Open
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Comment on lines
25
to
88
| runs-on: ubuntu-latest | ||
| timeout-minutes: 25 | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | ||
| with: | ||
| go-version-file: go.mod | ||
|
|
||
| - name: Install k3d | ||
| run: | | ||
| curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash | ||
|
|
||
| - name: Install helmfile + helm-diff | ||
| run: | | ||
| curl -fsSL https://github.com/helmfile/helmfile/releases/download/v1.2.3/helmfile_1.2.3_linux_amd64.tar.gz \ | ||
| | tar -xzC /usr/local/bin helmfile | ||
| helm plugin install https://github.com/databus23/helm-diff --version v3.14.1 | ||
|
|
||
| - name: Build obol binary | ||
| run: | | ||
| mkdir -p .workspace/bin | ||
| go build -o .workspace/bin/obol ./cmd/obol | ||
|
|
||
| - name: Start cluster | ||
| run: | | ||
| .workspace/bin/obol stack init | ||
| .workspace/bin/obol stack up | ||
| # Wait for default infrastructure to settle. | ||
| sleep 30 | ||
| .workspace/bin/obol kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=traefik -n traefik --timeout=120s || true | ||
| .workspace/bin/obol kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=erpc -n erpc --timeout=120s || true | ||
|
|
||
| - name: Run wallet E2E test | ||
| env: | ||
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | ||
| HOODI_FUNDER_PRIVATE_KEY: ${{ secrets.HOODI_FUNDER_PRIVATE_KEY }} | ||
| run: | | ||
| go test -tags integration -v -run 'TestIntegration_WalletE2E' \ | ||
| -timeout 20m ./internal/openclaw/ | ||
|
|
||
| - name: Collect logs on failure | ||
| if: failure() | ||
| run: | | ||
| echo "=== Pod status ===" | ||
| .workspace/bin/obol kubectl get pods -A || true | ||
| echo "" | ||
| echo "=== Events ===" | ||
| .workspace/bin/obol kubectl get events -A --sort-by='.lastTimestamp' | tail -50 || true | ||
| echo "" | ||
| echo "=== OpenClaw logs ===" | ||
| .workspace/bin/obol kubectl logs -n openclaw-test-wallet-e2e deploy/openclaw -c openclaw --tail=50 || true | ||
| echo "" | ||
| echo "=== Remote-signer logs ===" | ||
| .workspace/bin/obol kubectl logs -n openclaw-test-wallet-e2e deploy/remote-signer --tail=50 || true | ||
|
|
||
| - name: Tear down cluster | ||
| if: always() | ||
| run: | | ||
| .workspace/bin/obol stack down || true | ||
| .workspace/bin/obol stack purge -f || true |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 14 hours ago
In general, fix this class of issue by explicitly declaring a permissions: block that grants only the minimal required scopes, either at the workflow root (applies to all jobs) or for each job individually. For a typical test-only workflow that just checks out code and runs tests, contents: read is sufficient.
For this specific file .github/workflows/wallet-e2e.yml, the best fix without changing functionality is:
- Add a workflow-level
permissions:block after theon:section (or beforejobs:) withcontents: read. - This ensures the
wallet-e2ejob has a read-onlyGITHUB_TOKEN, which is enough foractions/checkoutand any implicit token use. - No steps in this snippet need write access (no pushes, issue/PR mutations, or releases), so we do not grant any
writescopes.
Concretely:
-
Insert:
permissions: contents: read
between the
on:block (ending at line 20) and theenv:block (starting at line 22). No imports or additional definitions are required.
Suggested changeset
1
.github/workflows/wallet-e2e.yml
| @@ -19,6 +19,9 @@ | ||
| # Weekly on Monday at 07:00 UTC — catch regressions without burning credits daily. | ||
| - cron: '0 7 * * 1' | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| OBOL_CONFIG_DIR: ${{ github.workspace }}/.workspace/config | ||
| OBOL_BIN_DIR: ${{ github.workspace }}/.workspace/bin |
Copilot is powered by AI and may make mistakes. Always verify output.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Need to test the action next