Ci tests #99
base: feature/restart-engine-on-network-change
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Run unit tests | ||
| run: ./gradlew test --no-daemon | ||
|
|
||
| - name: Upload test results | ||
| if: always() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: unit-test-results | ||
| path: | | ||
| app/build/reports/tests/ | ||
| tool/build/reports/tests/ | ||
| retention-days: 3 | ||
|
|
||
| instrumented-tests: |
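Review bot: the `Checkout repository` step uses `actions/checkout@v4` without `persist-credentials: false`, so the job token stays in the local git config while `./gradlew test --no-daemon` executes build logic taken from the pull request. Add `persist-credentials: false` under `with:` next to `submodules: recursive`; none of the visible later steps (test run, artifact upload) needs git credentials.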
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
The best way to fix this problem is to add a permissions key to the workflow, either at the root or at the job level, specifying the minimal required permissions for the workflow's jobs. In this workflow, none of the jobs perform any action needing write-level permissions on repository contents, issues, or pull requests. Therefore, setting permissions: contents: read at the workflow root will limit the token to read-only repository contents, addressing the security concern in line with GitHub recommendations. This change should be made near the top of .github/workflows/build-debug.yml, right after the name and before the on key for clarity and convention.
| @@ -1,4 +1,6 @@ | ||
| name: build debug | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: |
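Review bot: the new root-level `permissions:` block has no comment explaining the choice, and declaring `contents: read` there sets every scope not listed to none for all jobs. Add a one-line YAML comment above `permissions:` saying the jobs only check out, test and upload artifacts, so that a later job that needs to write (for example to publish check results) gets its own job-level `permissions:` block instead of widening this one.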
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Enable KVM group perms | ||
| run: | | ||
| echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules | ||
| sudo udevadm control --reload-rules | ||
| sudo udevadm trigger --name-match=kvm | ||
| - name: Run instrumented tests | ||
| uses: reactivecircus/android-emulator-runner@v2 | ||
| with: | ||
| api-level: 30 | ||
| target: google_apis | ||
| arch: x86_64 | ||
| profile: pixel_3a | ||
| disable-animations: true | ||
| script: ./gradlew connectedDebugAndroidTest --no-daemon | ||
|
|
||
| - name: Upload test results | ||
| if: always() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: instrumented-test-results | ||
| path: | | ||
| app/build/reports/androidTests/ | ||
| tool/build/reports/androidTests/ | ||
| retention-days: 3 |
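Review bot: `reactivecircus/android-emulator-runner@v2` in the `Run instrumented tests` step is a third-party action referenced by a mutable tag, and it is the step that runs `./gradlew connectedDebugAndroidTest --no-daemon` inside the job. Pin it to a full commit SHA with the version in a trailing comment, so a retagged release cannot change what executes here; `actions/checkout@v4` and `actions/upload-artifact@v4` can be pinned the same way for consistency.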
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
To fix this issue, you should add a permissions: block at either the workflow root or in each job entry. The recommended fix is to add it at the root of the workflow, which will apply to all jobs unless a more specific permissions: block is set inside a job. Since none of the jobs in the workflow require write access (they only check out code, run builds/tests, and upload artifacts), the minimal required permission is contents: read. This is standard and will adhere to the principle of least privilege. There is no need to change or add any other functionality; the fix is a single line addition near the top, after the name: and before on:.
| @@ -1,4 +1,6 @@ | ||
| name: build debug | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: |
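Review bot: this suggestion inserts the same `permissions:` / `contents: read` lines at the same position (`@@ -1,4 +1,6 @@`, after `name: build debug`) as the autofix attached to the unit test job's alert. Apply only one of the two; a root-level block already covers both jobs, and applying both would leave a duplicate `permissions:` key in the file.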
No description provided.