| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Install system dependencies | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y \ | ||
| protobuf-compiler \ | ||
| libprotobuf-dev \ | ||
| libclang-dev \ | ||
| clang \ | ||
| cmake \ | ||
| build-essential | ||
|
|
||
| - name: Install Rust toolchain | ||
| uses: dtolnay/rust-toolchain@stable | ||
| with: | ||
| components: rustfmt, clippy | ||
|
|
||
| - name: Build node with release, fast-runtime, and metadata-hash | ||
| run: | | ||
| cargo build \ | ||
| --profile release \ | ||
| --features "fast-runtime metadata-hash pow-faucet" \ | ||
| -p node-subtensor | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "24" | ||
|
|
||
| - name: Install start-nodes dependencies | ||
| working-directory: e2e/start-nodes | ||
| run: npm install | ||
|
|
||
| - name: Start validator nodes | ||
| working-directory: e2e/start-nodes | ||
| run: npx tsx main.ts | ||
|
|
||
| - name: Install polkadot-api for papi CLI | ||
| working-directory: e2e | ||
| run: npm install | ||
|
|
||
| - name: Generate PAPI descriptors from running node | ||
| working-directory: e2e | ||
| run: | | ||
| rm -rf .papi | ||
| npx papi add devnet -w ws://localhost:9944 | ||
|
|
||
| - name: Install shared dependencies | ||
| working-directory: e2e/shared | ||
| run: npm install | ||
|
|
||
| - name: Install staking-tests dependencies | ||
| working-directory: e2e/staking-tests | ||
| run: npm install | ||
|
|
||
| - name: Run staking tests | ||
| working-directory: e2e/staking-tests | ||
| run: npm test |
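Review bot: the "Install Rust toolchain" step uses dtolnay/rust-toolchain@stable, which tracks a mutable branch, and actions/checkout@v4 and actions/setup-node@v4 are mutable tags, so the code this job executes can change without any change to this file. Pin each "uses:" reference to a full commit SHA and keep the version in a trailing comment. Separately, the four "run: npm install" steps (e2e/start-nodes, e2e, e2e/shared, e2e/staking-tests) may resolve different dependency versions from one run to the next; if lockfiles are committed in those directories, "npm ci" would make the installs reproducible and fail on lockfile drift.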
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 days ago
The fix is to explicitly restrict the GITHUB_TOKEN permissions for this workflow to the minimum needed. The job only needs to read the repository contents (for actions/checkout@v4); it does not create releases, push commits, open issues, or modify PRs. Therefore, we can safely set contents: read either at the workflow root (applying to all jobs) or on the e2e-tests job itself. To keep the change minimal and clear, add a top-level permissions: block just after the on: block.
Concretely, in .github/workflows/e2e.yml, insert:
    permissions:
      contents: read
between the on: section and the concurrency: section (after line 5, before line 6 in the provided snippet). No additional imports or methods are needed, as this is purely a YAML configuration change.
| @@ -3,6 +3,9 @@ | ||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: e2e-${{ github.ref }} | ||
| cancel-in-progress: true |
Description
This PR contains an example of an E2E workflow for subtensor.
Content
mocha test (add_stake).
Comment
The PR uses TS code from our check-node-compat workflow to manage nodes, polkadot api to generate typed metadata from the current runtime version similar to our current contract-tests package.