Develop->Master #360
changes to templates, code parser, and test data
Also, there are a few other test files that should all be changed and tested together...
…est token in the test_local folder
Check KBASE_TEST_TOKEN env var if no dev token is found
…trieval of information from git.properties file.
…tarting kb-sdk. Add release notes. Fix KBase report class name error in Java version.
Let's skip ci this time.
Java edits for kb-sdk 1.3
Update Dockerfile
Makefile template change for develop branch.
Adding kb-sdk image build and upload to Dockerhub to GitHub actions
Remove outdated sdkbase directory and docs
…cfg file
Remove extra step of adding in the test token to the test.cfg file in the github actions
Improve error message text with information about where the kbase test token may be found
Update release notes; bump version number.
Update entrypoint script to force root user
Removing "-t" flag to allow github actions to run kb-sdk
DEVOPS-1197: Add GHA actions
Update module_test_python_client.vm.properties
…at no longer exists
Fixing kb_sdk tests, slimming down dockerfile
Updating Dockerfile to enable `docker buildx`
363 python Server.py file adds extraneous quotes to error messages
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Annotated lines from `.github/workflows/basic_sdk_functionality_tests.yml` (the job preceding `test_existing_repos`):

```yaml
    if: "!contains(github.event.head_commit.message, 'skip ci')"
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-20.04, ubuntu-latest]
        language: [perl, python, java]
        test_type: [base] #, example]
        auth: [token, env_var]

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # build kb-sdk from source and test basic functions
      - name: Set up JDK 1.8
        uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: 8.0.362+9

      - name: Build with Ant
        run: |
          make

      - name: Add bin to $PATH
        run: |
          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH

      - name: checking kb-sdk functions
        env:
          KBASE_TEST_TOKEN: ${{ secrets.KBASE_TEST_TOKEN }}
          LANGUAGE_TOKEN: ${{ matrix.language }}
        run: |
          env
          kb-sdk help
          kb-sdk version

      # the following steps create a KBase app using the SDK
      # and runs some checks to ensure the app generated
      # is functional and that the SDK can test it.
      - name: init base repo
        if: matrix.test_type == 'base'
        env:
          LANGUAGE_TOKEN: ${{ matrix.language }}
        run: |
          kb-sdk init -l $LANGUAGE_TOKEN -u user SampleApp

      - name: init example repo
        if: matrix.test_type == 'example'
        env:
          LANGUAGE_TOKEN: ${{ matrix.language }}
        run: |
          kb-sdk init -l $LANGUAGE_TOKEN -u user --example SampleApp

      - name: test ${{ matrix.test_type }} repo, using test.cfg for auth
        if: matrix.auth == 'token'
        run: |
          cd SampleApp
          kb-sdk test || true

      - name: test ${{ matrix.test_type }} repo, using test.cfg for auth, add env var to test.cfg
        if: matrix.auth == 'token'
        env:
          KBASE_TEST_TOKEN: ${{ secrets.KBASE_TEST_TOKEN }}
        run: |
          cd SampleApp
          sed -i "s/test_token=/test_token=$KBASE_TEST_TOKEN/" test_local/test.cfg
          kb-sdk test

      - name: test ${{ matrix.test_type }} repo, using env var for auth
        if: matrix.auth == 'env_var'
        env:
          KBASE_TEST_TOKEN: ${{ secrets.KBASE_TEST_TOKEN }}
        run: |
          cd SampleApp
          kb-sdk test

      - name: make resulting app available as artefact in case of failure
        if: ${{ failure() }}
        uses: actions/upload-artifact@v3
        with:
          name: kbaseapp-${{ matrix.language }}-${{ matrix.test_type }}-${{ matrix.os }}
          path: SampleApp

  test_existing_repos:
```
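Review bot: the "add env var to test.cfg" step writes `$KBASE_TEST_TOKEN` into `test_local/test.cfg` with `sed -i`, and the final step uploads the whole `SampleApp` directory as an artifact whenever the job fails, so a failing run in the `token` matrix leg ships the secret in a downloadable artifact. Suggest excluding that file from the upload, restoring the `test_token=` placeholder before the artifact step, or dropping the `token` leg in CI and keeping only the `env_var` path. Two smaller points: the `env` call in "checking kb-sdk functions" dumps the whole environment (the value is masked in logs, but the step gains nothing from having `KBASE_TEST_TOKEN` set), and `sed` will break if the token ever contains a `/`, so a different delimiter such as `s|test_token=|test_token=$KBASE_TEST_TOKEN|` would be more robust.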
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, add a permissions block to the workflow file to explicitly set the minimum required permissions for the GITHUB_TOKEN. Since the workflow does not appear to require any write access to repository contents or other resources (it only checks out code, runs tests, and uploads artifacts), the minimal required permission is likely contents: read. This block should be added at the top level of the workflow (just after the name: and before on:), so it applies to all jobs unless overridden. No changes to the jobs or steps are required.
Steps:
- Edit `.github/workflows/basic_sdk_functionality_tests.yml`.
- Insert the following block after the `name:` line and before the `on:` block: `permissions:` / `contents: read`
- No additional imports, methods, or definitions are needed.
| @@ -1,2 +1,4 @@ | ||
| name: Basic kb-sdk functionality tests | ||
| permissions: | ||
| contents: read | ||
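Review bot: the header `@@ -1,2 +1,4 @@` says four lines remain after the change but only three are shown; confirm that the `on:` line follows `contents: read` at column 0, because a block indented one level deeper becomes a key inside `on:` and the workflow fails validation instead of gaining a permissions scope. For the steps this workflow runs (checkout, setup-java, `make`, `kb-sdk test`, upload-artifact) `contents: read` is sufficient. Note that it does not restrict `secrets.KBASE_TEST_TOKEN`, which is a repository secret and not a GITHUB_TOKEN scope.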
Annotated lines from `.github/workflows/basic_sdk_functionality_tests.yml` (job `test_existing_repos`):

```yaml
    if: "!contains(github.event.head_commit.message, 'skip ci')"
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-20.04, ubuntu-latest]
        # TODO: add a Java app. WsLargeDataIO does not currently build as it relies on a Java
        # repo that no longer exists.
        app: [KBaseReport] # , WsLargeDataIO]
        auth: [token, env_var]

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Set up JDK 1.8
        uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: 8.0.362+9

      - name: Build with Ant
        run: |
          make

      - name: Add bin to $PATH
        run: |
          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH

      - name: checking basic kb-sdk functions
        run: |
          env
          kb-sdk help
          kb-sdk version

      # the following steps check out and run the tests of an existing KBase app
      - name: Checkout existing kbase module ${{ matrix.app }}
        uses: actions/checkout@v3
        with:
          repository: kbaseapps/${{ matrix.app }}
          path: kbase_app

      - name: run repo tests, using test.cfg for auth
        if: matrix.auth == 'token'
        run: |
          cd kbase_app
          kb-sdk test || true

      - name: run repo tests, using test.cfg for auth
        if: matrix.auth == 'token'
        env:
          KBASE_TEST_TOKEN: ${{ secrets.KBASE_TEST_TOKEN }}
        run: |
          cd kbase_app
          sed -i "s/test_token=/test_token=$KBASE_TEST_TOKEN/" test_local/test.cfg
          kb-sdk test

      - name: run repo tests, using env var for auth
        if: matrix.auth == 'env_var'
        env:
          KBASE_TEST_TOKEN: ${{ secrets.KBASE_TEST_TOKEN }}
        run: |
          cd kbase_app
          kb-sdk test

      - name: make resulting app available as artefact in case of failure
        if: ${{ failure() }}
        uses: actions/upload-artifact@v3
        with:
          name: kbaseapp-${{ matrix.app }}-${{ matrix.os }}
          path: kbase_app
```
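Review bot: same token-in-artifact pattern as the job above: after `sed -i` writes `$KBASE_TEST_TOKEN` into `kbase_app/test_local/test.cfg`, the failure artifact uploads `kbase_app` wholesale, so the secret is exposed to anyone who can download artifacts from a failed run. Also, the two `token` steps carry the identical name "run repo tests, using test.cfg for auth", which makes the job log ambiguous; the first job distinguishes them with "add env var to test.cfg", and this one should too.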
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, add a permissions block to the workflow file. The best way is to add it at the root level (just below the `name:` and before `on:`), so it applies to all jobs unless overridden. For this workflow, the jobs only need to read repository contents and upload artifacts, so the minimal permissions should be `contents: read`. If any job requires additional permissions (e.g., to write to issues or pull requests), those can be added at the job level, but in this case, none of the jobs appear to require such permissions. The change should be made at the top of `.github/workflows/basic_sdk_functionality_tests.yml`, adding the following block:

```yaml
permissions:
  contents: read
```

No additional imports, methods, or definitions are required.
| @@ -1,2 +1,4 @@ | ||
| name: Basic kb-sdk functionality tests | ||
| permissions: | ||
| contents: read | ||
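Review bot: this is the second autofix targeting `.github/workflows/basic_sdk_functionality_tests.yml`; the earlier alert for the other job in the same file proposes the identical `permissions:` / `contents: read` insertion at R2-R3. Apply one of the two, not both: a repeated top-level `permissions:` key is a duplicate mapping key and the workflow is rejected at parse time. A single workflow-level block already covers both jobs.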
Annotated lines from `.github/workflows/manual-build.yml`:

```yaml
    uses: kbase/.github/.github/workflows/reusable_build-push.yml@main
    with:
      name: '${{ github.event.repository.name }}-develop'
      tags: br-${{ github.ref_name }}
    secrets: inherit
```
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, explicitly set the permissions block in the workflow file. The best practice is to set it at the top level of the workflow, so it applies to all jobs unless overridden. Since the workflow appears to only build and push (likely to a container registry or similar), the minimal required permissions are probably contents: read (to read the repository contents). If the workflow or the reusable workflow needs to push to a registry or create releases, additional permissions may be needed, but as a safe default, contents: read is recommended. The change should be made by adding a permissions: block after the name: field and before the on: field in .github/workflows/manual-build.yml.
| @@ -2,2 +2,4 @@ | ||
| name: Manual Build & Push | ||
| permissions: | ||
| contents: read | ||
| on: |
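Review bot: `contents: read` at the caller also caps the token handed to `reusable_build-push.yml@main`; a called reusable workflow can be given the caller's permissions or fewer, never more. Check what that reusable workflow does with GITHUB_TOKEN before merging: if it pushes to GitHub Packages or creates releases it needs `packages: write` (or `contents: write`) declared here and the push will start failing with 403 after this change. If it pushes to Docker Hub with credentials passed through `secrets: inherit`, as the "upload to Dockerhub" commit in this PR suggests, `contents: read` is enough. This hunk does show the `on:` line, so the block lands at the right level.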
Annotated lines from the `Pull Request Build, Tag, & Push` workflow (`.github/workflows/pr_build.yml`), job preceding `build-develop-merge`:

```yaml
    if: github.base_ref == 'develop' && github.event.pull_request.merged == false
    uses: kbase/.github/.github/workflows/reusable_build.yml@main
    secrets: inherit
  build-develop-merge:
```
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, add a permissions block at the top level of the workflow file, immediately after the name key and before the on key. This block should specify the minimal permissions required for the workflow to function. As a starting point, set contents: read, which is the most restrictive and safest default. If any jobs or reusable workflows require additional permissions (such as pull-requests: write), those can be added as needed, but in the absence of such requirements in the provided snippet, contents: read is appropriate. No changes to the jobs themselves are necessary unless more granular permissions are required for specific jobs.
| @@ -2,2 +2,4 @@ | ||
| name: Pull Request Build, Tag, & Push | ||
| permissions: | ||
| contents: read | ||
| on: |
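Review bot: three separate alerts on this workflow (`Pull Request Build, Tag, & Push`) each propose the same two-line insertion at R3-R4; add exactly one `permissions:` block, since YAML rejects a duplicated top-level key. Because the block applies to every job in the file, including `build-develop-merge`, `build-main-open` and `trivy-scans`, size it for the most demanding of the reusable workflows those jobs call rather than only for the job this alert annotates, and override per job where one of them needs more.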
Annotated lines from `.github/workflows/pr_build.yml`, job `build-develop-merge`:

```yaml
    if: github.base_ref == 'develop' && github.event.pull_request.merged == true
    uses: kbase/.github/.github/workflows/reusable_build-push.yml@main
    with:
      name: '${{ github.event.repository.name }}-develop'
      tags: pr-${{ github.event.number }},latest
    secrets: inherit
  build-main-open:
```
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, add a permissions block at the top level of the workflow file, just below the name field and before the on field. This block should specify the minimum permissions required for the workflow to function. Since the jobs in this workflow only invoke reusable workflows and do not appear to require write access, the safest minimal starting point is contents: read. If any job or reusable workflow requires additional permissions, those can be added as needed. The change should be made at the top of .github/workflows/pr_build.yml, and no additional imports or definitions are required.
| @@ -2,2 +2,4 @@ | ||
| name: Pull Request Build, Tag, & Push | ||
| permissions: | ||
| contents: read | ||
| on: |
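Review bot: same insertion as the previous alert for this file; apply it once. One clarification the autofix text leaves open: the `if:` conditions in these jobs read `github.base_ref` and `github.event.pull_request.merged` from the event payload, which needs no `pull-requests` permission, so `contents: read` does not break the branch gating. What it does constrain is `reusable_build-push.yml@main`, so the same registry check as for `manual-build.yml` applies here.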
Annotated lines from `.github/workflows/pr_build.yml`, job `build-main-open`:

```yaml
    if: (github.base_ref == 'main' || github.base_ref == 'master') && github.event.pull_request.merged == true
    uses: kbase/.github/.github/workflows/reusable_build-push.yml@main
    with:
      name: '${{ github.event.repository.name }}'
      tags: pr-${{ github.event.number }},latest-rc
    secrets: inherit
  trivy-scans:
```
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, add a permissions block to the workflow file .github/workflows/pr_build.yml. The best practice is to set this at the top level, so all jobs inherit the least privilege by default. If any job requires additional permissions, you can override the block at the job level. As a minimal starting point, set contents: read, which is sufficient for most workflows that only need to check out code or read repository contents. If any job needs to write to pull requests or other resources, you can add those permissions as needed.
Steps:
- Add a `permissions:` block after the `name:` key and before the `on:` key (i.e., after line 2).
- Set `contents: read` as the minimal permission.
- If you know that some jobs require more (e.g., `pull-requests: write`), you can add those, but the minimal fix is to set `contents: read`.
| @@ -2,2 +2,4 @@ | ||
| name: Pull Request Build, Tag, & Push | ||
| permissions: | ||
| contents: read | ||
| on: |
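Review bot: this block would also govern the `trivy-scans` job, which calls `reusable_trivy-scans.yml@main`. If that reusable workflow uploads SARIF results to code scanning (for example via `github/codeql-action/upload-sarif`), it needs `security-events: write` from the caller, and with only `contents: read` set here the upload is refused. Either add `security-events: write` at the job level for `trivy-scans` or confirm the reusable workflow only reports or fails on findings without uploading.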
Annotated lines from `.github/workflows/pr_build.yml`, job `trivy-scans`:

```yaml
    if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master' ) && github.event.pull_request.merged == false
    uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
    secrets: inherit
```
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, add a permissions block at the top level of the workflow (just after the name: key and before on:). This block should specify the minimal permissions required for the workflow to function. As a starting point, set contents: read, which is the most restrictive and safest default. If any jobs require additional permissions (e.g., to write to pull requests), those can be added as needed. Since the jobs here only call reusable workflows, and without further information, the safest fix is to set contents: read at the workflow level. This will apply to all jobs unless overridden.
| @@ -2,2 +2,4 @@ | ||
| name: Pull Request Build, Tag, & Push | ||
| permissions: | ||
| contents: read | ||
| on: |
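Review bot: third identical autofix for the `Pull Request Build, Tag, & Push` workflow; one copy is enough. The autofix text's observation that "the jobs here only call reusable workflows" is the reason the caller-side block matters: `secrets: inherit` passes repository secrets through, but the caller's `permissions:` is the only place the GITHUB_TOKEN scope for those callees is set, so the value chosen here must match what `reusable_build.yml`, `reusable_build-push.yml` and `reusable_trivy-scans.yml` actually use.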
Annotated lines from `.github/workflows/release-main.yml`, job preceding `validate-release-tag`:

```yaml
    uses: kbase/.github/.github/workflows/reusable_validate-branch.yml@main
    with:
      build_branch: '${{ github.event.release.target_commitish }}'
  validate-release-tag:
```
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, add a permissions block to the root of the workflow file .github/workflows/release-main.yml. This block should specify the minimal set of permissions required for the workflow to function. Since the workflow is triggered by a release and appears to build and push images, it likely needs at least contents: read to access repository contents, and possibly packages: write or similar if it pushes to a package registry. As a minimal starting point, set contents: read. If further permissions are required (e.g., for pushing to packages or updating pull requests), they can be added as needed. The change should be made at the top level of the YAML file, immediately after the name: field and before the on: field.
| @@ -2,2 +2,4 @@ | ||
| name: Release - Build & Push Image | ||
| permissions: | ||
| contents: read | ||
| on: |
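Review bot: the autofix text speculates about `packages: write`, but the hunk only adds `contents: read`; the two statements should be reconciled before merging. The `build-push` job in this file calls `reusable_build-push.yml@main` with `secrets: inherit`, which suggests registry credentials come from repository secrets, in which case `contents: read` is right. If that reusable workflow instead logs into ghcr.io with GITHUB_TOKEN, add `packages: write` at the job level for `build-push` only rather than widening the workflow root.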
Annotated lines from `.github/workflows/release-main.yml`, job `validate-release-tag`:

```yaml
    needs: check-source-branch
    uses: kbase/.github/.github/workflows/reusable_validate-release-tag.yml@main
    with:
      release_tag: '${{ github.event.release.tag_name }}'
  build-push:
```
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, add a permissions block at the top level of the workflow file, immediately after the name: field and before the on: field. This block should specify the minimal permissions required for the workflow to function. Since the jobs in this workflow only call reusable workflows and do not appear to require write access themselves, the safest minimal starting point is contents: read. If any of the called reusable workflows require additional permissions, those can be added as needed, but starting with contents: read is the recommended baseline.
Steps:
- Edit `.github/workflows/release-main.yml`.
- Insert a `permissions:` block after the `name:` field (line 2), before the `on:` field (line 3).
- Set `contents: read` as the minimal permission.
| @@ -2,2 +2,4 @@ | ||
| name: Release - Build & Push Image | ||
| permissions: | ||
| contents: read | ||
| on: |
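Review bot: second of three identical suggestions for `.github/workflows/release-main.yml`; apply only one. The `validate-release-tag` job (`needs: check-source-branch`, calling `reusable_validate-release-tag.yml@main` with `github.event.release.tag_name`) only reads event data and is unaffected by `contents: read`, so the only job in this file that needs a second look is `build-push`.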
Annotated lines from `.github/workflows/release-main.yml`, job `build-push`:

```yaml
    needs: validate-release-tag
    uses: kbase/.github/.github/workflows/reusable_build-push.yml@main
    with:
      name: '${{ github.event.repository.name }}'
      tags: '${{ github.event.release.tag_name }},latest'
    secrets: inherit
```
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago):
To fix the problem, you should add a permissions block to the workflow, either at the root level (to apply to all jobs) or to individual jobs as needed. The block should specify the minimal set of permissions required for the workflow to function. Since this workflow is triggered by a release event and appears to build and push images, it likely needs at least contents: read (to read repository contents) and possibly packages: write or actions: write if it interacts with packages or actions. As a minimal starting point, you should add permissions: contents: read at the root level, and then adjust as needed if you know the workflow requires more. The change should be made at the top of the file, after the name: block and before on:.
| @@ -2,2 +2,4 @@ | ||
| name: Release - Build & Push Image | ||
| permissions: | ||
| contents: read | ||
| on: |
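Review bot: third identical suggestion for `release-main.yml`. Across the ten alerts there are only four files involved (`basic_sdk_functionality_tests.yml`, `manual-build.yml`, `pr_build.yml`, `release-main.yml`), so the cleaner fix is one top-level `permissions:` / `contents: read` block per file, with per-job overrides where a reusable workflow needs `packages: write` or `security-events: write`, followed by a CodeQL rerun to confirm all ten alerts clear from the same change.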
No description provided.