From d92c6ba91295c098db0b7dddb107ed6489031738 Mon Sep 17 00:00:00 2001 From: purwaren Date: Fri, 20 Mar 2026 10:09:50 +0700 Subject: [PATCH 1/2] Clean up GitHub workflow token usage --- .github/workflows/build.yml | 3 ++- .github/workflows/ci.yml | 10 +++++++--- .github/workflows/generate-pot-file.yml | 3 ++- .github/workflows/linters.yml | 7 +++++-- .github/workflows/make_release_pr.yml | 6 +++++- .github/workflows/on_release.yml | 12 +++++++++--- .github/workflows/release_notes.yml | 6 +++--- .github/workflows/semantic.yml | 5 ++++- .github/workflows/ui-tests.yml | 24 +++++++++++++++--------- memory-bank/activeContext.md | 4 ++++ memory-bank/progress.md | 4 ++++ 11 files changed, 60 insertions(+), 24 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8d893da607..38d0aa6671 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,6 +14,7 @@ jobs: arch: [amd64] permissions: + contents: read packages: write steps: @@ -32,7 +33,7 @@ jobs: with: registry: ghcr.io username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ github.token }} # Build from this repo and ref so the image contains the code being built. # For tags like v1.0, image tag is 1.0 (without the leading v). diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 66d9b00ae6..9832c73469 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,10 @@ on: - develop - main-hotfix pull_request: {} + +permissions: + contents: read + jobs: tests: name: Server Tests @@ -33,7 +37,7 @@ jobs: MYSQL_ROOT_PASSWORD: root options: --health-cmd="mysqladmin ping" --health-interval=5s --health-timeout=2s --health-retries=3 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: setup python uses: actions/setup-python@v6 with: @@ -100,7 +104,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Clone - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Download artifacts uses: actions/download-artifact@v4 @@ -111,4 +115,4 @@ jobs: name: Server token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: true - verbose: true \ No newline at end of file + verbose: true diff --git a/.github/workflows/generate-pot-file.yml b/.github/workflows/generate-pot-file.yml index eea3e93a88..e3fdac6142 100644 --- a/.github/workflows/generate-pot-file.yml +++ b/.github/workflows/generate-pot-file.yml @@ -14,6 +14,7 @@ jobs: branch: ["develop"] permissions: contents: write + pull-requests: write steps: - name: Checkout @@ -35,5 +36,5 @@ jobs: run: | bash ${GITHUB_WORKSPACE}/.github/helper/update_pot_file.sh env: - GH_TOKEN: ${{ secrets.RELEASE_TOKEN }} + GH_TOKEN: ${{ github.token }} BASE_BRANCH: ${{ matrix.branch }} diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml index 06b29eb764..31cb37fcef 100644 --- a/.github/workflows/linters.yml +++ b/.github/workflows/linters.yml @@ -6,6 +6,9 @@ on: push: branches: [ main ] +permissions: + contents: read + jobs: commit-lint: name: 'Semantic Commits' @@ -32,7 +35,7 @@ jobs: if: github.event_name == 'pull_request' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v6 @@ -58,4 +61,4 @@ jobs: run: pip install semgrep - name: Run Semgrep rules - run: semgrep ci --config ./frappe-semgrep-rules/rules \ No newline at end of file + run: semgrep ci --config ./frappe-semgrep-rules/rules diff --git a/.github/workflows/make_release_pr.yml b/.github/workflows/make_release_pr.yml index 9a4528b913..47f065d8b8 100644 --- a/.github/workflows/make_release_pr.yml +++ b/.github/workflows/make_release_pr.yml @@ -4,6 +4,10 @@ on: - cron: '30 3 * * 3' workflow_dispatch: +permissions: + contents: read + pull-requests: write + jobs: release: name: Release @@ -23,4 +27,4 @@ jobs: base: main head: main-hotfix env: - GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} \ No newline at end of file + GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/on_release.yml b/.github/workflows/on_release.yml index 623fd9f88a..6f69fe3320 100644 --- a/.github/workflows/on_release.yml +++ b/.github/workflows/on_release.yml @@ -4,6 +4,12 @@ on: push: branches: - main + +permissions: + contents: write + issues: write + pull-requests: write + jobs: release: name: Release @@ -23,10 +29,10 @@ jobs: npm install @semantic-release/git @semantic-release/exec --no-save - name: Create Release env: - GH_TOKEN: ${{ secrets.RELEASE_TOKEN }} - GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} + GH_TOKEN: ${{ github.token }} + GITHUB_TOKEN: ${{ github.token }} GIT_AUTHOR_NAME: "Frappe PR Bot" GIT_AUTHOR_EMAIL: "developers@frappe.io" GIT_COMMITTER_NAME: "Frappe PR Bot" GIT_COMMITTER_EMAIL: "developers@frappe.io" - run: npx semantic-release \ No newline at end of file + run: npx semantic-release diff --git a/.github/workflows/release_notes.yml b/.github/workflows/release_notes.yml index 52698116be..1bd6fdd165 100644 --- a/.github/workflows/release_notes.yml +++ b/.github/workflows/release_notes.yml @@ -17,7 +17,7 @@ on: types: [released] permissions: - contents: read + contents: write jobs: regen-notes: @@ -35,5 +35,5 @@ jobs: RELEASE_ID=$(gh api -H "Accept: application/vnd.github+json" /repos/frappe/lms/releases/tags/$RELEASE_TAG | jq -r '.id') gh api --method PATCH -H "Accept: application/vnd.github+json" /repos/frappe/lms/releases/$RELEASE_ID -f body="$NEW_NOTES" env: - GH_TOKEN: ${{ secrets.RELEASE_TOKEN }} - RELEASE_TAG: ${{ github.event.inputs.tag_name || github.event.release.tag_name }} \ No newline at end of file + GH_TOKEN: ${{ github.token }} + RELEASE_TAG: ${{ github.event.inputs.tag_name || github.event.release.tag_name }} diff --git a/.github/workflows/semantic.yml b/.github/workflows/semantic.yml index 3978a91fa2..af46d8c4b2 100644 --- a/.github/workflows/semantic.yml +++ b/.github/workflows/semantic.yml @@ -5,6 +5,9 @@ on: branches: [ main ] pull_request: {} +permissions: + contents: read + jobs: # This workflow contains a single job called "build" semantic: @@ -14,6 +17,6 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - uses: zeke/semantic-pull-requests@main diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml index 7269fccdd8..f7be07734a 100644 --- a/.github/workflows/ui-tests.yml +++ b/.github/workflows/ui-tests.yml @@ -10,7 +10,6 @@ on: - main-hotfix permissions: - # Do not change this as GITHUB_TOKEN is being used by roulette contents: read jobs: @@ -35,7 +34,7 @@ jobs: steps: - name: Clone - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Python uses: actions/setup-python@v6 @@ -104,22 +103,29 @@ jobs: bench --site lms.test set-password frappe@example.com admin bench --site lms.test execute lms.lms.utils.persona_captured - - name: cypress pre-requisites - run: | - cd ~/frappe-bench/apps/lms - yarn add cypress@^10 --no-lockfile -W - - name: UI Tests run: cd ~/frappe-bench/ && bench --site lms.test run-ui-tests lms --headless env: CYPRESS_BASE_URL: http://lms.test:8000 - CYPRESS_RECORD_KEY: 095366ec-7b9f-41bd-aeec-03bb76d627fe + CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} - name: Stop server and wait for coverage file + if: ${{ always() }} run: | ps -ef | grep "[f]rappe serve" | awk '{print $2}' | xargs kill -s SIGINT sleep 5 + - name: Upload UI artifacts + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ui-test-artifacts + if-no-files-found: ignore + path: | + ~/frappe-bench/bench_start.log + ~/frappe-bench/apps/lms/cypress/screenshots + ~/frappe-bench/apps/lms/cypress/videos + - name: Show bench output if: ${{ always() }} - run: cat ~/frappe-bench/bench_start.log || true \ No newline at end of file + run: cat ~/frappe-bench/bench_start.log || true diff --git a/memory-bank/activeContext.md b/memory-bank/activeContext.md index 5b5632bb0e..287ab1eae3 100644 --- a/memory-bank/activeContext.md +++ b/memory-bank/activeContext.md @@ -4,6 +4,7 @@ - 2026-03-18: Complete a comprehensive repo analysis and refresh the project memory bank to match the current codebase. - 2026-03-18: Establish a reliable baseline for future feature work by documenting architecture, stack, constraints, and risks. - 2026-03-20: Refresh the learner-facing drag and drop activity so the answer bank feels more colorful, interactive, and mobile-friendly. +- 2026-03-20: Simplify GitHub Actions token usage by preferring the built-in `github.token` for repo-local automation and GHCR publishing. ## Recent Changes - 2026-03-18: Reviewed repository docs, packaging files, hooks, auth layer, SPA router, frontend bootstrap, and test/CI surface. @@ -11,10 +12,12 @@ - 2026-03-18: Preserved the existing `memory-bank/` directory and treated this task as a refresh rather than creating empty starter files. - 2026-03-20: Updated `frontend/src/components/DragDrop.vue` to use a tinted answer bank container, palette-based answer buttons, and clearer selected/drag/drop target states without changing submission payloads. - 2026-03-20: Confirmed this app runs inside the parent Docker Compose project at `/Users/purwaren/Projects/frappe/frappe-learning/docker-compose.yml` and frontend verification should target the `frappe` container path `/home/frappe/frappe-bench/apps/lms`. +- 2026-03-20: Updated GitHub workflows to prefer `github.token` over a custom release token for repo-local release, note regeneration, PR automation, translation PRs, and GHCR publishing; also standardized several checkout actions and improved UI test artifact capture. ## Next Actions - Continue frontend verification from the parent compose project using `docker compose exec frappe ...