Revert repository to commit 244d656 #107
This reverts all changes made after commit 244d656
| name: iOS | ||
| runs-on: macos-14 | ||
| env: | ||
| APP_ARCHIVE_PATH: sentry_react_native.app.zip | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ALLOW_FAILURE: false | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ inputs.ref }} | ||
|
|
||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 18 | ||
| cache: 'npm' | ||
| cache-dependency-path: package-lock.json | ||
|
|
||
| - run: npm ci | ||
|
|
||
| - uses: ruby/setup-ruby@v1 | ||
| with: | ||
| ruby-version: '3.3.0' | ||
| bundler-cache: true # runs 'bundle install' and caches installed gems automatically | ||
|
|
||
| - working-directory: ios | ||
| run: bundle exec pod install | ||
|
|
||
| - name: Run xcodebuild | ||
| working-directory: ios | ||
| run: | | ||
| mkdir -p "DerivedData" | ||
| derivedData="$(cd "DerivedData" ; pwd -P)" | ||
| set -o pipefail && xcodebuild \ | ||
| -workspace sentry_react_native.xcworkspace \ | ||
| -configuration "Release" \ | ||
| -scheme sentry_react_native \ | ||
| -destination 'generic/platform=iOS Simulator' \ | ||
| -derivedDataPath "$derivedData" \ | ||
| build \ | ||
| | tee xcodebuild.log \ | ||
| | xcbeautify --quieter --is-ci --disable-colored-output | ||
| - name: Archive App | ||
| run: | | ||
| cd ios/DerivedData/Build/Products/Release-iphonesimulator | ||
| zip -r \ | ||
| ${{ github.workspace }}/${{ env.APP_ARCHIVE_PATH }} \ | ||
| sentry_react_native.app | ||
| - name: Upload APP | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: empower-plant-react-native-ios | ||
| path: ${{ env.APP_ARCHIVE_PATH }} | ||
| retention-days: 60 | ||
|
|
||
| - name: Upload logs | ||
| if: ${{ always() }} | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: build-ios-logs | ||
| path: ios/xcodebuild.log |
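Review bot: the job shown here has no permissions block, so its GITHUB_TOKEN keeps the repository default even though the steps only check out code and upload artifacts; a root-level `permissions: contents: read` (the CodeQL suggestion) is the right floor. Separately, SENTRY_AUTH_TOKEN is set in the job-level env, which hands it to every step, including the third-party setup actions and the xcodebuild/tee/xcbeautify pipeline; moving it into the env of the one step that consumes it narrows the exposure. The actions here are referenced by mutable tags (actions/checkout@v4, ruby/setup-ruby@v1, actions/upload-artifact@v4) while the UI-test job in this same PR pins its third-party actions to commit SHAs; pinning consistently makes the dependency set auditable.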
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 months ago):
To fix the problem, you should add a permissions block to the workflow to explicitly restrict the GITHUB_TOKEN permissions to the minimum required. In this case, the workflow only needs to read repository contents (for actions/checkout) and upload artifacts (which does not require write access to repository contents). The recommended fix is to add permissions: contents: read at the root level of the workflow (above jobs:), which will apply to all jobs unless overridden. This change should be made at the top of the .github/workflows/build-ios.yml file, after the name: and before the on: block.
| @@ -1,2 +1,4 @@ | ||
| name: iOS | ||
| permissions: | ||
| contents: read | ||
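Review bot: contents: read is the right floor here, and since build-ios.yml is a reusable workflow its block can only narrow what the caller grants, never widen it; the callers (build.yml and release.yml, both flagged in this PR) still need their own blocks, because this one only governs the called job.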
|
|
| name: 'Build iOS' | ||
| uses: ./.github/workflows/build-ios.yml | ||
| secrets: inherit | ||
|
|
||
| - uses: ruby/setup-ruby@v1 | ||
| with: | ||
| ruby-version: '3.3.0' | ||
| bundler-cache: true # runs 'bundle install' and caches installed gems automatically | ||
|
|
||
| - working-directory: ios | ||
| run: bundle exec pod install | ||
|
|
||
| - name: Run xcodebuild | ||
| working-directory: ios | ||
| run: | | ||
| mkdir -p "DerivedData" | ||
| derivedData="$(cd "DerivedData" ; pwd -P)" | ||
| set -o pipefail && xcodebuild \ | ||
| -workspace sentry_react_native.xcworkspace \ | ||
| -configuration "Release" \ | ||
| -scheme sentry_react_native \ | ||
| -destination 'generic/platform=iOS Simulator' \ | ||
| -derivedDataPath "$derivedData" \ | ||
| build \ | ||
| | tee xcodebuild.log \ | ||
| | xcbeautify --quieter --is-ci --disable-colored-output | ||
| - name: Upload APP | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: empower-plant-react-native-ios | ||
| path: ios/DerivedData/Build/Products/Release-iphonesimulator/sentry_react_native.app | ||
| retention-days: 60 | ||
|
|
||
| - name: Upload logs | ||
| if: ${{ always() }} | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: build-ios-logs | ||
| path: ios/xcodebuild.log | ||
|
|
||
| run-ui-test-android: | ||
| name: UI Test Android | ||
| test: |
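Review bot: `secrets: inherit` on the build-ios call passes every repository and organization secret into the called workflow, while the build-ios.yml shown in this PR reads only SENTRY_AUTH_TOKEN; listing that one secret explicitly under `secrets:` keeps the callee's access matched to its need and makes any later addition visible in review. Note also that this version's Upload APP step uploads the raw sentry_react_native.app directory, whereas the other build-ios.yml version in this PR zips it to APP_ARCHIVE_PATH first; the publish-release job passes APP_ARCHIVE_PATH to gh release create, so whichever version survives the revert has to match what publish-release expects.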
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 months ago):
To fix the problem, add a permissions block to the workflow file. This can be done at the top level (applies to all jobs) or at the job level (applies to individual jobs). Since none of the jobs in this workflow appear to require write access (they only call reusable workflows and run builds/tests), the safest minimal starting point is to set permissions: read-all at the workflow level. This restricts the GITHUB_TOKEN to read-only permissions for all scopes, adhering to the principle of least privilege. If any job or called workflow requires additional permissions, those can be added explicitly in the relevant workflow files.
What to change:
- Add the following block after the name: line and before on: in .github/workflows/build.yml: permissions: read-all
- No other changes are needed unless a job requires more permissions, in which case those should be set in the called workflow files.
| @@ -1,2 +1,3 @@ | ||
| name: Build | ||
| permissions: read-all | ||
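Review bot: permissions: read-all grants read on every scope (issues, pull-requests, packages, and the rest), which is more than this workflow's jobs use; contents: read, as proposed in the other suggestion on this file, is the narrower choice, and both equally rule out writes.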
|
|
| name: 'Run UI Tests' | ||
| needs: build-android | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup KVM | ||
| shell: bash | ||
| run: | | ||
| # check if virtualization is supported... | ||
| sudo apt install -y --no-install-recommends cpu-checker coreutils && echo "CPUs=$(nproc --all)" && kvm-ok | ||
| # allow access to KVM to run the emulator | ||
| echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' \ | ||
| | sudo tee /etc/udev/rules.d/99-kvm4all.rules | ||
| sudo udevadm control --reload-rules | ||
| sudo udevadm trigger --name-match=kvm | ||
| - name: Download APK artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: empower-plant-react-native-android | ||
|
|
||
| - name: Install Maestro | ||
| uses: dniHze/maestro-test-action@bda8a93211c86d0a05b7a4597c5ad134566fbde4 # [email protected] | ||
| with: | ||
| maestro-version: ${{env.MAESTRO_VERSION}} | ||
|
|
||
| - name: Run tests | ||
| uses: reactivecircus/android-emulator-runner@62dbb605bba737720e10b196cb4220d374026a6d # [email protected] | ||
| with: | ||
| api-level: 30 | ||
| force-avd-creation: false | ||
| disable-animations: true | ||
| disable-spellchecker: true | ||
| target: 'aosp_atd' | ||
| channel: canary # Necessary for ATDs | ||
| emulator-options: > | ||
| -no-window | ||
| -no-snapshot-save | ||
| -gpu swiftshader_indirect | ||
| -noaudio | ||
| -no-boot-anim | ||
| -camera-back none | ||
| -camera-front none | ||
| -timezone US/Pacific | ||
| script: | | ||
| adb install -r -d app-release.apk | ||
| maestro test maestro --debug-output maestro-logs --env=APP_ID=com.sentry_react_native | ||
| uses: ./.github/workflows/test.yml |
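Review bot: maestro-version takes ${{env.MAESTRO_VERSION}}, but MAESTRO_VERSION is not defined in any of the lines shown; if it is not set at the workflow level the action receives an empty string. The two third-party actions are pinned to full commit SHAs with the version recorded in a comment, which is the right pattern; actions/checkout@v4 and actions/download-artifact@v4 in the same job are on mutable tags and could be pinned the same way.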
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 months ago):
To fix the problem, you should add a permissions block to the workflow. The best way is to add it at the root level, so it applies to all jobs unless overridden. The minimal starting point is usually contents: read, which is sufficient for most build and test workflows that do not need to write to the repository or interact with issues or pull requests. If any job requires additional permissions, you can override the block at the job level. In this case, since all jobs use reusable workflows and there is no evidence that write permissions are needed, adding permissions: contents: read at the root of .github/workflows/build.yml (after the name: and before on:) is the best fix.
| @@ -1,2 +1,4 @@ | ||
| name: Build | ||
| permissions: | ||
| contents: read | ||
|
|
| runs-on: ubuntu-latest | ||
| name: 'Prepare Release' | ||
| steps: | ||
| - name: Set environment variables | ||
| run: | | ||
| echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 18 | ||
| cache: 'npm' | ||
| cache-dependency-path: package-lock.json | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Bump Version | ||
| run: | | ||
| git config user.name getsentry-bot | ||
| git config user.email [email protected] | ||
| git checkout -b release/${{ env.VERSION }} | ||
| npm version ${{ env.VERSION }} | ||
| git tag --force ${{ env.VERSION }} -m ${{ env.VERSION }} | ||
| git push origin ${{ env.VERSION }} | ||
| git push origin release/${{ env.VERSION }} | ||
| build-android: |
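Review bot: the Bump Version script splices ${{ env.VERSION }} (sourced from inputs.version) into the shell text with the expression syntax, so the input is substituted before the shell parses the script; since the first step already writes VERSION to GITHUB_ENV, the script can read it as a quoted environment variable ("$VERSION") and the value stays data rather than script. git tag --force also moves an existing tag of the same name to the new commit, so re-running with an already released version silently re-points that release; letting a plain git tag fail on a duplicate is the safer default. These pushes need contents: write, which is what the autofix suggestions for this file give the bump-version job.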
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 months ago):
To fix the problem, add a permissions block at the top level of the workflow (recommended), or at the job level if different jobs require different permissions. The minimal starting point is contents: read, but some jobs (such as those pushing tags/branches or creating releases) require contents: write. The bump-version and publish-release jobs both perform git operations and create releases, so they require contents: write. The build-android and build-ios jobs only call reusable workflows and do not need elevated permissions, so they can inherit the default or be set to contents: read.
The best way to fix this is to add a permissions block at the workflow root, setting contents: write (since at least two jobs require it). If you want to be more restrictive, you could set contents: write only for the jobs that need it, and contents: read for the rest. For simplicity and clarity, adding at the workflow root is sufficient and safe for this workflow.
Change to make:
- Add the following at the top level of .github/workflows/release.yml, after the name and before on, or after on: permissions: contents: write
| @@ -1,2 +1,4 @@ | ||
| name: Release | ||
| permissions: | ||
| contents: write | ||
| on: |
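Review bot: a root-level contents: write also applies to build-android and build-ios, which only call reusable workflows and need nothing beyond read; the job-level layout in the other suggestion on this file (contents: read at the root, contents: write only on bump-version and publish-release) is the least-privilege form and should be preferred.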
| name: 'Build Android' | ||
| needs: [bump-version] | ||
| uses: ./.github/workflows/build-android.yml | ||
| secrets: inherit | ||
| with: | ||
| ref: release/${{ inputs.version }} | ||
|
|
||
| build-ios: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 months ago):
To fix the problem, you should add a permissions block to the workflow, either at the root level (to apply to all jobs) or to individual jobs as needed. The minimal starting point is to set contents: read, which allows jobs to read repository contents but not write. For jobs that require additional permissions (such as creating releases or pushing tags/branches), you should grant only the necessary write permissions (e.g., contents: write, pull-requests: write). In this case, since the workflow includes jobs that push tags/branches and create releases, those jobs will need contents: write and possibly pull-requests: write, while build jobs likely only need contents: read. The best way to fix this is to add a root-level permissions block with contents: read (as a safe default), and then override with more permissive settings for jobs that require them (e.g., bump-version and publish-release). The changes should be made at the top of the .github/workflows/release.yml file, and within the relevant jobs.
| @@ -8,2 +8,5 @@ | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| @@ -17,2 +20,4 @@ | ||
| name: 'Prepare Release' | ||
| permissions: | ||
| contents: write | ||
| steps: | ||
| @@ -64,2 +69,4 @@ | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| env: |
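Review bot: this is the layout to take: the root block caps every job at contents: read, and only the two jobs that push refs or create a release get contents: write; gh release create is covered by the contents scope, so no further scopes are needed for the steps visible here, and the two reusable-workflow jobs simply inherit the root read.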
| name: 'Build iOS' | ||
| needs: [bump-version] | ||
| uses: ./.github/workflows/build-ios.yml | ||
| secrets: inherit | ||
| with: | ||
| ref: release/${{ inputs.version }} | ||
|
|
||
| publish-release: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 months ago):
To fix the problem, you should add an explicit permissions block to the workflow. The best way is to add it at the top level of the workflow (just after the name: and on: blocks), so it applies to all jobs unless overridden. You should set the permissions to the minimum required for the workflow to function. Based on the jobs shown:
- The bump-version job pushes tags and branches, so it needs contents: write.
- The publish-release job creates a release, so it needs contents: write.
- The build-android and build-ios jobs use reusable workflows, so their permissions should be set in those workflows, but it's safe to set minimal permissions here.
A good minimal starting point is:
permissions:
  contents: write
If you know that only releases and pushes are needed, you can further restrict, but contents: write is the standard for workflows that push code or create releases.
Add the following block after the name: and before env: in .github/workflows/release.yml.
| @@ -8,2 +8,5 @@ | ||
|
|
||
| permissions: | ||
| contents: write | ||
|
|
||
| env: |
| name: 'Publish Release' | ||
| needs: [bump-version, build-android, build-ios] | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| MERGE_TARGET: master | ||
| steps: | ||
| - name: Set environment variables | ||
| run: | | ||
| echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 # fetch all history all branches and tags | ||
|
|
||
| - name: Download iOS App | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: empower-plant-react-native-ios | ||
|
|
||
| - name: Download Android APK | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: empower-plant-react-native-android | ||
|
|
||
| - name: Set GitHub user | ||
| run: | | ||
| git config user.name getsentry-bot | ||
| git config user.email [email protected] | ||
| - name: Create Release | ||
| run: | | ||
| gh release create \ | ||
| ${{ env.VERSION }} \ | ||
| ${{ env.APK_PATH }} \ | ||
| ${{ env.APP_ARCHIVE_PATH }} \ | ||
| --title ${{ env.VERSION }} \ | ||
| --notes "Release ${{ env.VERSION }}" \ | ||
| || error_exit "Failed to create GitHub release." | ||
| - name: Clean up Release Branch | ||
| run: | | ||
| git reset --hard | ||
| git checkout ${{ env.MERGE_TARGET }} | ||
| git push origin --delete release/${{ env.VERSION }} |
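Review bot: APK_PATH and APP_ARCHIVE_PATH are passed to gh release create, but the only env visible in this job is MERGE_TARGET, and error_exit is invoked without being defined in the script; if those two variables are not set at the workflow level the command runs with empty asset arguments, and an undefined error_exit yields "command not found" instead of the intended message (the step still fails, because that lookup itself exits non-zero). gh also needs GH_TOKEN or GITHUB_TOKEN in its environment, which is not set in the lines shown. Quoting the expansions ("${{ env.VERSION }}" and the two asset paths) keeps a value containing spaces from splitting into separate arguments.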
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 months ago):
To fix the problem, you should add a permissions block to the workflow or to each job, specifying only the permissions required for the actions performed. For this workflow, the jobs that push tags/branches and create releases need contents: write, while jobs that only read code or artifacts may only need contents: read. The minimal fix is to add a permissions block at the workflow root, setting contents: write, or to each job as appropriate. Since the bump-version and publish-release jobs perform git pushes and create releases, they need contents: write. The build-android and build-ios jobs likely only need contents: read (assuming they do not push or create releases). The best fix is to add a workflow-level permissions block with contents: write, or, for stricter control, add job-level permissions blocks.
You should edit .github/workflows/release.yml to add the permissions block. The block should be placed at the top level (after name: and before on: or after on:), or within each job as needed.
| @@ -1,2 +1,4 @@ | ||
| name: Release | ||
| permissions: | ||
| contents: write | ||
| on: |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup KVM | ||
| shell: bash | ||
| run: | | ||
| # check if virtualization is supported... | ||
| sudo apt install -y --no-install-recommends cpu-checker coreutils && echo "CPUs=$(nproc --all)" && kvm-ok | ||
| # allow access to KVM to run the emulator | ||
| echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' \ | ||
| | sudo tee /etc/udev/rules.d/99-kvm4all.rules | ||
| sudo udevadm control --reload-rules | ||
| sudo udevadm trigger --name-match=kvm | ||
| - name: Download APK artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: empower-plant-react-native-android | ||
|
|
||
| - name: Install Maestro | ||
| uses: dniHze/maestro-test-action@bda8a93211c86d0a05b7a4597c5ad134566fbde4 # [email protected] | ||
| with: | ||
| maestro-version: ${{env.MAESTRO_VERSION}} | ||
|
|
||
| - name: Run tests | ||
| uses: reactivecircus/android-emulator-runner@62dbb605bba737720e10b196cb4220d374026a6d # [email protected] | ||
| with: | ||
| api-level: 30 | ||
| force-avd-creation: false | ||
| disable-animations: true | ||
| disable-spellchecker: true | ||
| target: 'aosp_atd' | ||
| channel: canary # Necessary for ATDs | ||
| emulator-options: > | ||
| -no-window | ||
| -no-snapshot-save | ||
| -gpu swiftshader_indirect | ||
| -noaudio | ||
| -no-boot-anim | ||
| -camera-back none | ||
| -camera-front none | ||
| -timezone US/Pacific | ||
| script: | | ||
| adb install -r -d app-release.apk | ||
| maestro test maestro --debug-output maestro-logs --env=APP_ID=com.sentry_react_native |
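Review bot: the Setup KVM step installs a udev rule with MODE="0666", which makes /dev/kvm readable and writable by every local user; that is acceptable on an ephemeral GitHub-hosted runner, which is discarded after the job, but on a self-hosted runner the rule persists, so there it should be 0660 with the runner user added to the kvm group. The job has no permissions block, which is the CodeQL finding attached here; contents: read is enough for checkout plus artifact download.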
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium) test
Copilot Autofix (AI, 3 months ago):
To fix the problem, add a permissions block to the workflow to explicitly set the minimum required permissions for the GITHUB_TOKEN. Since the workflow appears to only need to download artifacts and check out code (no evidence of writing to the repository, creating issues, or making pull requests), the minimal permission required is likely contents: read. This can be set at the workflow level (applies to all jobs) or at the job level (applies only to the specified job). The best practice is to add it at the top level, just after the name and before on, to ensure all jobs inherit the least privilege unless otherwise specified.
Required change:
- Insert the following block after the name field and before the on field in .github/workflows/test.yml: permissions: contents: read
No additional methods, imports, or definitions are needed.
| @@ -1,2 +1,4 @@ | ||
| name: UI Test Android | ||
| permissions: | ||
| contents: read | ||
|
|
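Every autofix in this thread rests on one rule: a root-level permissions block applies to every job unless the job declares its own, and a workflow with neither leaves the token at the repository default. The checker below, added here as an example and not code from this repository or from CodeQL, applies that rule to workflow text and reports which jobs end up with no block at all and where write access lands. It is deliberately line-based so it runs without PyYAML; the sample workflow it runs on is constructed for the example and only mirrors the shape of the release.yml shown in the diff.

```python
"""Effective GITHUB_TOKEN permissions per job, read from workflow YAML text.
Added example for this review thread, not code from the repository or CodeQL.
Rule applied: a root-level permissions block covers every job unless the job
declares its own; a job with neither gets the repository default token.
"""
import re
from typing import Dict, List, Optional, Tuple, Union

# Shorthand scalar ("read-all", "write-all", "{}") or a {scope: level} mapping.
Permissions = Union[str, Dict[str, str]]
# `key: value` at any indent; list items such as "- uses: ..." deliberately do not match.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_-]+):(.*)$")


def _split_key(line: str) -> Optional[Tuple[int, str, str]]:
    """(indent, key, value) for a `key: value` line, with a trailing comment dropped."""
    m = KEY_RE.match(line)
    if not m:
        return None
    return len(m.group(1)), m.group(2), m.group(3).split(" #", 1)[0].strip()


def _read_block(keys: List[Tuple[int, str, str]], i: int) -> Tuple[Permissions, int]:
    """Consume the permissions value whose key is keys[i]; return (value, next index)."""
    indent, _, value = keys[i]
    if value:                                    # shorthand form, e.g. `permissions: read-all`
        return value, i + 1
    scopes: Dict[str, str] = {}
    i += 1
    while i < len(keys) and keys[i][0] > indent:  # children are indented deeper than the key
        scopes[keys[i][1]] = keys[i][2]
        i += 1
    return scopes, i


def parse_permissions(text: str) -> Tuple[Optional[Permissions], Dict[str, Optional[Permissions]]]:
    """Return (root block or None, {job id: that job's own block or None})."""
    # Only `key: value` lines carry structure here; blanks, comments and list items
    # fall out because KEY_RE does not match them.
    keys = [p for p in map(_split_key, text.splitlines()) if p]
    root: Optional[Permissions] = None
    jobs: Dict[str, Optional[Permissions]] = {}
    in_jobs, current, job_indent, child_indent = False, None, None, None
    i = 0
    while i < len(keys):
        indent, key, _ = keys[i]
        if indent == 0:                          # top-level key: name, on, env, permissions, jobs
            in_jobs, current = key == "jobs", None
            if key == "permissions":
                root, i = _read_block(keys, i)
                continue
        elif in_jobs:
            if job_indent is None:
                job_indent = indent              # column of the job ids under jobs:
            if indent == job_indent:
                current, child_indent = key, None
                jobs[key] = None
            elif current is not None:
                if child_indent is None:
                    child_indent = indent        # a job's direct keys all share this column
                if indent == child_indent and key == "permissions":
                    jobs[current], i = _read_block(keys, i)
                    continue
        i += 1
    return root, jobs


def effective_permissions(text: str) -> Dict[str, Optional[Permissions]]:
    """Per job: its own block if present, else the root block, else None (repository default)."""
    root, jobs = parse_permissions(text)
    return {job: own if own is not None else root for job, own in jobs.items()}


def findings(text: str) -> List[str]:
    """Review-style findings: missing blocks, and where write access ends up."""
    root, _ = parse_permissions(text)
    out: List[str] = []
    if root is None:
        out.append("no root-level permissions block; jobs without their own block get the repository default token")
    for job, perms in effective_permissions(text).items():
        if perms is None:
            out.append(f"job {job!r}: no effective permissions block")
        elif isinstance(perms, dict):
            writes = sorted(scope for scope, level in perms.items() if level == "write")
            if writes:
                out.append(f"job {job!r}: grants write on {writes}")
    return out


# Constructed sample shaped like the release.yml in the diff; not the real file.
SAMPLE_RELEASE = """\
name: Release
on: workflow_dispatch
jobs:
  bump-version:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # pushes the tag and the release branch
    steps:
      - run: echo bump
  build-android:
    uses: ./.github/workflows/build-android.yml
    secrets: inherit
  publish-release:
    needs: [bump-version, build-android]
    runs-on: ubuntu-latest
    steps:
      - run: echo publish
"""
# The same workflow with the root-level read block the autofix proposes.
SAMPLE_WITH_ROOT = SAMPLE_RELEASE.replace("jobs:\n", "permissions:\n  contents: read\njobs:\n", 1)
```

Calling findings(SAMPLE_RELEASE) reports the missing root block and the two jobs that fall through to the repository default; with SAMPLE_WITH_ROOT only the deliberate contents: write on bump-version remains, which is the outcome the job-level autofix variant for release.yml produces.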