Improve client list display and add ASCOM status tooltip #92
…ost recent connection info
…port and improved caching
Enhance client list display and ASCOM status tooltip
| name: Prepare Build Metadata | ||
| runs-on: ubuntu-latest | ||
| if: github.event_name != 'pull_request' | ||
| outputs: | ||
| should_release: ${{ steps.check_release.outputs.should_release }} | ||
| tag: ${{ steps.version.outputs.tag }} | ||
| branch: ${{ steps.version.outputs.branch }} | ||
| release_type: ${{ steps.version.outputs.release_type }} | ||
| docker_tag: ${{ steps.docker_tags.outputs.tag }} | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ vars.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Cache pip packages | ||
| # Skip cache for self-hosted runners (files persist locally) | ||
| if: ${{ runner.name != 'git01' }} | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: | | ||
| ~/.cache/pip | ||
| /root/.cache/pip | ||
| key: ${{ runner.os }}-pip-${{ hashFiles('requirements*.txt') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-pip- | ||
| - name: Determine Docker tags and cache | ||
| id: docker_tags | ||
| run: | | ||
| BRANCH_NAME="${GITHUB_REF#refs/heads/}" | ||
| if [ "$BRANCH_NAME" = "main" ]; then | ||
| echo "tag=latest" >> $GITHUB_OUTPUT | ||
| echo "cache_key=${{ runner.os }}-buildx-main-${{ github.sha }}" >> $GITHUB_OUTPUT | ||
| echo "cache_restore=${{ runner.os }}-buildx-main-" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "tag=dev" >> $GITHUB_OUTPUT | ||
| echo "cache_key=${{ runner.os }}-buildx-dev-${{ github.sha }}" >> $GITHUB_OUTPUT | ||
| echo "cache_restore=${{ runner.os }}-buildx-dev-" >> $GITHUB_OUTPUT | ||
| fi | ||
| - name: Cache Docker layers | ||
| # Skip GitHub Actions cache for self-hosted runners (files persist locally) | ||
| if: ${{ runner.name != 'git01' }} | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: /tmp/.buildx-cache | ||
| key: ${{ steps.docker_tags.outputs.cache_key }} | ||
| restore-keys: | | ||
| ${{ steps.docker_tags.outputs.cache_restore }} | ||
| ${{ runner.os }}-buildx- | ||
| - name: Determine if release should be created | ||
| id: check_release | ||
| run: | | ||
| # Create release on push to main or dev branch | ||
| if [ "${{ github.event_name }}" = "push" ]; then | ||
| echo "should_release=true" >> $GITHUB_OUTPUT | ||
| BRANCH_NAME="${GITHUB_REF#refs/heads/}" | ||
| if [ "$BRANCH_NAME" = "main" ]; then | ||
| echo "📦 Release will be created (push to main)" | ||
| else | ||
| echo "📦 Test release will be created (push to $BRANCH_NAME)" | ||
| fi | ||
| else | ||
| echo "should_release=false" >> $GITHUB_OUTPUT | ||
| echo "🔨 Build only (no release)" | ||
| fi | ||
| - name: Get version tag for release | ||
| id: version | ||
| if: steps.check_release.outputs.should_release == 'true' | ||
| run: | | ||
| # Fetch all tags to ensure we have complete tag history | ||
| git fetch --tags --force | ||
| # Determine branch-specific tag prefix | ||
| BRANCH_NAME="${GITHUB_REF#refs/heads/}" | ||
| echo "Branch: $BRANCH_NAME" | ||
| if [ "$BRANCH_NAME" = "main" ]; then | ||
| TAG_PREFIX="v" | ||
| TAG_PATTERN="v[0-9]*.[0-9]*" | ||
| RELEASE_TYPE="stable" | ||
| else | ||
| TAG_PREFIX="v-${BRANCH_NAME}-" | ||
| TAG_PATTERN="v-${BRANCH_NAME}-[0-9]*.[0-9]*" | ||
| RELEASE_TYPE="test" | ||
| fi | ||
| # Get all matching tags and find the highest version | ||
| echo "Looking for tags matching pattern: ${TAG_PATTERN}" | ||
| LATEST_TAG=$(git tag -l "${TAG_PATTERN}" | sort -V | tail -n1) | ||
| if [ -z "$LATEST_TAG" ]; then | ||
| # No existing tags, start at 0.1 | ||
| MAJOR=0 | ||
| MINOR=0 | ||
| echo "No existing tags found, starting at ${TAG_PREFIX}0.1" | ||
| else | ||
| echo "Latest tag: $LATEST_TAG" | ||
| # Extract version numbers (remove prefix first) | ||
| VERSION="${LATEST_TAG#${TAG_PREFIX}}" | ||
| IFS='.' read -ra PARTS <<< "$VERSION" | ||
| MAJOR=${PARTS[0]:-0} | ||
| MINOR=${PARTS[1]:-0} | ||
| echo "Current version: $MAJOR.$MINOR" | ||
| fi | ||
| # Increment minor version by 1 (0.1 increments) | ||
| MINOR=$((MINOR + 1)) | ||
| NEW_TAG="${TAG_PREFIX}${MAJOR}.${MINOR}" | ||
| # Ensure the new tag doesn't already exist (keep incrementing if it does) | ||
| ATTEMPTS=0 | ||
| while git rev-parse "$NEW_TAG" >/dev/null 2>&1; do | ||
| echo "⚠️ Tag $NEW_TAG already exists, incrementing..." | ||
| MINOR=$((MINOR + 1)) | ||
| NEW_TAG="${TAG_PREFIX}${MAJOR}.${MINOR}" | ||
| ATTEMPTS=$((ATTEMPTS + 1)) | ||
| if [ $ATTEMPTS -gt 100 ]; then | ||
| echo "❌ Error: Too many version increment attempts" | ||
| exit 1 | ||
| fi | ||
| done | ||
| echo "✅ New tag: $NEW_TAG" | ||
| echo "tag=$NEW_TAG" >> $GITHUB_OUTPUT | ||
| echo "release_type=$RELEASE_TYPE" >> $GITHUB_OUTPUT | ||
| echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT | ||
| build: | ||
| name: Build ${{ matrix.platform_tag }} | ||
| needs: prepare | ||
| runs-on: ${{ matrix.runner }} | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - runner: git01 | ||
| platform: linux/amd64 | ||
| platform_tag: amd64 | ||
| - runner: gitpi01 | ||
| platform: linux/arm64 | ||
| platform_tag: arm64 | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ vars.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Set cache paths | ||
| run: | | ||
| echo "CACHE_PATH=${HOME}/.cache/buildx" >> $GITHUB_ENV | ||
| echo "CACHE_PATH_NEW=${HOME}/.cache/buildx-new" >> $GITHUB_ENV | ||
| - name: Cache Docker layers | ||
| # Skip GitHub Actions cache for self-hosted runners (files persist locally) | ||
| if: ${{ runner.name != 'git01' && runner.name != 'gitpi01' }} | ||
| uses: actions/cache@v4 | ||
| with: | ||
| # CHANGE: Use a path in the home directory, not /tmp | ||
| path: ~/.cache/buildx | ||
| key: ${{ runner.os }}-buildx-${{ github.ref_name }}-${{ github.sha }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-buildx-${{ github.ref_name }}- | ||
| ${{ runner.os }}-buildx- | ||
| - name: Build and push | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: . | ||
| push: true | ||
| tags: ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:${{ steps.docker_tags.outputs.tag }} | ||
| cache-from: type=local,src=/tmp/.buildx-cache | ||
| # CHANGED: mode=min speeds up export by only caching final layers, avoiding massive I/O | ||
| cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=min | ||
| platforms: linux/amd64,linux/arm64 | ||
| # Push to a temporary tag specific to the architecture | ||
| tags: ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:${{ needs.prepare.outputs.docker_tag }}-${{ matrix.platform_tag }} | ||
| # Use persistent cache on self-hosted runner | ||
| cache-from: type=local,src=${{ env.CACHE_PATH }} | ||
| cache-to: type=local,dest=${{ env.CACHE_PATH_NEW }},mode=min | ||
| platforms: ${{ matrix.platform }} | ||
|
|
||
| - name: Move cache | ||
| if: always() | ||
| run: | | ||
| rm -rf /tmp/.buildx-cache | ||
| mv /tmp/.buildx-cache-new /tmp/.buildx-cache | ||
| rm -rf ${{ env.CACHE_PATH }} | ||
| mv ${{ env.CACHE_PATH_NEW }} ${{ env.CACHE_PATH }} | ||
| merge: | ||
| name: Merge Multi-Arch Image | ||
| needs: [prepare, build] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v3 |
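Review bot: the only thing keeping pull_request runs off the self-hosted runners in the build matrix (git01 and gitpi01) is the `if: github.event_name != 'pull_request'` on prepare, which build inherits through `needs: prepare`; please put that guard on the build job explicitly as well, because a later `if: always()` or `!cancelled()` on build would run fork PR code on those persistent runners and their on-disk buildx cache. Separately, the Move cache step runs under `if: always()` and does `rm -rf ${{ env.CACHE_PATH }}` before `mv ${{ env.CACHE_PATH_NEW }} ${{ env.CACHE_PATH }}`, so when the build died before the export created the new directory it wipes the existing cache and then fails; guard it with `if [ -d "$CACHE_PATH_NEW" ]` (the variables are already exported from GITHUB_ENV, so the `${{ env.* }}` interpolation is unnecessary).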
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 days ago
In general, fix this by explicitly setting permissions: for the workflow or for individual jobs so that GITHUB_TOKEN has only the scopes needed. For a compute-only job like prepare, that typically means contents: read at most.
The safest single change that preserves existing behavior is to add a root-level permissions: block (applies to all jobs that don’t override it) with contents: read. None of the shown steps require write access to repository contents, issues, or pull requests—they only read the code, compute versions, and interact with Docker Hub using a separate secret. Adding the block near the top of .github/workflows/build-and-release.yml (after name: and before on:) keeps the workflow clear and conventional. No new imports or methods are needed; this is a pure YAML configuration change.
Concretely:
- Edit `.github/workflows/build-and-release.yml`.
- Insert:
  permissions:
    contents: read
  between line 2 and line 3 (between `name: Build and Release` and the `on:` block).
This constrains `GITHUB_TOKEN` for the `prepare`, `build`, `merge`, and `release` jobs (unless any of them already define their own `permissions:` blocks later in the file, which we must not assume or modify beyond the shown snippet).
| @@ -1,5 +1,8 @@ | ||
| name: Build and Release | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
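Review bot: a root-level `permissions: contents: read` is compatible with the release job only because that job already declares its own `permissions: contents: write`; that job-level block must stay, since the root block would otherwise remove the write scope the Create and push tag step needs. All other jobs shown (prepare, build, merge) reach Docker Hub with `secrets.DOCKERHUB_TOKEN`, not `GITHUB_TOKEN`, so read-only is sufficient for them.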
| with: | ||
| username: ${{ vars.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Create and push manifest list | ||
| # Combines the amd64 and arm64 tags into the single tag (latest or dev) | ||
| run: | | ||
| docker buildx imagetools create -t ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:${{ needs.prepare.outputs.docker_tag }} \ | ||
| ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:${{ needs.prepare.outputs.docker_tag }}-amd64 \ | ||
| ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:${{ needs.prepare.outputs.docker_tag }}-arm64 | ||
| - name: Inspect image | ||
| run: | | ||
| docker buildx imagetools inspect ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:${{ needs.prepare.outputs.docker_tag }} | ||
| - name: Get image size | ||
| if: github.ref == 'refs/heads/dev' | ||
| run: | | ||
| docker pull ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:${{ needs.prepare.outputs.docker_tag }} | ||
| IMAGE_SIZE=$(docker images --format "{{.Size}}" ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:${{ needs.prepare.outputs.docker_tag }} | head -n1) | ||
| echo "Docker image size: $IMAGE_SIZE" | ||
| - name: Checkout repository | ||
| if: github.ref == 'refs/heads/main' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Docker Hub Description | ||
| if: github.ref == 'refs/heads/main' | ||
| uses: peter-evans/dockerhub-description@v4 | ||
| with: | ||
| username: ${{ vars.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
| repository: ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect | ||
| short-description: "ML-based cloud detection for AllSky cameras with MQTT and ASCOM Alpaca" | ||
| readme-filepath: ./readme.md | ||
|
|
||
| - name: Get image size | ||
| if: github.ref == 'refs/heads/dev' | ||
| run: | | ||
| docker pull ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:${{ steps.docker_tags.outputs.tag }} | ||
| IMAGE_SIZE=$(docker images --format "{{.Size}}" ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:${{ steps.docker_tags.outputs.tag }} | head -n1) | ||
| echo "Docker image size: $IMAGE_SIZE" | ||
|
|
||
| release: | ||
| needs: build | ||
| if: needs.build.outputs.should_release == 'true' | ||
| needs: [prepare, merge] | ||
| if: needs.prepare.outputs.should_release == 'true' | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Generate commit history | ||
| id: changelog | ||
| run: | | ||
| # Get the previous tag for this branch (excluding the tag we're about to create) | ||
| BRANCH_NAME="${{ needs.build.outputs.branch }}" | ||
| BRANCH_NAME="${{ needs.prepare.outputs.branch }}" | ||
| if [ "$BRANCH_NAME" = "main" ]; then | ||
| TAG_PREFIX="v" | ||
| TAG_PATTERN="${TAG_PREFIX}*" | ||
| else | ||
| TAG_PREFIX="v-${BRANCH_NAME}-" | ||
| TAG_PATTERN="${TAG_PREFIX}*" | ||
| fi | ||
| NEW_TAG="${{ needs.build.outputs.tag }}" | ||
| NEW_TAG="${{ needs.prepare.outputs.tag }}" | ||
| # Get all matching tags, exclude the new tag if it exists, and get the latest | ||
| # For main branch, also exclude dev tags (v-dev-*) to prevent incorrect comparisons | ||
| if [ "$BRANCH_NAME" = "main" ]; then | ||
| PREVIOUS_TAG=$(git tag -l "${TAG_PATTERN}" | grep -v "^${NEW_TAG}$" | grep -v "^v-.*-" | sort -V | tail -n1) | ||
| else | ||
| PREVIOUS_TAG=$(git tag -l "${TAG_PATTERN}" | grep -v "^${NEW_TAG}$" | sort -V | tail -n1) | ||
| fi | ||
| if [ -z "$PREVIOUS_TAG" ]; then | ||
| echo "No previous tag found, showing last 20 commits" | ||
| COMMITS=$(git log -20 --pretty=format:"- %s (%h)" --no-merges) | ||
| else | ||
| echo "Generating changelog from $PREVIOUS_TAG to HEAD" | ||
| COMMITS=$(git log ${PREVIOUS_TAG}..HEAD --pretty=format:"- %s (%h)" --no-merges) | ||
| # If no commits found, it means we're on the same commit | ||
| if [ -z "$COMMITS" ]; then | ||
| echo "No new commits since $PREVIOUS_TAG" | ||
| COMMITS="- No changes since previous release" | ||
| fi | ||
| fi | ||
| # Save to output using heredoc to handle multiline | ||
| echo "changelog<<EOF" >> $GITHUB_OUTPUT | ||
| echo "$COMMITS" >> $GITHUB_OUTPUT | ||
| echo "EOF" >> $GITHUB_OUTPUT | ||
| - name: Create and push tag | ||
| run: | | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "github-actions[bot]@users.noreply.github.com" |
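Review bot: the changelog written to `$GITHUB_OUTPUT` in the Generate commit history step uses the fixed heredoc delimiter `EOF` around `$COMMITS`, and `$COMMITS` is built from commit subjects (`git log --pretty=format:"- %s (%h)"`), so a commit whose subject line is exactly `EOF` terminates the output early and every following subject line is parsed as a further `name=value` output; use a random per-run delimiter instead, e.g. `delim="changelog_$(openssl rand -hex 8)"` with `echo "changelog<<$delim"` and `echo "$delim"`, as the GitHub docs recommend for multiline outputs. Also, `peter-evans/dockerhub-description@v4` receives `secrets.DOCKERHUB_TOKEN`; pin that third-party action (and ideally the docker/* ones) to a full commit SHA rather than a mutable major tag so a moved or compromised tag cannot read the token.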
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 days ago
To fix the problem, explicitly scope the GITHUB_TOKEN permissions so that jobs do not inherit potentially broad default permissions. The least privilege required here is for actions/checkout@v4, which only needs contents: read. No job in the shown snippet needs to write to the repository, manage issues, or modify PRs.
The best, minimal-impact fix is to add a permissions: block at the top (workflow) level, directly under name: Build and Release and before the on: key, with contents: read. This will apply to all jobs (prepare, build, merge, release, pr-commit-summary, etc.) that don’t override permissions locally, without changing any existing functionality. No new imports or dependencies are needed; this is a pure YAML configuration change.
Concretely:
- Edit `.github/workflows/build-and-release.yml`.
- Insert:
  permissions:
    contents: read
  after line 1 (`name: Build and Release`) and before line 3 (`on:`).
No other lines in the file need to be changed.
| @@ -1,5 +1,8 @@ | ||
| name: Build and Release | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
| name: Build ${{ matrix.platform_tag }} | ||
| runs-on: ${{ matrix.runner }} | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - runner: git01 | ||
| platform: linux/amd64 | ||
| platform_tag: amd64 | ||
| - runner: gitpi01 | ||
| platform: linux/arm64 | ||
| platform_tag: arm64 | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: snd | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ vars.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Cache pip packages | ||
| # Skip cache for self-hosted runners (files persist locally) | ||
| if: ${{ runner.name != 'git01' }} | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: | | ||
| ~/.cache/pip | ||
| /root/.cache/pip | ||
| key: ${{ runner.os }}-pip-${{ hashFiles('requirements*.txt') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-pip- | ||
| - name: Set cache paths | ||
| run: | | ||
| echo "CACHE_PATH=${HOME}/.cache/buildx" >> $GITHUB_ENV | ||
| echo "CACHE_PATH_NEW=${HOME}/.cache/buildx-new" >> $GITHUB_ENV | ||
| - name: Cache Docker layers | ||
| # Skip GitHub Actions cache for self-hosted runners (files persist locally) | ||
| if: ${{ runner.name != 'git01' }} | ||
| if: ${{ runner.name != 'git01' && runner.name != 'gitpi01' }} | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: /tmp/.buildx-cache | ||
| key: ${{ runner.os }}-buildx-snd-${{ github.sha }} | ||
| # CHANGE: Use a path in the home directory, not /tmp | ||
| path: ~/.cache/buildx | ||
| key: ${{ runner.os }}-buildx-${{ github.ref_name }}-${{ github.sha }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-buildx-snd- | ||
| ${{ runner.os }}-buildx-${{ github.ref_name }}- | ||
| ${{ runner.os }}-buildx- | ||
| - name: Build and push | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: . | ||
| push: true | ||
| tags: ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:snd | ||
| cache-from: type=local,src=/tmp/.buildx-cache | ||
| # OPTIMIZATION: Changed mode=max to mode=min to speed up export on self-hosted runners | ||
| cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=min | ||
| platforms: linux/amd64,linux/arm64 | ||
| # Push to a temporary tag specific to the architecture (e.g., :snd-arm64) | ||
| tags: ${{ vars.DOCKERHUB_USERNAME }}/simpleclouddetect:snd-${{ matrix.platform_tag }} | ||
| # Use persistent cache on self-hosted runner | ||
| cache-from: type=local,src=${{ env.CACHE_PATH }} | ||
| cache-to: type=local,dest=${{ env.CACHE_PATH_NEW }},mode=min | ||
| platforms: ${{ matrix.platform }} | ||
|
|
||
| - name: Move cache | ||
| if: always() | ||
| run: | | ||
| rm -rf /tmp/.buildx-cache | ||
| mv /tmp/.buildx-cache-new /tmp/.buildx-cache | ||
| rm -rf ${{ env.CACHE_PATH }} | ||
| mv ${{ env.CACHE_PATH_NEW }} ${{ env.CACHE_PATH }} | ||
| merge: | ||
| name: Merge Multi-Arch Image | ||
| needs: build |
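Review bot: the Cache pip packages step still uses `if: ${{ runner.name != 'git01' }}` while the Cache Docker layers step right below it was changed to `runner.name != 'git01' && runner.name != 'gitpi01'`, so the pip cache now runs on gitpi01 even though its comment says it is skipped on self-hosted runners; align the two conditions. Note also that with the matrix containing only git01 and gitpi01, the Cache Docker layers step can never execute, so the `~/.cache/buildx` actions/cache entry is dead configuration and `cache-from: type=local,src=${{ env.CACHE_PATH }}` relies entirely on on-disk persistence; either drop the step or keep it deliberately for a future hosted runner and say so in the comment.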
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 days ago
In general, the fix is to explicitly restrict the GITHUB_TOKEN permissions in the workflow to the minimal set required. Since this workflow only needs to checkout the repository and then interact with Docker Hub (using external credentials), the GITHUB_TOKEN only needs contents: read. No additional scopes (like pull-requests, issues, or packages) are required by the shown steps.
The best way to fix this without changing functionality is to add a top‑level permissions: block so that it applies to all jobs unless overridden. Insert it near the top of .github/workflows/snd.yml, after the name: (or after the on: block; any top‑level location is fine) and set it to contents: read. This will ensure GITHUB_TOKEN cannot modify repository contents or other resources while still allowing actions/checkout to function. No imports or additional definitions are needed in YAML.
Concretely: edit `.github/workflows/snd.yml` to add:
permissions:
  contents: read
at the top level of the workflow (e.g., between line 2 and line 3 in the provided snippet).
| @@ -1,5 +1,8 @@ | ||
| name: snd | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
.github/workflows/snd.yml
Outdated
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 days ago
In general, fix this by explicitly specifying a minimal permissions: block for the workflow or for each job, reducing GITHUB_TOKEN to read‑only access (or disabling unused scopes) while still allowing the current steps to succeed.
The best targeted fix here is to add a permissions: block at the workflow root level (just under name: or on:), so it applies to both build and merge jobs. None of the steps require write access to the repository; they only need to read the code (handled by actions/checkout) and use external Docker credentials. Therefore, we can set contents: read and disable everything else by using permissions: read-all. For maximum clarity and least privilege, we can explicitly use permissions: read-all, which is a valid shortcut meaning “all scopes read‑only”. This will satisfy CodeQL by explicitly constraining GITHUB_TOKEN while not changing the existing behavior of the jobs.
Concretely:
- Edit `.github/workflows/snd.yml`.
- Insert a `permissions: read-all` block near the top, after the `on:` block (or directly after `name:`; both are valid, but we'll put it after `on:` to keep triggers and permissions grouped).
- No imports or extra methods are needed; this is pure YAML configuration.
| @@ -8,6 +8,8 @@ | ||
| - '*.md' | ||
| - 'images/**' | ||
|
|
||
| permissions: read-all | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build ${{ matrix.platform_tag }} |
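Review bot: `permissions: read-all` grants read access on every scope (issues, pull-requests, packages, and so on), which is broader than the `contents: read` that `actions/checkout` actually needs; prefer the explicit map form `permissions:` / `contents: read` used in the other suggestions, which also sets every unlisted scope to none and keeps the two workflows consistent.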
📋 Overview
This pull request enhances the user interface by improving the display of connected clients and adding an informative tooltip for ASCOM status. It modifies the client management logic to show unique clients by IP address with their most recent connection details. Additionally, a new tooltip provides explanations for the ASCOM status directly within the setup page.
🔄 Changes by Category
📊 Analyzed 6 commit(s) | 🕐 Updated: 2026-01-05T01:46:06.914Z | Generated by GitHub Actions