` instead of host-shell builds. - Investigate why `yarn build` in the `frappe` container remains inside the Vite build phase for several minutes without completing. +- Watch the next GitHub Actions runs to confirm built-in token permissions are sufficient for release notes, weekly release PR creation, semantic release, and POT-file PR automation. - Use the memory bank as the starting context for the next implementation or review task in this repo. - Expand system notes when future work touches under-documented areas like payments, search indexing, or SCORM delivery. @@ -23,3 +26,4 @@ - Deeper product or operational history still depends on external issues, PRs, and deployment context not stored in this repo. - Host-shell frontend validation is misleading in this workspace because the app is meant to run inside Docker. - Container-side frontend validation currently hangs in `vite build` when run as `docker compose exec frappe bash -lc 'cd /home/frappe/frappe-bench/apps/lms/frontend && yarn build'`. +- Built-in GitHub token behavior still needs live workflow confirmation for jobs that mutate releases or open PRs, even though the YAML permissions now match those intents. diff --git a/memory-bank/progress.md b/memory-bank/progress.md index 9995d75653..6bc9fb55db 100644 --- a/memory-bank/progress.md +++ b/memory-bank/progress.md @@ -8,14 +8,17 @@ - 2026-03-18: Initialized the memory bank in the required six-file layout with repo-specific content. - 2026-03-20: Refreshed the learner-facing drag and drop answer bank with a colorful container, palette-based answer buttons, and clearer visual states for select, drag, and drop interactions in `frontend/src/components/DragDrop.vue`. - 2026-03-20: Verified the active local runtime is the parent Docker Compose project, with frontend commands expected to run through `docker compose exec frappe ...` against `/home/frappe/frappe-bench/apps/lms`. +- 2026-03-20: Updated GitHub Actions workflows to use the built-in `github.token` for GHCR publishing and repo-local automation, added explicit permissions to more workflows, removed the hardcoded Cypress record key, removed the CI-time Cypress install step, and uploaded UI artifacts on every run. ## In Progress - Frontend verification for the drag and drop refresh is still in progress because the containerized `yarn build` does not complete after entering the Vite transform/build phase. +- Workflow cleanup still needs live GitHub run verification to confirm every release-related job works with built-in token permissions. ## Todo - Keep the memory bank current as future feature work, fixes, and design decisions land. - Add deeper historical notes when specific subsystems are modified or reviewed in detail. - Diagnose why `docker compose exec frappe bash -lc 'cd /home/frappe/frappe-bench/apps/lms/frontend && yarn build'` hangs during `vite build`. +- Review whether the remaining PR semantic action should also be pinned or replaced with a more stable dependency reference. ## Risks - The API and DocType surface area is large, so changes can have non-obvious cross-feature effects. @@ -23,3 +26,4 @@ - Existing memory bank content can go stale quickly unless updated after each substantial task. - Host-only frontend tooling can mislead verification because the canonical runtime in this workspace is the Dockerized `frappe` container. - Long-running or stuck container builds can leave background `vite build` processes behind if verification attempts are not cleaned up. +- Some release jobs may still reveal hidden permission gaps once they run against GitHub, especially where branch pushes, PR creation, or release mutation depend on repository settings beyond workflow YAML. From fe43dc0bb9284bdee0b65c8d92c58e67d1f4e4f1 Mon Sep 17 00:00:00 2001 From: purwaren Date: Fri, 20 Mar 2026 16:13:03 +0700 Subject: [PATCH 2/2] Remove duplicate commitlint workflow --- .github/workflows/linters.yml | 19 ------------------- memory-bank/activeContext.md | 2 ++ memory-bank/progress.md | 2 ++ 3 files