for Github integrations such as PR comments (as noted on line 29), we need at least contents: read and, if the integration posts comments to pull requests, also pull-requests: write. We should add the permissions block at the workflow root immediately after the name: field to apply to all jobs by default. This fix does not impact existing functionality but tightens security as recommended. No changes outside the YAML are required.
| @@ -1,4 +1,7 @@ | ||
| name: Publish SharpEngine Web Portal | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| on: | ||
| push: |
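Review bot: the top-level `pull-requests: write` added after `name:` is inherited by every job, including `close_pull_request_job`, which on this page passes only the API token and `action: "close"` and no `repo_token`. Keep `contents: read` as the workflow default and move `pull-requests: write` into a job-level `permissions:` on the build job, the only one that hands `secrets.GITHUB_TOKEN` to the action.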
| if: github.event_name == 'pull_request' && github.event.action == 'closed' | ||
| runs-on: ubuntu-latest | ||
| name: Close Pull Request Job | ||
| steps: | ||
| - name: Close Pull Request | ||
| id: closepullrequest | ||
| uses: Azure/static-web-apps-deploy@v1 | ||
| with: | ||
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }} | ||
| action: "close" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
The best way to fix this issue is to add an explicit permissions key setting the minimum privileges necessary for the workflow/jobs. The least-privilege starting point for most workflows is:

    permissions:
      contents: read

However, because this workflow uses third-party actions (including Azure/static-web-apps-deploy which uses the repo_token for PR status/comments), it may require additional permissions such as pull-requests: write. The most appropriate and future-safe initial fix is to add, at the root of the workflow (top-level), a permissions section with the minimal rights required:

    permissions:
      contents: read
      pull-requests: write

This block should be inserted after name: and before on: (i.e., as one of the very top-level keys in the workflow file, so it applies to all jobs). No other files or changes are necessary for a correct and standards-compliant fix.
| @@ -1,4 +1,7 @@ | ||
| name: Publish SharpEngine Web Portal | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| on: | ||
| push: |
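Review bot: this is the same `@@ -1,4 +1,7 @@` insertion after `name: Publish SharpEngine Web Portal` that the autofix for the previous alert proposes, so only one of the two should be applied. Committing both would leave two top-level `permissions:` keys in the file, which is a duplicate mapping key in YAML.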
Pull request overview
This PR updates the development environment by modifying deployment workflows and temporarily disabling login functionality in the web portal. The changes appear to be part of work related to feature/52-av-web branch, configuring Azure Static Web Apps deployments for both the SharpEngine Web Portal and Asset Store applications.
Key changes:
- Commented out HeaderLogin component usage in the web portal header
- Configured Azure Static Web Apps deployment workflows with build and close pull request jobs
- Added feature branch triggers to multiple deployment workflows
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| Portal/sharpengine-web-ui/src/components/Header.tsx | Temporarily disabled HeaderLogin component by commenting out import and usage |
| .github/workflows/publish-web.yml | Configured Azure Static Web Apps deployment for SharpEngine Web Portal with build and close PR jobs |
| .github/workflows/publish-asset-store.yml | Configured Azure Static Web Apps deployment for Asset Store with OIDC authentication and build/close PR jobs |
| .github/workflows/azure-static-web-apps-victorious-moss-06d128203.yml | Updated workflow to deploy Portal instead of Asset Store and corrected Azure secret reference |
Comments suppressed due to low confidence (1)
.github/workflows/azure-static-web-apps-victorious-moss-06d128203.yml:59
- The close_pull_request_job is missing the required azure_static_web_apps_api_token parameter. The action will fail without this token. Add the azure_static_web_apps_api_token secret reference similar to the build_and_deploy_job.
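The three code scanning alerts above ask for an explicit `permissions:` key on these workflows. One least-privilege layout that combines the job-level and workflow-level suggestions is sketched below as an added example; it is not the repository's workflow file or Copilot's autofix. The workflow name, the secret name `EXAMPLE_SWA_API_TOKEN` and the app path are placeholders, and the need for `pull-requests: write` is an assumption taken from the `repo_token` comment quoted on this page.

```yaml
# Added example: least-privilege GITHUB_TOKEN scopes for a two-job
# Static Web Apps workflow. Names, secret and paths are placeholders.
name: Example Static Web App deploy

on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened, closed]
    branches:
      - main

# Workflow-level default: a job that declares nothing gets a token with no scopes.
permissions: {}

jobs:
  build_and_deploy_job:
    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
    runs-on: ubuntu-latest
    # Job-level override. checkout reads the repository; repo_token is used
    # for PR comments, which is assumed here to need pull-requests: write.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: true
          lfs: false
      - uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.EXAMPLE_SWA_API_TOKEN }}
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          action: "upload"
          app_location: "./app"      # placeholder path
          output_location: "build"

  close_pull_request_job:
    if: github.event_name == 'pull_request' && github.event.action == 'closed'
    runs-on: ubuntu-latest
    # No checkout and no repo_token, so this job keeps an empty token.
    permissions: {}
    steps:
      - uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.EXAMPLE_SWA_API_TOKEN }}
          action: "close"
```

A job-level `permissions:` block replaces the workflow-level one for that job, and any scope not listed in it is set to none.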
| action: "close" | ||
|
|
Copilot
AI
Dec 13, 2025
The close_pull_request_job is missing the required azure_static_web_apps_api_token parameter. The action will fail without this token. Add the azure_static_web_apps_api_token secret reference similar to the build_and_deploy_job.
| action: "close" | |
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_SKY_0ACD4AD03 }} | |
| action: "close" |
| //import { HeaderLogin } from 'sharpengine-ui-shared/src/components/HeaderLogin' | ||
|
|
||
| export function Header() { | ||
| const navigate = useNavigate(); |
Copilot
AI
Dec 13, 2025
The navigate variable is declared but never used since the HeaderLogin component that uses it has been commented out. Either remove the unused useNavigate import and variable declaration, or if this is temporary, consider using a feature flag approach instead of commenting out code.
| @@ -1,8 +1,8 @@ | |||
| import { useState } from 'react'; | |||
| import { useNavigate } from 'react-router-dom'; | |||
| import { ChevronDown, User } from 'lucide-react'; | |||
Copilot
AI
Dec 13, 2025
The User import from lucide-react is unused. Consider removing it to keep the imports clean and avoid bundle bloat.
| import { ChevronDown, User } from 'lucide-react'; | |
| import { ChevronDown } from 'lucide-react'; |
| # - main | ||
| - feature/52-av-web |
Copilot
AI
Dec 13, 2025
This workflow is configured to trigger on pushes to a feature branch (feature/52-av-web) rather than the main branch. Feature branches should typically not trigger deployment workflows directly. Consider removing this branch trigger before merging to ensure the workflow only deploys from stable branches.
| # - main | |
| - feature/52-av-web | |
| - main |
| id: closepullrequest | ||
| uses: Azure/static-web-apps-deploy@v1 | ||
| with: | ||
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }} |
Copilot
AI
Dec 13, 2025
The close_pull_request_job is missing the required azure_static_web_apps_api_token parameter. The action will fail without this token. Add the azure_static_web_apps_api_token secret reference similar to the build_and_deploy_job.
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }} | |
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }} | |
| azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_KIND_MEADOW_06167BF03 }} |
| - main | ||
| - feature/52-av-web |
Copilot
AI
Dec 13, 2025
This workflow is configured to trigger on pushes to a feature branch (feature/52-av-web). Feature branches should typically not trigger deployment workflows directly. Consider removing this branch trigger before merging to ensure the workflow only deploys from stable branches like main.
| branches: | ||
| - test | ||
| - main | ||
| - feature/52-av-web |
Copilot
AI
Dec 13, 2025
This workflow includes a feature branch (feature/52-av-web) in the pull request trigger configuration. Pull request workflows should typically only be configured for stable target branches. Consider removing this feature branch from the configuration.
| - feature/52-av-web |
| import { ChevronDown, User } from 'lucide-react'; | ||
|
|
||
| import { HeaderLogin } from 'sharpengine-ui-shared/src/components/HeaderLogin' | ||
| //import { HeaderLogin } from 'sharpengine-ui-shared/src/components/HeaderLogin' |
Copilot
AI
Dec 13, 2025
The import statement and component usage for HeaderLogin have been commented out but not removed. If this is a temporary change for testing, consider using a feature flag instead. If this is a permanent removal, the commented code should be deleted to improve code maintainability.
| </nav> | ||
|
|
||
| <HeaderLogin onProfileClicked={() => navigate('/profile')} /> | ||
| {/* <HeaderLogin onProfileClicked={() => navigate('/profile')} /> */} |
Copilot
AI
Dec 13, 2025
The HeaderLogin component usage has been commented out but not removed. If this is a temporary change for testing, consider using a feature flag instead. If this is a permanent removal, the commented code should be deleted to improve code maintainability.
<Issue number> <Change title>
Contents
This PR is trying to resolve:
TBD
We resolve it by:
TBD
Checklist
main to my branch.