.github/workflows/nix-build.yaml, nix-build-linux job:

```yaml
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4

      - uses: cachix/install-nix-action@v27
        with:
          nix_path: nixpkgs=channel:nixos-unstable

      - uses: cachix/cachix-action@v15
        with:
          name: boundaryml
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Build CLI
        run: nix build .#baml-cli -L

      - name: Build WASM
        run: nix build .#baml-schema-wasm -L

  nix-build-macos:
```
CodeQL code scanning warning (Medium): Workflow does not contain permissions

Copilot Autofix (AI, 29 days ago):
In general, the fix is to explicitly define a permissions block for the workflow or individual jobs, granting only the minimal scopes required. In this workflow, the jobs just check out the repository and run Nix builds; they do not modify repository state or interact with issues/PRs, so contents: read at the workflow level is sufficient and is the recommended minimal starting point suggested by the warning.
The best fix with minimal functional impact is to add a top-level permissions block after the on: section (before concurrency: or jobs:). This will apply to both nix-build-linux and nix-build-macos jobs, and it sets GITHUB_TOKEN to read-only for repository contents. No additional imports or steps are needed; this is purely a YAML configuration change confined to .github/workflows/nix-build.yaml lines near the top of the file.
| @@ -5,6 +5,9 @@ | ||
| branches: [canary, greg/new-flake] | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: nix-${{ github.ref }} | ||
| cancel-in-progress: true |
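Review bot: the placement between the on: block and concurrency: is valid YAML, and contents: read is enough for both jobs in this file: actions/checkout only needs to read the repository, and cachix-action authenticates with secrets.CACHIX_AUTH_TOKEN rather than GITHUB_TOKEN, so no step loses access. Keep the block workflow-level as shown; if a job later needs a write scope, add a job-level permissions block for that job only instead of widening this one.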
```yaml
    steps:
      - uses: actions/checkout@v4

      - uses: cachix/install-nix-action@v27
```

CodeQL code scanning warning (Medium) on cachix/install-nix-action@v27: Unpinned tag for a non-immutable Action in workflow

```yaml
        with:
          nix_path: nixpkgs=channel:nixos-unstable

      - uses: cachix/cachix-action@v15
```

CodeQL code scanning warning (Medium) on cachix/cachix-action@v15: Unpinned tag for a non-immutable Action in workflow
.github/workflows/nix-build.yaml, nix-build-macos job:

```yaml
    runs-on: macos-14
    steps:
      - uses: actions/checkout@v4

      - uses: cachix/install-nix-action@v27
        with:
          nix_path: nixpkgs=channel:nixos-unstable

      - uses: cachix/cachix-action@v15
        with:
          name: boundaryml
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Build CLI
        run: nix build .#baml-cli -L

      - name: Build WASM
        run: nix build .#baml-schema-wasm -L
```
CodeQL code scanning warning (Medium): Workflow does not contain permissions

Copilot Autofix (AI, 29 days ago):
In general, the fix is to add an explicit permissions block to the workflow (at the top level so it applies to all jobs) specifying the least privilege needed. This workflow only checks out code and builds artifacts; it does not need to write to the repository or modify issues/PRs. The minimal safe set that matches CodeQL’s recommendation is contents: read. We add this under the root of the workflow, alongside on: and concurrency:, so that both nix-build-linux and nix-build-macos inherit these permissions without further changes. No additional imports or external dependencies are needed.
Concretely, in .github/workflows/nix-build.yaml, insert:

```yaml
permissions:
  contents: read
```

after the on: block (or before concurrency:). This keeps existing functionality unchanged while constraining the GITHUB_TOKEN.
| @@ -5,6 +5,9 @@ | ||
| branches: [canary, greg/new-flake] | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: nix-${{ github.ref }} | ||
| cancel-in-progress: true |
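Review bot: this is the same change as the autofix attached to the earlier alert on nix-build-linux, at the same file location (@@ -5,6 +5,9 @@, between pull_request: and concurrency:); because the block is workflow-level it resolves both "Workflow does not contain permissions" findings at once, so apply it once, not once per job. The two "Unpinned tag for a non-immutable Action" alerts are not touched by this hunk and still need the uses: references for cachix/install-nix-action@v27 and cachix/cachix-action@v15 replaced with a full commit SHA.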
```yaml
    steps:
      - uses: actions/checkout@v4

      - uses: cachix/install-nix-action@v27
```

CodeQL code scanning warning (Medium) on cachix/install-nix-action@v27: Unpinned tag for a non-immutable Action in workflow

```yaml
        with:
          nix_path: nixpkgs=channel:nixos-unstable

      - uses: cachix/cachix-action@v15
```

CodeQL code scanning warning (Medium) on cachix/cachix-action@v15: Unpinned tag for a non-immutable Action in workflow
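A stand-alone check for the two CodeQL finding types raised on this workflow (a missing permissions block, and uses: references pinned to a tag instead of a commit SHA), added here as an example; it is not part of this PR or of the BoundaryML repository. The WORKFLOW string is constructed from the job bodies visible above (the name: line and the 40-character PLACEHOLDER_SHA are assumptions, and the SHA is not the commit of any real action release), and the parser is a deliberately small line-based one written for this example rather than a YAML library.

```python
"""Added example (not project code): stdlib-only lint for the two CodeQL
findings on this page, a missing workflow permissions: block and uses: refs
not pinned to a commit SHA. Line-based; assumes two-space indentation."""
import re

# Constructed sample built from the job bodies visible in this PR; the name:
# line is an assumption, the rest follows the lines shown on the page.
WORKFLOW = """\
name: nix-build
on:
  push:
    branches: [canary, greg/new-flake]
  pull_request:
concurrency:
  group: nix-${{ github.ref }}
  cancel-in-progress: true
jobs:
  nix-build-linux:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v27
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: boundaryml
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Build CLI
        run: nix build .#baml-cli -L
  nix-build-macos:
    runs-on: macos-14
    steps:
      - uses: actions/checkout@v4
"""

# Placeholder, not the commit of any real action release. A real pin is the
# 40-hex SHA the tag points at, with the tag kept in a trailing comment.
PLACEHOLDER_SHA = "1" * 40

# The same workflow with both findings fixed: read-only token, pinned actions.
HARDENED = (
    WORKFLOW
    .replace("concurrency:", "permissions:\n  contents: read\nconcurrency:", 1)
    .replace("actions/checkout@v4", f"actions/checkout@{PLACEHOLDER_SHA} # v4")
    .replace("cachix/install-nix-action@v27",
             f"cachix/install-nix-action@{PLACEHOLDER_SHA} # v27")
    .replace("cachix/cachix-action@v15",
             f"cachix/cachix-action@{PLACEHOLDER_SHA} # v15")
)

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return [(line_no, ref)] for every uses: not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local and docker:// references are not GitHub-hosted actions whose
        # tag could be moved to different code, so they are skipped.
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((n, ref))
    return findings


def jobs_with_default_token(workflow_text):
    """Return names of jobs that run with the default GITHUB_TOKEN scopes:
    no top-level permissions: and no job-level one (four-space indent)."""
    lines = workflow_text.splitlines()
    if any(re.match(r"^permissions:", ln) for ln in lines):
        return []
    jobs, covered, current, in_jobs = [], set(), None, False
    for ln in lines:
        if re.match(r"^jobs:", ln):
            in_jobs = True
            continue
        if in_jobs and re.match(r"^\S", ln):
            in_jobs = False  # another top-level key ends the jobs mapping
        if not in_jobs:
            continue
        job = re.match(r"^  ([A-Za-z0-9_-]+):\s*$", ln)
        if job:
            current = job.group(1)
            jobs.append(current)
        elif current and re.match(r"^    permissions:", ln):
            covered.add(current)
    return [j for j in jobs if j not in covered]
```

Run against WORKFLOW it reports all four uses: lines and both jobs; against HARDENED it reports nothing. Pinning to a commit SHA rather than a tag is the fix for the two unpinned-tag alerts because a tag like v27 can be re-pointed by whoever controls the action's repository, while a commit hash cannot be.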
Force-pushed: 00b7b42 to d5afb19; d5afb19 to 68b8019; 68b8019 to eb0fea1; eb0fea1 to 047bce5.
No description provided.