changed, 4 insertions(+), 19 deletions(-) diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml index 31cb37fcef..4cddcb0033 100644 --- a/.github/workflows/linters.yml +++ b/.github/workflows/linters.yml @@ -10,25 +10,6 @@ permissions: contents: read jobs: - commit-lint: - name: 'Semantic Commits' - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' - - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 200 - - uses: actions/setup-node@v6 - with: - node-version: 24 - check-latest: true - - - name: Check commit titles - run: | - npm install @commitlint/cli @commitlint/config-conventional - npx commitlint --verbose --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} - linters: name: Semgrep Rules runs-on: ubuntu-latest diff --git a/memory-bank/activeContext.md b/memory-bank/activeContext.md index 287ab1eae3..3de7213a56 100644 --- a/memory-bank/activeContext.md +++ b/memory-bank/activeContext.md @@ -13,11 +13,13 @@ - 2026-03-20: Updated `frontend/src/components/DragDrop.vue` to use a tinted answer bank container, palette-based answer buttons, and clearer selected/drag/drop target states without changing submission payloads. - 2026-03-20: Confirmed this app runs inside the parent Docker Compose project at `/Users/purwaren/Projects/frappe/frappe-learning/docker-compose.yml` and frontend verification should target the `frappe` container path `/home/frappe/frappe-bench/apps/lms`. - 2026-03-20: Updated GitHub workflows to prefer `github.token` over a custom release token for repo-local release, note regeneration, PR automation, translation PRs, and GHCR publishing; also standardized several checkout actions and improved UI test artifact capture. +- 2026-03-20: Removed the duplicate `Semantic Commits` job from `.github/workflows/linters.yml` after confirming workflow failures were caused by commitlint, not the separate PR-title validation workflow. Repo rule is now to enforce semantic PR titles, not every commit message. ## Next Actions - Continue frontend verification from the parent compose project using `docker compose exec frappe ...` instead of host-shell builds. - Investigate why `yarn build` in the `frappe` container remains inside the Vite build phase for several minutes without completing. - Watch the next GitHub Actions runs to confirm built-in token permissions are sufficient for release notes, weekly release PR creation, semantic release, and POT-file PR automation. +- Watch the next PR run to confirm `Validate PR title` remains the only semantic gate and that the removed commitlint check no longer blocks non-conventional commit messages. - Use the memory bank as the starting context for the next implementation or review task in this repo. - Expand system notes when future work touches under-documented areas like payments, search indexing, or SCORM delivery. diff --git a/memory-bank/progress.md b/memory-bank/progress.md index 6bc9fb55db..c86d922da1 100644 --- a/memory-bank/progress.md +++ b/memory-bank/progress.md @@ -9,10 +9,12 @@ - 2026-03-20: Refreshed the learner-facing drag and drop answer bank with a colorful container, palette-based answer buttons, and clearer visual states for select, drag, and drop interactions in `frontend/src/components/DragDrop.vue`. - 2026-03-20: Verified the active local runtime is the parent Docker Compose project, with frontend commands expected to run through `docker compose exec frappe ...` against `/home/frappe/frappe-bench/apps/lms`. - 2026-03-20: Updated GitHub Actions workflows to use the built-in `github.token` for GHCR publishing and repo-local automation, added explicit permissions to more workflows, removed the hardcoded Cypress record key, removed the CI-time Cypress install step, and uploaded UI artifacts on every run. +- 2026-03-20: Removed duplicate commitlint enforcement from `.github/workflows/linters.yml` so semantic PR titles remain the single semantic convention gate. ## In Progress - Frontend verification for the drag and drop refresh is still in progress because the containerized `yarn build` does not complete after entering the Vite transform/build phase. - Workflow cleanup still needs live GitHub run verification to confirm every release-related job works with built-in token permissions. +- Workflow cleanup still needs live PR verification to confirm the semantic gate now comes only from PR title validation. ## Todo - Keep the memory bank current as future feature work, fixes, and design decisions land.