Fix test and CI failures by correcting the HOST port in Bruno test environment and collection files from localhost:3001 to localhost:3000 to match the actual server port.

- Updated HOST variable in both Local environment files
- Updated HOST variable in both collection files
- Removed outdated Newman HTML report upload from deploy workflow
- Added bruno-reports directory to .gitignore
- Fixed ESLint error in test.js (removed unused _err variable)

All tests now pass: 17 requests, 98 assertions (GPlayAPIUnitTests: 5/5 requests, 28/28 tests; GooglePlayAPI: 12/12 requests, 70/70 tests)
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 22 | ||
|
|
||
| - name: Check out repository code and Install | ||
| uses: actions/checkout@v4 | ||
| - run: npm install | ||
| - run: npm run generateoas | ||
| - run: npm start & npx wait-on http://localhost:3000 | ||
| - run: npm test |
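Review bot: `npx wait-on http://localhost:3000` in the server-start step resolves wait-on at run time, so unless it is declared in devDependencies (not visible in these lines) the job executes whatever version the registry serves at that moment. Declare it in package.json so the version is fixed, and if a lockfile is committed, change the `npm install` step to `npm ci` so CI installs exactly the locked dependency tree.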
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 20 days ago
In general, to fix this issue you should add an explicit permissions: block either at the workflow root (applies to all jobs) or within the specific job, granting only the minimal scopes required. For workflows that only need to check out code and run tests, contents: read is typically sufficient.
For this workflow, the bruno job checks out the repo and runs npm commands locally; there are no steps that need to push commits, create releases, or otherwise write to the repository via the GITHUB_TOKEN. The safest and simplest fix is to add permissions: contents: read at the workflow root, just under the name: line (or under on:), so all jobs—including bruno—run with read-only access to repository contents. This change does not alter the functional behavior of the steps, only the token’s permissions.
Concretely, edit .github/workflows/bruno.yml and insert:

    permissions:
      contents: read

near the top of the file (for example between name: Bruno Run and on:). No additional imports or methods are needed; this is purely a YAML configuration change.
| @@ -1,5 +1,8 @@ | ||
| name: Bruno Run | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| push: |
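Review bot: the new top-level `permissions:` block (new lines 3-4) has no comment explaining it, and once the block is present every scope it does not list is set to none for all jobs in this workflow. Add a one-line YAML comment above it stating that the workflow is read-only by design, and that a job which later needs write access should declare its own job-level `permissions:` instead of widening this one.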
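A small check for the condition this alert describes, as an added example (not code from the PR or from CodeQL): it lists jobs that have neither a workflow-level nor a job-level `permissions:` key. The function name and the sample workflow, reassembled from the page's fragments with assumed indentation, are constructed for illustration.

```python
import re

KEY = re.compile(r"\s*([A-Za-z0-9_-]+)\s*:")

def jobs_without_permissions(workflow_text):
    """Return names of jobs left on the default GITHUB_TOKEN scopes.

    Line-based scan; assumes block-style YAML indented with spaces."""
    top_level, in_jobs = False, False
    job_indent = key_indent = current = None
    own = {}  # job name -> declares its own permissions block
    for raw in workflow_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = KEY.match(line)
        name = m.group(1) if m else None  # None for list items ("- run: ...")
        if indent == 0:
            in_jobs = name == "jobs"
            top_level = top_level or name == "permissions"
            job_indent = key_indent = current = None
        elif in_jobs and name:
            if job_indent is None:
                job_indent = indent  # first key under jobs: fixes job-name indent
            if indent == job_indent:
                current, key_indent = name, None
                own[current] = False
            elif current:
                if key_indent is None:
                    key_indent = indent  # indent of the job's direct keys
                if indent == key_indent and name == "permissions":
                    own[current] = True
    return [] if top_level else [j for j, ok in own.items() if not ok]

# Constructed sample: the page's workflow fragments, indentation assumed.
BEFORE = """\
name: Bruno Run
on:
  workflow_dispatch:
  push:
jobs:
  bruno:
    runs-on: ubuntu-latest
    steps:
      - run: npm install
      - run: npm test
"""
AFTER = BEFORE.replace("on:\n", "permissions:\n  contents: read\non:\n", 1)
print(jobs_without_permissions(BEFORE), jobs_without_permissions(AFTER))  # ['bruno'] []
```

Run over every file in `.github/workflows/`, a non-empty result is a job that still receives the repository's default token scopes.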
Replace postman-to-openapi (Node <20) with @scalar/postman-to-openapi (Node >=20) to fix CI install warnings. Also add husky to devDependencies and remove deprecated eslint-plugin-standard.

- Replace postman-to-openapi with @scalar/postman-to-openapi
- Add husky@9.1.7 to devDependencies
- Remove deprecated eslint-plugin-standard
- Create scripts/generate-openapi.js using @scalar/postman-to-openapi convert API
- Update generateoas script to use new converter
- All tests pass (17 requests, 98 assertions)

Remove the prepare script that was trying to run 'husky install', which is deprecated in husky 9.x. The .husky/ directory and pre-commit hooks are already configured and work correctly.

- Remove 'prepare' script from package.json
- Husky 9.x doesn't need 'husky install' command
- Hooks in .husky/ directory work without prepare script
- CI installs now complete without husky errors

No description provided.