Add Registries and its metadata creation part #18
…dp/furl-cli into feature/registries
| name: Build APT package | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Rust toolchain | ||
| uses: actions-rs/toolchain@v1 | ||
| with: | ||
| toolchain: stable | ||
| profile: minimal | ||
| override: true | ||
|
|
||
| - name: Install Debian packaging tools | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y --no-install-recommends \ | ||
| debhelper \ | ||
| devscripts \ | ||
| pkg-config | ||
|
|
||
| - name: Build Debian package | ||
| run: | | ||
| cd registries/apt | ||
| dpkg-buildpackage -us -uc -b | ||
|
|
||
| - name: Collect Debian artifacts | ||
| run: | | ||
| mkdir -p artifacts/apt | ||
| find registries -maxdepth 1 -type f -name "*.deb" -exec cp {} artifacts/apt/ \; | ||
|
|
||
| - name: Upload Debian artifacts | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apt-package | ||
| path: artifacts/apt/*.deb | ||
|
|
||
| build_flatpak: |
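Review bot: every `uses:` in this job points at a mutable tag (actions/checkout@v4, actions-rs/toolchain@v1, actions/upload-artifact@v4); pin each third-party action to a full commit SHA, keeping the tag in a trailing comment, so that a retagged or compromised action cannot silently change what runs with the build's token. Separately, the Collect Debian artifacts step does look in the right place (dpkg-buildpackage invoked from registries/apt writes the .deb one level up, which `find registries -maxdepth 1` covers), but nothing fails if no package was produced: actions/upload-artifact only warns on an empty match by default, so add `if-no-files-found: error` under `with:` in the Upload Debian artifacts step, or check that the find returned a file before uploading.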
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 23 days ago
In general, the fix is to define an explicit permissions: block that grants only the minimal required scopes for the GITHUB_TOKEN, either at the workflow root (applies to all jobs) or per job. Since neither job needs to modify repository contents, a restrictive root‑level block such as permissions: { contents: read } is appropriate; the jobs use actions/checkout and actions/upload-artifact, both of which work with contents: read and do not require write access.
The best fix here without changing existing functionality is to add a single permissions: block at the top level of .github/workflows/package-registries.yml, between on: and env: (or directly under name: / on:), setting contents: read. No job appears to need any additional scopes (packages, pull-requests, etc.), and there are no GitHub API calls that would require broader access. This single block will satisfy CodeQL, document the required permissions, and ensure that if the repo/org defaults change, this workflow continues to run with only read access to repository contents.
Concretely, edit .github/workflows/package-registries.yml to insert:
permissions:
  contents: read
just after the on: block (line 5), leaving the rest of the workflow unchanged.
| @@ -3,6 +3,9 @@ | ||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| CARGO_TERM_COLOR: always | ||
|
|
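Review bot: `permissions: contents: read` at the workflow root is the right minimal grant here, since both jobs only check out the repository and upload artifacts; keep in mind that a job-level `permissions:` block replaces rather than merges with the root-level one, so if a job is ever added that publishes the packages (for example with `packages: write`), that job must restate `contents: read` itself.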
| name: Build Flatpak bundle | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Flatpak tools | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y --no-install-recommends \ | ||
| flatpak \ | ||
| flatpak-builder \ | ||
| curl | ||
|
|
||
| - name: Install Flatpak runtimes | ||
| run: | | ||
| flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo | ||
| flatpak install -y flathub org.freedesktop.Platform//24.08 org.freedesktop.Sdk//24.08 | ||
|
|
||
| - name: Resolve source SHA when placeholder is present | ||
| run: | | ||
| manifest="registries/flatpak/io.github.ghimiresdp.furl.yml" | ||
| if grep -q "REPLACE_WITH_ACTUAL_SHA256" "$manifest"; then | ||
| url=$(grep -E "^[[:space:]]*url:" "$manifest" | head -n 1 | sed -E "s/^[[:space:]]*url:[[:space:]]*//") | ||
| curl -L "$url" -o /tmp/furl-source.tar.gz | ||
| sha=$(sha256sum /tmp/furl-source.tar.gz | awk '{print $1}') | ||
| sed -i "s/REPLACE_WITH_ACTUAL_SHA256/$sha/" "$manifest" | ||
| fi | ||
|
|
||
| - name: Build Flatpak repo and bundle | ||
| run: | | ||
| mkdir -p artifacts/flatpak | ||
| flatpak-builder --force-clean --repo=flatpak-repo flatpak-build registries/flatpak/io.github.ghimiresdp.furl.yml | ||
| flatpak build-bundle flatpak-repo artifacts/flatpak/io.github.ghimiresdp.furl.flatpak io.github.ghimiresdp.furl | ||
|
|
||
| - name: Upload Flatpak artifacts | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: flatpak-bundle | ||
| path: artifacts/flatpak/*.flatpak |
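Review bot: the Resolve source SHA step undermines the manifest's integrity check rather than implementing it: when the placeholder is present it downloads whatever the `url:` currently serves, hashes that, and writes the result into the manifest, so the build will accept any content at that URL, a tampered tarball included. The sha256 should be computed once by a maintainer and committed in io.github.ghimiresdp.furl.yml; CI should then fail when REPLACE_WITH_ACTUAL_SHA256 is still present (`exit 1` in the `if` branch) instead of filling it in. If the step is kept for local convenience, at least use `curl --fail -L` so an HTTP error body is not hashed and written into the manifest.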
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 23 days ago
In general, fix this by explicitly setting a restricted permissions block for the workflow (applies to all jobs) or for each job individually. For this workflow, both jobs only need to read repository contents (for checkout) and upload artifacts (which does not require repo write permissions), so we can safely restrict the GITHUB_TOKEN to contents: read at the top level. This documents the intended permissions and prevents the token from obtaining broader rights if repo/org defaults change or the workflow is copied elsewhere.
The best minimal fix without changing functionality is to add a root-level permissions: section beneath the on: block in .github/workflows/package-registries.yml, with contents: read. This will apply to both build_apt and build_flatpak jobs since neither defines its own permissions block. No other changes, imports, or YAML restructuring are necessary.
| @@ -3,6 +3,9 @@ | ||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| CARGO_TERM_COLOR: always | ||
|
|
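Review bot: this suggestion is the same insertion as the one attached to the build_apt alert (same `@@ -3,6 +3,9 @@` hunk, same `permissions:` / `contents: read` lines after `workflow_dispatch:`), so apply it once; both alerts are raised per job but point at the same file, and a single root-level block resolves both, whereas applying both autofixes would leave a duplicate `permissions:` key in the YAML.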
Description
Type of Change
Checklist
cargo fmt to ensure consistent code style.
cargo test and all tests passed.
README.md (if applicable).
Performance Impact