Update String-Ids-toObjectIds #529
base: String-Ids-to-ObjectIds
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.13.0 to 22.13.13. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [minimongo](https://github.com/mWater/minimongo) from 6.19.0 to 7.0.0. - [Changelog](https://github.com/mWater/minimongo/blob/master/CHANGELOG.md) - [Commits](https://github.com/mWater/minimongo/commits) --- updated-dependencies: - dependency-name: minimongo dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
…box into public-pit-reports
…/types/node-22.13.13 [npm]: Bump @types/node from 22.13.0 to 22.13.13
Public pit reports
…/minimongo-7.0.0 [npm]: Bump minimongo from 6.19.0 to 7.0.0
Signin method warning
Shuffles scouters.
…/react-chartjs-2-5.3.0 [npm]: Bump react-chartjs-2 from 5.2.0 to 5.3.0
Bumps [resend](https://github.com/resendlabs/resend-node) from 4.2.0 to 4.3.0. - [Release notes](https://github.com/resendlabs/resend-node/releases) - [Commits](resend/resend-node@v4.2.0...v4.3.0) --- updated-dependencies: - dependency-name: resend dependency-version: 4.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [bootstrap](https://github.com/twbs/bootstrap) from 5.3.3 to 5.3.5. - [Release notes](https://github.com/twbs/bootstrap/releases) - [Commits](twbs/bootstrap@v5.3.3...v5.3.5) --- updated-dependencies: - dependency-name: bootstrap dependency-version: 5.3.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@playwright/test](https://github.com/microsoft/playwright) from 1.51.1 to 1.52.0. - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.51.1...v1.52.0) --- updated-dependencies: - dependency-name: "@playwright/test" dependency-version: 1.52.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the npm_and_yarn group with 1 update: [formidable](https://github.com/node-formidable/formidable). Updates `formidable` from 3.5.2 to 3.5.4 - [Release notes](https://github.com/node-formidable/formidable/releases) - [Changelog](https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md) - [Commits](https://github.com/node-formidable/formidable/commits) --- updated-dependencies: - dependency-name: formidable dependency-version: 3.5.4 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
…/npm_and_yarn-12fbce29b8 [npm]: Bump formidable from 3.5.2 to 3.5.4 in the npm_and_yarn group
…/playwright/test-1.52.0 [npm]: Bump @playwright/test from 1.51.1 to 1.52.0
…/bootstrap-5.3.5 [npm]: Bump bootstrap from 5.3.3 to 5.3.5
…/resend-4.3.0 [npm]: Bump resend from 4.2.0 to 4.3.0
Minor wording change on create team page
…-mongo-adapter Conform auth adapter to Mongo adapter
…-adapter-to-mongo-adapter Revert "Conform auth adapter to Mongo adapter"
| timeout-minutes: 60 | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| # Make sure to require each shard in GitHub! | ||
| shardIndex: [1, 2, 3, 4] | ||
| shardTotal: [4] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: lts/* | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Install Playwright browsers | ||
| run: npx playwright install --with-deps | ||
|
|
||
| - name: Start MongoDB | ||
| uses: supercharge/mongodb-github-action@1.12.0 | ||
| with: | ||
| mongodb-version: "8.0" | ||
|
|
||
| - name: Run Playwright tests | ||
| run: npx cross-env NODE_ENV=test playwright test --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} | ||
|
|
||
| - name: Upload blob report to GitHub Actions Artifacts | ||
| if: ${{ !cancelled() }} | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: blob-report-${{ matrix.shardIndex }} | ||
| path: blob-report | ||
| retention-days: 1 | ||
|
|
||
| merge_reports: |
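Review bot: The "Start MongoDB" step references a third-party action by a mutable tag, `supercharge/mongodb-github-action@1.12.0`; pin it to a full commit SHA (with the version kept in a trailing comment) so that a moved tag cannot change what runs in this job. The same pinning is worth applying to the `@v4` references for `actions/checkout`, `actions/setup-node` and `actions/upload-artifact`, and `node-version: lts/*` will change the Node major version over time, so a fixed major keeps shard results comparable between runs.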
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 days ago
In general, this issue is fixed by explicitly setting the permissions for the GITHUB_TOKEN at the workflow or job level, instead of relying on organization/repository defaults. For test workflows like this one, contents: read is typically sufficient, as the workflow only checks out code and uses artifacts, and does not need to write to the repository, issues, or pull requests.
The best fix here, without changing existing functionality, is to add a permissions block at the top level of .github/workflows/e2e_test.yml, just below name: (or immediately after on:). This root-level permissions configuration will apply to all jobs (e2e_tests and merge_reports) since neither defines its own permissions. The minimal safe starting point per CodeQL’s suggestion is contents: read, which allows actions/checkout@v4 to function while avoiding unnecessary write access. No additional imports or methods are needed; only the YAML configuration is updated.
Concretely: in .github/workflows/e2e_test.yml, insert:
```yaml
permissions:
  contents: read
```
near the top of the file (e.g., after line 2), keeping indentation aligned with name: and on: keys.
| @@ -1,5 +1,7 @@ | ||
| name: Playwright Tests | ||
| on: [workflow_dispatch, workflow_call] | ||
| permissions: | ||
| contents: read | ||
| jobs: | ||
| e2e_tests: | ||
| timeout-minutes: 60 |
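Review bot: Because the trigger line `on: [workflow_dispatch, workflow_call]` also makes this a reusable workflow, the added `permissions:` block can only narrow what a calling workflow grants, never raise it. Confirm that each caller gives the calling job at least `contents: read`, and consider declaring `permissions:` on `e2e_tests` and `merge_reports` individually so that a later change to one job's needs does not widen the token for the other.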
| if: ${{ !cancelled() }} | ||
| needs: [e2e_tests] | ||
|
|
||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: lts/* | ||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Download blob reports from GitHub Actions Artifacts | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| path: all-blob-reports | ||
| pattern: blob-report-* | ||
| merge-multiple: true | ||
|
|
||
| - name: Merge into HTML Report | ||
| run: npx playwright merge-reports --reporter html ./all-blob-reports | ||
|
|
||
| - name: Upload HTML report | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: html-report--attempt-${{ github.run_attempt }} | ||
| path: playwright-report | ||
| retention-days: 14 |
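Review bot: In `merge_reports`, `actions/checkout@v4` is followed by `npm ci` and `npx playwright merge-reports`, both of which run third-party package code, and the checkout step by default leaves the job token in the local git configuration for the rest of the job. Nothing later in the job fetches or pushes, so add `with:` / `persist-credentials: false` to the checkout step here (and to the one in `e2e_tests`, which is followed by the same `npm ci`).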
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 days ago
In general, the fix is to explicitly declare a permissions block in the workflow so that the GITHUB_TOKEN used by jobs has only the minimal scopes required. For this workflow, the jobs check out the code (actions/checkout) and interact with artifacts (actions/upload-artifact, actions/download-artifact). These operations only require contents: read plus the default access that Actions grants for artifacts; no repository write or administrative permissions are needed.
The best minimal fix without changing functionality is to add a top-level permissions block so it applies to all jobs (e2e_tests and merge_reports). This should be placed near the top of .github/workflows/e2e_test.yml, after the on: block, and set contents: read. No other permission scopes appear necessary from the provided snippet. No imports or additional methods are needed; we only modify the YAML workflow definition.
Specifically: edit .github/workflows/e2e_test.yml to insert:
```yaml
permissions:
  contents: read
```
between the existing on: [workflow_dispatch, workflow_call] line and the jobs: line. This constrains the GITHUB_TOKEN for all jobs in this workflow while preserving existing behavior.
| @@ -1,5 +1,7 @@ | ||
| name: Playwright Tests | ||
| on: [workflow_dispatch, workflow_call] | ||
| permissions: | ||
| contents: read | ||
| jobs: | ||
| e2e_tests: | ||
| timeout-minutes: 60 |
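Review bot: Apply only one of the two autofix suggestions for this file: the `permissions:` / `contents: read` pair added here between `on:` and `jobs:` is identical to the one proposed for the earlier alert, and committing both would duplicate the top-level `permissions:` key. One workflow-level block resolves both CodeQL alerts, since neither `e2e_tests` nor `merge_reports` sets its own.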
No description provided.