Replace #105, with non fork #111
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
RossBugginsNHS
force-pushed
the
rossbugginsnhs/2025-11-17/post-schema-merge-changes-001
branch
2 times, most recently
from
b43a8e3 to
dd1312d
Compare
RossBugginsNHS
force-pushed
the
rossbugginsnhs/2025-11-17/post-schema-merge-changes-001
branch
from
dd1312d to
f7c72eb
Compare
- Add test_schema_handling.py to cover previously uncovered error paths - Test bundled schema copy errors and data schema handling - Test schema parsing errors and missing file scenarios - Test relationship update edge cases with missing files - Test import_all edge cases (missing dir, combined files, errors) - Test event content generation with various schema combinations - Coverage improved from 87% to 96% on import_asyncapi.py - Addresses SonarCloud coverage failure on new code in PR #111
- Replace [ with [[ for safer conditional tests (7 HIGH RELIABILITY issues) - Redirect error messages to stderr with >&2 (5 MEDIUM MAINTAINABILITY issues) - Add explicit return statements to all functions (7 MEDIUM MAINTAINABILITY issues) All changes follow SonarCloud shell script best practices for improved reliability and maintainability.
The Python coverage.xml files were being generated but not downloaded in the static analysis step. This adds a step to download the python-coverage-reports artifact so SonarCloud can see the coverage for eventcatalogasyncapiimporter, asyncapigenerator, and other Python projects.
When using a glob pattern like 'src/**/coverage.xml', upload-artifact strips the leading directory structure. This causes the coverage files to be uploaded without the 'src/' prefix, so when SonarCloud looks for 'src/eventcatalogasyncapiimporter/coverage.xml', the file isn't there. Fixed by explicitly listing each coverage.xml file path to preserve the full directory structure.
Comment on lines
+40
to
+112
| name: "Publish Docs" | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 | ||
|
|
||
| timeout-minutes: 15 | ||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@v5 | ||
|
|
||
| - name: "Get artifacts: jekyll docs" | ||
| uses: actions/download-artifact@v5 | ||
| - name: "Publish docs" | ||
| uses: ./.github/actions/publish-docs | ||
| with: | ||
| path: ./artifacts/jekyll-docs-${{ inputs.version }} | ||
| name: jekyll-docs-${{ inputs.version }} | ||
| version: "${{ inputs.version }}" | ||
| is_version_prerelease: "${{ inputs.is_version_prerelease }}" | ||
|
|
||
| - name: "Get artifacts: schema" | ||
| uses: actions/download-artifact@v5 | ||
| with: | ||
| path: ./artifacts/schemas-${{ inputs.version }} | ||
| name: schemas-${{ inputs.version }} | ||
| # publish: | ||
| # name: "Publish packages" | ||
| # runs-on: ubuntu-latest | ||
| # timeout-minutes: 10 | ||
|
|
||
| # steps: | ||
| # - name: "Checkout code" | ||
| # uses: actions/checkout@v5 | ||
|
|
||
| # - name: "Get artifacts: jekyll docs" | ||
| # uses: actions/download-artifact@v5 | ||
| # with: | ||
| # path: ./artifacts/jekyll-docs-${{ inputs.version }} | ||
| # name: jekyll-docs-${{ inputs.version }} | ||
|
|
||
| # - name: "Get artifacts: schema" | ||
| # uses: actions/download-artifact@v5 | ||
| # with: | ||
| # path: ./artifacts/schemas-${{ inputs.version }} | ||
| # name: schemas-${{ inputs.version }} | ||
|
|
||
|
|
||
| - name: Draft Release | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| GH_REPO: ${{ github.repository }} | ||
| run: | | ||
| gh release create \ | ||
| "${{ inputs.version }}" \ | ||
| --draft \ | ||
| --latest \ | ||
| --title "${{ inputs.version }}" \ | ||
| --notes "Release of ${{ inputs.version }}" \ | ||
| ${{ inputs.is_version_prerelease == 'true' && '--prerelease' || '' }} | ||
| # - name: Draft Release | ||
| # env: | ||
| # GH_TOKEN: ${{ github.token }} | ||
| # GH_REPO: ${{ github.repository }} | ||
| # run: | | ||
| # gh release create \ | ||
| # "${{ inputs.version }}" \ | ||
| # --draft \ | ||
| # --latest \ | ||
| # --title "${{ inputs.version }}" \ | ||
| # --notes "Release of ${{ inputs.version }}" \ | ||
| # ${{ inputs.is_version_prerelease == 'true' && '--prerelease' || '' }} | ||
|
|
||
| - name: "Upload jeykll docs release asset" | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| GH_REPO: ${{ github.repository }} | ||
| run: | | ||
| cp ./artifacts/jekyll-docs-${{ inputs.version }}/artifact.tar $RUNNER_TEMP/jekyll-docs-${{ inputs.version }}.tar | ||
