sync#701
Update CSharpBible.yml
C sharp bible
Removed a project reference and a check for missing projects from the CSharpBible workflow.
C sharp bible
Added EnableWindowsTargeting property to build and test commands.
| runs-on: windows-latest | ||
| defaults: | ||
| run: | ||
| working-directory: CSharpBible | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| # Install the .NET Core workload | ||
| - name: Install .NET Core | ||
| uses: actions/setup-dotnet@v3 | ||
| with: | ||
| dotnet-version: 6.0.x | ||
|
|
||
| # Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild | ||
| - name: Setup MSBuild.exe | ||
| uses: microsoft/setup-msbuild@v1.0.2 | ||
|
|
||
| # Execute all unit tests in the solution | ||
| - name: Execute unit tests | ||
| run: dotnet test | ||
|
|
||
| # Restore the application to populate the obj folder with RuntimeIdentifiers | ||
| - name: Restore the application | ||
| run: msbuild $env:Solution_Name /t:Restore /p:Configuration=$env:Configuration | ||
| env: | ||
| Configuration: ${{ matrix.configuration }} | ||
|
|
||
| # Decode the base 64 encoded pfx and save the Signing_Certificate | ||
| - name: Decode the pfx | ||
| run: | | ||
| $pfx_cert_byte = [System.Convert]::FromBase64String("${{ secrets.Base64_Encoded_Pfx }}") | ||
| $certificatePath = Join-Path -Path $env:Wap_Project_Directory -ChildPath GitHubActionsWorkflow.pfx | ||
| [IO.File]::WriteAllBytes("$certificatePath", $pfx_cert_byte) | ||
|
|
||
| # Create the app package by building and packaging the Windows Application Packaging project | ||
| - name: Create the app package | ||
| run: msbuild $env:Wap_Project_Path /p:Configuration=$env:Configuration /p:UapAppxPackageBuildMode=$env:Appx_Package_Build_Mode /p:AppxBundle=$env:Appx_Bundle /p:PackageCertificateKeyFile=GitHubActionsWorkflow.pfx /p:PackageCertificatePassword=${{ secrets.Pfx_Key }} | ||
| env: | ||
| Appx_Bundle: Always | ||
| Appx_Bundle_Platforms: x86|x64 | ||
| Appx_Package_Build_Mode: StoreUpload | ||
| Configuration: ${{ matrix.configuration }} | ||
|
|
||
| # Remove the pfx | ||
| - name: Remove the pfx | ||
| run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx | ||
|
|
||
| # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact | ||
| - name: Upload build artifacts | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: MSIX Package | ||
| path: ${{ env.Wap_Project_Directory }}\AppPackages | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup .NET 8.0 | ||
| uses: actions/setup-dotnet@v4 | ||
| with: | ||
| dotnet-version: "8.0.x" | ||
|
|
||
| - name: Remove private projects | ||
| run: | | ||
| dotnet sln CSharpBible.sln remove "Mobile/MauiApp1/MauiApp1.csproj" | ||
| dotnet sln CSharpBible.sln remove "Simulation/AGVFktTests/AGVFktTests.csproj" | ||
| dotnet sln CSharpBible.sln remove "Simulation/AGVFkt/AGVFkt.csproj" | ||
| dotnet sln CSharpBible.sln remove "DB/ADO_Test/ADO_Test.csproj" | ||
| dotnet sln CSharpBible.sln remove "Libraries/CSFreeVision_/CSFreeVision.csproj" | ||
| dotnet sln CSharpBible.sln remove "Mobile/DXMauiApp1/DXMauiApp1.csproj" | ||
| dotnet sln CSharpBible.sln remove "Web/MyComponent/Client/MyComponent.Client.csproj" | ||
| dotnet sln CSharpBible.sln remove "Web/MyComponent/Server/MyComponent.Server.csproj" | ||
| dotnet sln CSharpBible.sln remove "Web/MyComponent/Shared/MyComponent.csproj" | ||
| dotnet sln CSharpBible.sln remove "WinUI/App1/App1/App1.csproj" | ||
| dotnet sln CSharpBible.sln remove "App2/App2.csproj" | ||
| dotnet sln CSharpBible.sln remove "../PackageDwnLd.csproj" | ||
| dotnet sln CSharpBible.sln remove "Web/BlazorApp1/BlazorApp1.csproj" | ||
| dotnet sln CSharpBible.sln remove "Web/WebApp1/BlazorApp2/BlazorApp2.csproj" | ||
| dotnet sln CSharpBible.sln remove "Web/WebApp1/WebApplication1/WebApplication1/WebApplication1.csproj" | ||
|
|
||
| - name: Restore | ||
| run: dotnet restore CSharpBible.sln -p:TargetFramework=net8.0-windows | ||
|
|
||
| - name: Build | ||
| run: dotnet build CSharpBible.sln --configuration Release --no-restore -p:TargetFramework=net8.0-windows | ||
|
|
||
| - name: Test | ||
| run: dotnet test CSharpBible.sln --configuration Release --no-build --verbosity normal -p:TargetFramework=net8.0-windows |
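Review bot: The `Checkout` and `Setup .NET 8.0` steps reference `actions/checkout@v4` and `actions/setup-dotnet@v4` by mutable tag; pin each to a full commit SHA, with the tag kept in a trailing comment, so a retagged release cannot change what this job executes. `Checkout` can also set `persist-credentials: false`, since none of the visible steps push back to the repository. In the packaging steps, `${{ secrets.Pfx_Key }}` is expanded directly into the `msbuild` command line and `Remove the pfx` has no `if: always()`, so a failed build would leave the decoded certificate on the runner; if those steps remain in the file, pass the password through `env:` and make the cleanup unconditional.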
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 months ago
In general, the fix is to define an explicit permissions block for the workflow or individual jobs, granting only the minimal scopes required. For this workflow, the job only needs to read repository contents to allow actions/checkout to fetch the code; it does not appear to need any write permissions or additional scopes.
The single best fix with no functional change is to add a root-level permissions section that applies to all jobs, immediately below the name (or on) block. Set contents: read as recommended by CodeQL. No imports or additional methods are needed; this is purely a YAML configuration change within .github/workflows/CSharpBible.yml.
Concretely: in .github/workflows/CSharpBible.yml, after line 1 (name: CSharpBible CI3) insert a permissions: block specifying contents: read. This will constrain the GITHUB_TOKEN for the build-test job (and any future jobs without their own permissions block) to read-only access to repository contents.
| @@ -1,5 +1,8 @@ | ||
| name: CSharpBible CI3 | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| paths: |
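Review bot: The root-level `permissions:` block added between `name:` and `on:` has no comment explaining why `contents: read` is sufficient; add one line stating that the job only checks out, builds and tests, so that a later job needing write access declares its own job-level `permissions:` rather than widening this block. Once the key is present, every scope not listed is set to none, which is the intended effect here.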
| runs-on: windows-latest | ||
| defaults: | ||
| run: | ||
| working-directory: TestStatements | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup .NET 8.0 | ||
| uses: actions/setup-dotnet@v4 | ||
| with: | ||
| dotnet-version: "8.0.x" | ||
|
|
||
| - name: Remove private projects | ||
| run: | | ||
|
|
||
| - name: Restore | ||
| run: dotnet restore TestStatements.sln -p:TargetFramework=net8.0-windows | ||
|
|
||
| - name: Build | ||
| run: dotnet build TestStatements.sln --configuration Release --no-restore -p:TargetFramework=net8.0-windows | ||
| - name: Test | ||
| run: dotnet test TestStatements.sln --configuration Release --no-build --verbosity normal -p:TargetFramework=net8.0-windows |
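Review bot: The `Remove private projects` step has a `run: |` with no commands under it in the lines shown; either list the `dotnet sln TestStatements.sln remove ...` calls it is meant to run or drop the step, so the workflow does not carry an empty script. The same pinning point applies to `actions/checkout@v4` and `actions/setup-dotnet@v4` at the top of the step list: reference them by commit SHA rather than by tag.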
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 months ago
In general, the fix is to add an explicit permissions block that grants only the minimal required access to the GITHUB_TOKEN. For a CI workflow that only needs to check out the repository and build/test, contents: read is typically sufficient. This can be added at the root of the workflow (applies to all jobs) or under a specific job. Here, adding it at the root keeps the change simple and does not alter functionality.
Concretely, in .github/workflows/Teststatements.yml, add a permissions: section after the name: (before on:) with contents: read. No extra scopes are needed because there are no steps that write to the repo, issues, or pull requests. This change does not affect the existing build/test behavior but ensures that GITHUB_TOKEN is restricted to read‑only repository contents for this workflow.
| @@ -1,5 +1,8 @@ | ||
| name: TestStatemens CI0 | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| paths: |
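Review bot: The context line `name: TestStatemens CI0` at the top of this hunk misspells the workflow name (the solution is `TestStatements.sln`); since the header is being edited anyway, correct it to `TestStatements` so check names and branch-protection rules match the project. The `permissions:` block itself is placed correctly ahead of `on:`.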
No description provided.