Dev #62
base: main
Conversation
…n server case, need to discuss more
… updates, Prevented auth middleware panic by returning Poll::Pending if the mutex is busy. Increased heartbeat wait timeout to align with long-polling. Left the duplicate Casbin migration as a no-op to avoid conflicts. Added a rule to casbin for public registration of agent (testing purpose)
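The commit message above describes returning Poll::Pending from the auth middleware when its mutex is busy. As an added example (this is not the project's code; AuthState, NaiveAuthCheck, WakingAuthCheck and the contention scenario in demo are hypothetical), the std-only Rust program below shows the rule that pattern has to respect: a poll that returns Pending without arranging a wake-up is never polled again by the executor, so the request stalls silently, whereas calling the context's waker before yielding keeps the task schedulable. A counting waker makes the difference observable, and a poisoned lock is treated as "deny" so the check fails closed.

```rust
use std::future::Future;
use std::pin::Pin;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::{Arc, Mutex, TryLockError};
use std::task::{Context, Poll, RawWaker, RawWakerVTable, Waker};

/// Hypothetical shared authorization state behind a blocking std Mutex
/// (an assumption for this example; the project's real state is not shown on the page).
pub struct AuthState {
    pub allowed: bool,
}

/// Naive check: when the mutex is busy it returns Pending without requesting a wake-up,
/// so the executor parks the task and never polls it again.
pub struct NaiveAuthCheck {
    pub state: Arc<Mutex<AuthState>>,
}

impl Future for NaiveAuthCheck {
    type Output = bool;
    fn poll(self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<bool> {
        match self.state.try_lock() {
            Ok(guard) => Poll::Ready(guard.allowed),
            Err(TryLockError::WouldBlock) => Poll::Pending, // nobody will wake this task
            Err(TryLockError::Poisoned(_)) => Poll::Ready(false), // fail closed
        }
    }
}

/// Corrected check: on contention it asks to be polled again before yielding.
/// An async-aware mutex would avoid the re-poll; this keeps the task live with std only.
pub struct WakingAuthCheck {
    pub state: Arc<Mutex<AuthState>>,
}

impl Future for WakingAuthCheck {
    type Output = bool;
    fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<bool> {
        match self.state.try_lock() {
            Ok(guard) => Poll::Ready(guard.allowed),
            Err(TryLockError::WouldBlock) => {
                cx.waker().wake_by_ref(); // yield, but schedule another poll
                Poll::Pending
            }
            Err(TryLockError::Poisoned(_)) => Poll::Ready(false),
        }
    }
}

/// Minimal waker that only counts wake-ups, so the two futures can be compared.
fn counting_waker(counter: Arc<AtomicUsize>) -> Waker {
    fn clone(p: *const ()) -> RawWaker {
        unsafe { Arc::increment_strong_count(p as *const AtomicUsize) };
        RawWaker::new(p, &VTABLE)
    }
    fn wake(p: *const ()) {
        let counter = unsafe { Arc::from_raw(p as *const AtomicUsize) }; // consumes the waker's ref
        counter.fetch_add(1, Ordering::SeqCst);
    }
    fn wake_by_ref(p: *const ()) {
        unsafe { (*(p as *const AtomicUsize)).fetch_add(1, Ordering::SeqCst) };
    }
    fn drop_waker(p: *const ()) {
        unsafe { Arc::decrement_strong_count(p as *const AtomicUsize) };
    }
    static VTABLE: RawWakerVTable = RawWakerVTable::new(clone, wake, wake_by_ref, drop_waker);
    let raw = RawWaker::new(Arc::into_raw(counter) as *const (), &VTABLE);
    unsafe { Waker::from_raw(raw) }
}

/// Polls a future once; returns its result and how many wake-ups it requested.
pub fn poll_once<F: Future<Output = bool> + Unpin>(fut: &mut F) -> (Poll<bool>, usize) {
    let counter = Arc::new(AtomicUsize::new(0));
    let waker = counting_waker(counter.clone());
    let mut cx = Context::from_waker(&waker);
    let result = Pin::new(fut).poll(&mut cx);
    (result, counter.load(Ordering::SeqCst))
}

/// Constructed scenario: the lock is held while both futures are polled, then released.
/// Returns (naive wake-ups, corrected wake-ups, corrected result after release).
pub fn demo() -> (usize, usize, Poll<bool>) {
    let state = Arc::new(Mutex::new(AuthState { allowed: true }));
    let held = state.lock().unwrap(); // simulates contention from another request
    let mut naive = NaiveAuthCheck { state: state.clone() };
    let mut fixed = WakingAuthCheck { state: state.clone() };
    let (r1, naive_wakes) = poll_once(&mut naive);
    let (r2, fixed_wakes) = poll_once(&mut fixed);
    assert!(r1.is_pending() && r2.is_pending());
    drop(held); // only a future that requested a wake-up gets polled again
    let (r3, _) = poll_once(&mut fixed);
    (naive_wakes, fixed_wakes, r3)
}

fn main() {
    println!("{:?}", demo()); // (0, 1, Ready(true))
}
```

The wake_by_ref-before-Pending form is a busy re-poll and is only the minimal correction; in a real middleware an async mutex (whose lock future registers the waker and wakes exactly once on release) is the better fix, but the invariant is the same: every Pending must have a wake-up behind it.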
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 9658888 | Triggered | Generic Password | 8d1b8d5 | .github/workflows/rust.yml |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider
- following these best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
conflict fix
| name: Build binaries (Linux/macOS) | ||
| env: | ||
| SQLX_OFFLINE: true | ||
| strategy: | ||
| matrix: | ||
| include: | ||
| - os: ubuntu-latest | ||
| target: x86_64-unknown-linux-gnu | ||
| artifact_name: stacker-linux-x86_64 | ||
| - os: macos-latest | ||
| target: x86_64-apple-darwin | ||
| artifact_name: stacker-macos-x86_64 | ||
| - os: macos-latest | ||
| target: aarch64-apple-darwin | ||
| artifact_name: stacker-macos-aarch64 | ||
| runs-on: ${{ matrix.os }} | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - name: Build | ||
| run: cargo build --verbose | ||
| - name: Run tests | ||
| run: cargo test --verbose | ||
| - uses: actions/checkout@v4 | ||
| - name: Verify .sqlx cache exists | ||
| run: | | ||
| ls -lh .sqlx/ || echo ".sqlx directory not found" | ||
| find .sqlx -type f 2>/dev/null | wc -l | ||
| - name: Install Rust toolchain | ||
| uses: actions-rs/toolchain@v1 | ||
| with: | ||
| toolchain: stable | ||
| target: ${{ matrix.target }} | ||
| override: true | ||
| - name: Cache cargo registry | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: ~/.cargo/registry | ||
| key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-cargo-registry- | ||
| - name: Cache cargo index | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: ~/.cargo/git | ||
| key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-cargo-index- | ||
| - name: Cache target directory | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: target | ||
| key: ${{ runner.os }}-target-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-target-${{ matrix.target }}- | ||
| - name: Build server (release) | ||
| run: cargo build --release --target ${{ matrix.target }} --bin server --verbose | ||
|
|
||
| - name: Build console (release with features) | ||
| run: cargo build --release --target ${{ matrix.target }} --bin console --features explain --verbose | ||
| - name: Prepare binaries | ||
| run: | | ||
| mkdir -p artifacts | ||
| cp target/${{ matrix.target }}/release/server artifacts/server | ||
| cp target/${{ matrix.target }}/release/console artifacts/console | ||
| tar -czf ${{ matrix.artifact_name }}.tar.gz -C artifacts . | ||
| - name: Upload binaries | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: ${{ matrix.artifact_name }} | ||
| path: ${{ matrix.artifact_name }}.tar.gz | ||
| retention-days: 7 |
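Review bot: the job checks out and builds the tree twice: `- uses: actions/checkout@v3` followed by `cargo build --verbose` and `cargo test --verbose` runs before `Install Rust toolchain` selects the matrix target, and is then followed by a second `- uses: actions/checkout@v4`; drop the first checkout/build/test trio (moving the test step after the toolchain install if tests are wanted) and keep a single checkout. The `Verify .sqlx cache exists` step cannot fail, since `ls -lh .sqlx/ || echo ".sqlx directory not found"` always exits 0, so with `SQLX_OFFLINE: true` a missing `.sqlx` directory is only noticed when the release build fails later with a less obvious error; make it `test -d .sqlx || { echo ".sqlx directory not found"; exit 1; }`. Also, every action is referenced by a mutable tag (`@v3`, `@v4`, `@v1`); pinning to commit SHAs removes a supply-chain trust on tag moves, and `actions-rs/toolchain@v1` is an archived, unmaintained action that should be replaced by a maintained equivalent.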
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 7 hours ago)
To fix the issue, we should explicitly declare the permissions for the GITHUB_TOKEN used by this workflow and restrict them to the minimum required. This workflow only needs to read repository contents to build and upload artifacts, so contents: read is sufficient. We can set permissions at the workflow root so it applies to all jobs (currently only build), or directly under the build job. Root-level is cleaner and recommended.
Concretely, in .github/workflows/rust.yml, add a permissions: block near the top, after name: Rust and before on:. Set it to:
permissions:
  contents: read
No additional imports or dependencies are required, and this does not alter any existing build behavior. It only constrains what the automatically provided GITHUB_TOKEN can do.
| @@ -1,5 +1,8 @@ | ||
| name: Rust | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ dev, main ] |
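Review bot: the root-level `permissions:` / `contents: read` is the right default for the build job, but the hunk ends at `branches: [ dev, main ]` and so does not show the rest of the `on:` block or any other jobs; if a job later needs write access (for example publishing a release), give that job its own job-level `permissions:` override rather than widening this root block, so the least-privilege default set here survives.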
No description provided.