| gh release upload \ | ||
| "${{ inputs.version }}" \ | ||
| $RUNNER_TEMP/jekyll-docs-${{ inputs.version }}.tar#jekyll-docs-${{ inputs.version }} | ||
| # - name: "Upload jeykll docs release asset" | ||
| # env: | ||
| # GH_TOKEN: ${{ github.token }} | ||
| # GH_REPO: ${{ github.repository }} | ||
| # run: | | ||
| # cp ./artifacts/jekyll-docs-${{ inputs.version }}/artifact.tar $RUNNER_TEMP/jekyll-docs-${{ inputs.version }}.tar | ||
| # gh release upload \ | ||
| # "${{ inputs.version }}" \ | ||
| # $RUNNER_TEMP/jekyll-docs-${{ inputs.version }}.tar#jekyll-docs-${{ inputs.version }} | ||
|
|
||
| - name: "Upload schema release asset" | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| GH_REPO: ${{ github.repository }} | ||
| run: | | ||
| cp ./artifacts/schemas-${{ inputs.version }}/artifact.tar $RUNNER_TEMP/schemas-${{ inputs.version }}.tar | ||
| gh release upload \ | ||
| "${{ inputs.version }}" \ | ||
| $RUNNER_TEMP/schemas-${{ inputs.version }}.tar#schemas-${{ inputs.version }} | ||
| # - name: "Upload schema release asset" | ||
| # env: | ||
| # GH_TOKEN: ${{ github.token }} | ||
| # GH_REPO: ${{ github.repository }} | ||
| # run: | | ||
| # cp ./artifacts/schemas-${{ inputs.version }}/artifact.tar $RUNNER_TEMP/schemas-${{ inputs.version }}.tar | ||
| # gh release upload \ | ||
| # "${{ inputs.version }}" \ | ||
| # $RUNNER_TEMP/schemas-${{ inputs.version }}.tar#schemas-${{ inputs.version }} | ||
|
|
||
|
|
||
| - name: Publish Release | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| GH_REPO: ${{ github.repository }} | ||
| run: gh release edit "${{ inputs.version }}" --draft=false | ||
| # - name: Publish Release | ||
| # env: | ||
| # GH_TOKEN: ${{ github.token }} | ||
| # GH_REPO: ${{ github.repository }} | ||
| # run: gh release edit "${{ inputs.version }}" --draft=false |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 month ago
To fix this problem, an explicit permissions block should be added to the workflow, scoped appropriately to the job (or to the root of the workflow if every job has the same needs). Since the publish-docs job just checks out code and runs a documentation publishing action, it is likely that it only needs contents: read permission for the GITHUB_TOKEN. Therefore, add a permissions block with contents: read under the publish-docs job (line 39–40). This change is enough to ensure that the GITHUB_TOKEN exposed to that job is appropriately constrained. No imports or method definitions are needed.
Suggested changeset
1
.github/workflows/stage-5-publish.yaml
| @@ -38,6 +38,8 @@ | ||
| jobs: | ||
| publish-docs: | ||
| name: "Publish Docs" | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 15 | ||
| steps: |
Copilot is powered by AI and may make mistakes. Always verify output.
…curity hotspots - Move all GitHub Actions inputs to environment variables to prevent command injection (S7630) - Add non-root user to Docker test image (S6471) - Pin peter-evans/create-pull-request to full commit SHA (S7637) Fixed 27 BLOCKER vulnerabilities and 2 security hotspots identified by SonarCloud. All inputs from GitHub Actions are now passed via env variables and properly quoted in shell commands to prevent potential command injection attacks.
- Add checkout step before downloading artifacts in test-report job This fixes 'fatal: not a git repository' error from dorny/test-reporter - Pin dorny/test-reporter to v1.9.1 commit SHA for security The test-reporter action requires git to create check runs properly.
RossBugginsNHS
added a commit
to RossBugginsNHS/nhs-notify-digital-letters
that referenced
this pull request
Nov 21, 2025
- Add test_schema_handling.py to cover previously uncovered error paths - Test bundled schema copy errors and data schema handling - Test schema parsing errors and missing file scenarios - Test relationship update edge cases with missing files - Test import_all edge cases (missing dir, combined files, errors) - Test event content generation with various schema combinations - Coverage improved from 87% to 96% on import_asyncapi.py - Addresses SonarCloud coverage failure on new code in PR NHSDigital#111
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This is 301 lines of addition, the rest are package locks getting reordered.
Context
Type of changes
Checklist
Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.