
chore(ci): address codeql issues in gha workflows #128

Open: nirinchev wants to merge 1 commit into main

Conversation

nirinchev (Contributor)

Description

This addresses most issues reported by CodeQL. The remaining ones are related to using mongodb-js/devtools-shared/actions/setup-bot-token@main instead of pinning to a commit. I feel that this should be treated as a first-party action and be exempt from requiring commit pinning, but am open to being convinced otherwise.
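The pinning policy the description argues for, as an added example that is not part of this PR or the project's code: a check over workflow text that flags `uses:` references not pinned to a full 40-character commit SHA while exempting owners treated as first-party (assumed here to be `mongodb-js`, matching the `setup-bot-token@main` reference above). The sample workflow and the SHA in it are constructed.

```python
import re

# Matches a step's `uses:` value: owner/repo[/path]@ref (a trailing comment is ignored).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-hex commit SHA, which is what CodeQL's unpinned-action check expects.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Owners exempt from pinning (assumption: mongodb-js treated as first-party, as argued above).
FIRST_PARTY_OWNERS = {"mongodb-js"}


def parse_uses(ref):
    """Split 'owner/repo[/path]@ref' into (owner, path, ref); local and docker refs return None."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return (ref.split("/")[0], ref, None)
    path, _, version = ref.rpartition("@")
    return (path.split("/")[0], path, version)


def check_workflow(text, first_party=FIRST_PARTY_OWNERS):
    """Return (line_no, reference, reason) for each action reference violating the pinning policy."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        parsed = parse_uses(m.group(1))
        if parsed is None:
            continue
        owner, path, version = parsed
        if owner in first_party:
            continue  # exempt: first-party actions may track a branch
        if version is None:
            findings.append((n, path, "no ref given"))
        elif not SHA_RE.match(version):
            # tags, branches and short SHAs are all mutable or ambiguous
            findings.append((n, f"{path}@{version}", "not pinned to a full commit SHA"))
    return findings


# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
      - uses: ./.github/actions/local-step
"""
```

Run `check_workflow` over the contents of each file under `.github/workflows/`; with the exemption in place only the `actions/checkout@v4` line is reported, and with an empty exemption set the `@main` reference is reported too.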

@nirinchev nirinchev requested a review from kmruiz January 23, 2025 00:38
@github-actions github-actions bot added the no release notes It's a chore and doesn't require release notes. label Jan 23, 2025
@nirinchev nirinchev added the no-title-validation Skips validation of PR titles (conventional commit adherence + JIRA ticket inclusion) label Jan 23, 2025
@github-actions github-actions bot added no release notes It's a chore and doesn't require release notes. and removed no release notes It's a chore and doesn't require release notes. labels Jan 23, 2025

Coverage Report

Overall Project 80.02%

There is no coverage information present for the Files changed


🤖 Benchmark Comparison for chore(ci): address codeql issues in gha workflows

Benchmark                                      Previous                Current                 Change
com.mongodb.jbplugin.jmh.SampleBenchmark.init  2,612,155,888.52 ops/s  2,609,720,903.13 ops/s  -0.09%

@@ -3,6 +3,10 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]

permissions:
contents: read
pull-requests: write
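Review bot: `pull-requests: write` in this new `permissions:` block is broader than a changelog check that only blocks the PR needs; `pull-requests: read`, or omitting the scope entirely, is enough unless a step in this workflow actually comments on or labels the PR. Adding a top-level `permissions:` block is the right direction, since it drops every unlisted `GITHUB_TOKEN` scope to none, so each scope that stays listed should carry a one-line comment naming the step that requires it, e.g. `pull-requests: write # needed by <step> to post the check result`.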
Contributor

Why are we adding additional permissions to this workflow? We don't need them for checking the changelog and blocking a PR, right?


permissions:
contents: read
pull-requests: read
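Review bot: even `pull-requests: read` should be justified here: once a `permissions:` block exists, every scope not listed is already none, so listing `pull-requests: read` is a deliberate grant rather than a default, and a job that only checks out the repository needs `contents: read` alone. If the read scope is required, for instance to call the pulls API, a comment above it naming the step that uses it would keep this from being re-raised on the next CodeQL pass.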
Contributor

Same thing here: we don't want workflows to have additional permissions unless they are needed.
