Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .GIT_QUICKOPS_CONFIG
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
{
"commitPrefix": "[{{branch}}] resolves #{{ticket}}: ",
"requireTests": "disabled"
"requireTests": "prevent"
}
4 changes: 4 additions & 0 deletions .GIT_QUICKOPS_CONFIG.example
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"prefix": "{{ticket}}",
"requireTests": "prevent"
}
133 changes: 133 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,133 @@
name: CI Build and Test

on:
push:
branches: [ main, dev ]
pull_request:
branches: [ main, dev ]
workflow_dispatch:

jobs:
build:
name: Build and Test
runs-on: ${{ matrix.os }}

strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
node-version: [18.x, 20.x]

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Setup Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'

- name: Install dependencies
run: npm ci

- name: Lint code
run: npm run lint

- name: Compile TypeScript
run: npm run compile

- name: Run build test
run: npm run test:build
Comment on lines +39 to +40
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (performance): Reduce duplicate compilation work in CI by reusing the existing compile step.

This job already runs npm run compile, and test:build also calls npm run compile, so each build compiles twice. Consider either removing the explicit Compile TypeScript step and relying on test:build, or updating test:build to assume compilation has already happened in CI and dropping its internal npm run compile.


- name: Package extension
run: npx @vscode/vsce package

- name: Upload VSIX artifact
uses: actions/upload-artifact@v4
if: matrix.os == 'ubuntu-latest' && matrix.node-version == '20.x'
with:
name: git-quickops-vsix
path: '*.vsix'
retention-days: 7

- name: Run integration tests (Ubuntu)
if: runner.os == 'Linux'
run: xvfb-run -a npm run test:integration

- name: Run integration tests (macOS)
if: runner.os == 'macOS'
run: npm run test:integration

- name: Run integration tests (Windows)
if: runner.os == 'Windows'
run: npm run test:integration

lint-check:
Comment on lines +12 to +65

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 1 day ago

In general, to fix this issue you should explicitly set permissions for the workflow or individual jobs so that the GITHUB_TOKEN has only the minimal privileges required. For a typical CI workflow that just checks out code, installs dependencies, runs tests, and uploads artifacts, contents: read at the workflow level is usually sufficient. Additional scopes are only needed if the workflow writes to PRs, issues, releases, etc.

For this specific workflow, none of the jobs (build, lint-check, validate-package) perform write operations against the repository or GitHub’s APIs; they only read source code and push artifacts to the Actions storage (which does not use contents: write). Therefore, the single best fix is to add a root-level permissions block setting contents: read so it applies to all jobs. This keeps existing functionality unchanged while constraining the token.

Concretely:

  • Edit .github/workflows/ci.yml.
  • Insert a permissions: block after the name: and before on::
    name: CI Build and Test
    
    permissions:
      contents: read
    
    on:
      ...
  • No job-level permissions are necessary unless you later add steps that require broader access.

No extra imports or methods are needed; this is purely a YAML configuration change.


Suggested changeset 1
.github/workflows/ci.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI Build and Test
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ main, dev ]
EOF
@@ -1,5 +1,8 @@
name: CI Build and Test

permissions:
contents: read

on:
push:
branches: [ main, dev ]
Copilot is powered by AI and may make mistakes. Always verify output.
name: Lint and Format Check
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20.x'
cache: 'npm'

- name: Install dependencies
run: npm ci

- name: Run ESLint
run: npm run lint

- name: Check TypeScript compilation
run: npm run compile

validate-package:
Comment on lines +66 to +88

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 1 day ago

In general, the fix is to explicitly restrict GITHUB_TOKEN permissions using a permissions: block, either at the workflow root (affecting all jobs) or per job, granting only the scopes needed (typically contents: read for this kind of CI workflow). Since none of the jobs performs write operations to the repository or uses APIs that require elevated scopes, we can add a minimal permissions: block at the workflow root so all jobs inherit it.

The single best fix here is to add a root-level permissions: block right after the name: (or on:) section in .github/workflows/ci.yml, specifying contents: read. This applies to all jobs (build, lint-check, validate-package) without altering their behavior because they only read repository contents. No changes are necessary inside individual jobs, and no additional libraries or steps are required.

Concretely, in .github/workflows/ci.yml, between line 2 (blank) and line 3 (on:), insert:

permissions:
  contents: read

This ensures that the GITHUB_TOKEN has read-only access to repository contents for the entire workflow, satisfying the CodeQL recommendation while preserving existing functionality.

Suggested changeset 1
.github/workflows/ci.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI Build and Test
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ main, dev ]
EOF
@@ -1,5 +1,8 @@
name: CI Build and Test

permissions:
contents: read

on:
push:
branches: [ main, dev ]
Copilot is powered by AI and may make mistakes. Always verify output.
name: Validate Package
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20.x'
cache: 'npm'

- name: Install dependencies
run: npm ci

- name: Validate package.json
run: |
node -e "const pkg = require('./package.json'); console.log('Package validation passed');"

- name: Check for missing fields
run: |
node -e "
const pkg = require('./package.json');
const required = ['name', 'displayName', 'version', 'publisher', 'engines', 'categories', 'main'];
const missing = required.filter(f => !pkg[f]);
if (missing.length) {
console.error('Missing required fields:', missing);
process.exit(1);
}
console.log('All required fields present');
"

- name: Compile and package
run: |
npm run compile
npx @vscode/vsce package --no-dependencies

- name: Verify VSIX creation
run: |
if [ ! -f *.vsix ]; then
echo "VSIX file was not created"
exit 1
fi
echo "VSIX file created successfully"
Comment on lines +89 to +133

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 1 day ago

In general, the fix is to explicitly declare a permissions block that restricts the GITHUB_TOKEN to the least privileges needed. Since this workflow only checks out code, installs dependencies, runs linting/testing, and packages artifacts, it only needs read access to repository contents. It does not need to write to contents, issues, pull requests, or other scopes.

The best fix, without changing functionality, is to add a single top-level permissions block (at the root of .github/workflows/ci.yml, alongside name and on). This will apply to all jobs (build, lint-check, and validate-package) uniformly. Set it to contents: read, which is the minimal scope required for actions/checkout@v4 to read the repository. No job appears to need any write permissions or additional scopes (such as packages, pull-requests, or statuses), and none of the used third-party actions require elevated permissions for their normal operation here.

Concretely:

  • Edit .github/workflows/ci.yml.
  • Insert a permissions: section after the name: CI Build and Test line and before the on: block.
  • Set the permissions to:
    permissions:
      contents: read

No additional methods, imports, or definitions are needed, and no steps need modification.

Suggested changeset 1
.github/workflows/ci.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI Build and Test
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ main, dev ]
EOF
@@ -1,5 +1,8 @@
name: CI Build and Test

permissions:
contents: read

on:
push:
branches: [ main, dev ]
Copilot is powered by AI and may make mistakes. Always verify output.
7 changes: 7 additions & 0 deletions .mocharc.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"require": ["source-map-support/register"],
"ui": "tdd",
"color": true,
"timeout": 10000,
"slow": 5000
}
Loading
Loading