Use reusable codecoverage workflow and add Playwright #10
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| outputs: | ||
| repository-name: ${{ steps.repo-name.outputs.name }} | ||
| steps: | ||
| - name: Extract repository name | ||
| id: repo-name | ||
| run: echo "name=$(echo ${{ github.repository }} | cut -d'/' -f2)" >> $GITHUB_OUTPUT | ||
|
|
||
| codecoverage: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 4 hours ago
In general, the fix is to explicitly define a restrictive permissions block for all jobs that use the default GITHUB_TOKEN, rather than relying on repository/organization defaults. For this workflow, the minimal safe choice is to add permissions: contents: read to the get-repo-name job, since it only needs to read repository metadata and does not appear to write anything. The codecoverage job already has an explicit permissions block, so no change is required there.
Concretely, in .github/workflows/codecoverage-main.yml, under the get-repo-name job (lines 17–24), insert a permissions: section after runs-on: ubuntu-latest giving it contents: read. This constrains the GITHUB_TOKEN used in that job to read‑only repository contents, aligning with the principle of least privilege without changing the job’s behavior. No imports or additional definitions are needed, as this is purely a YAML configuration change.
| @@ -16,6 +16,8 @@ | ||
| jobs: | ||
| get-repo-name: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| repository-name: ${{ steps.repo-name.outputs.name }} | ||
| steps: |
Summary
Adds reusable codecoverage workflow (was missing) and Playwright E2E; removes Cypress where applicable.
Changes
codecoverage-main.yml.brand-plugin-test-playwright.yml(where applicable).brand-plugin-test.yml(where applicable).Benefits