[CLIENT-4350] Add runtime flag /RTC1 to raise an error when uninitialized read occurs#990
Conversation
…reter. This build will use /RTC1 to check for uninitialized reads.
| runs-on: ["self-hosted", "Windows", "X64"] | ||
| steps: | ||
| - name: Harden the runner (Audit all outbound calls) | ||
| uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 | ||
| with: | ||
| egress-policy: audit | ||
|
|
||
| - name: Get tests and Github action scripts | ||
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | ||
| with: | ||
| ref: ${{ inputs.use_jfrog_builds && inputs.jfrog-build-version-to-test || github.sha }} | ||
|
|
||
| - run: Invoke-WebRequest -UseBasicParsing -Uri "https://raw.githubusercontent.com/pyenv-win/pyenv-win/master/pyenv-win/install-pyenv-win.ps1" -OutFile "./install-pyenv-win.ps1"; &"./install-pyenv-win.ps1" | ||
|
|
||
| - run: | | ||
| pyenv --version | ||
| pyenv install --debug 3.10 | ||
|
|
||
| - uses: ./.github/actions/run-ee-server | ||
| with: | ||
| registry-name: ${{ inputs.registry-name }} | ||
| registry-username: ${{ env.REGISTRY_USERNAME }} | ||
| registry-password: ${{ env.REGISTRY_PASSWORD }} | ||
| image-name: ${{ inputs.image-name }} | ||
| server-tag: ${{ inputs.server-tag }} | ||
| where-is-client-connecting-from: 'remote-connection' | ||
|
|
||
| - name: Install wheel | ||
| run: | | ||
| python3-dbg -m pip install build -c requirements.txt | ||
| python3-dbg -m pip -m build | ||
| python3-dbg -m pip install dist/*.whl | ||
|
|
||
| - name: Install test dependencies | ||
| run: python3-dbg -m pip install pytest -c requirements.txt | ||
| working-directory: test | ||
|
|
||
| - name: Run tests | ||
| run: python3-dbg -m pytest new_tests/ | ||
| working-directory: test |
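Review bot: the "Install wheel" step runs `python3-dbg -m pip -m build`, which hands `-m build` to pip instead of the interpreter and will fail; it should read `python3-dbg -m build`. In the same region, the pyenv-win installer is fetched from the `master` branch of raw.githubusercontent.com and executed in the same step, so unlike the SHA-pinned `harden-runner` and `checkout` actions it is an unpinned, unverified dependency of the build; pinning the script to a tag or commit and checking its hash before invoking it keeps the supply-chain posture consistent (`egress-policy: audit` only logs such downloads, it does not block them). Two smaller checks: `python3-dbg` is the Debian/Ubuntu executable name for a debug interpreter, while a CPython debug build on Windows is conventionally `python_d.exe`, so confirm the name resolves on the self-hosted runner; and `pip install dist/*.whl` relies on the shell to expand the glob, which PowerShell does not do for native executables.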
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
In general, the fix is to explicitly declare permissions: either at the root of the workflow (applies to all jobs without their own block) or under the specific job, setting it to the minimum needed scopes. For a typical build-and-test workflow that only needs to read source code and, possibly, read packages, contents: read (and optionally packages: read) is sufficient.
For this specific workflow, we should add a root-level permissions: block with least-privilege settings. All shown steps only require reading repository contents. They do not push commits, create releases, modify issues or PRs, or interact with environments that require token writes. Therefore, the safest minimal explicit configuration is:
permissions:
  contents: read
Place this immediately under the on: block (after line 3 or 4), aligned to the same indentation level as on: and jobs:. This ensures all jobs—including windows-python-dbg—inherit these read-only permissions for GITHUB_TOKEN. No imports or additional code structures are needed since this is a YAML workflow configuration change only, and it preserves existing functionality while enforcing least privilege.
| @@ -3,6 +3,9 @@ | ||
| workflow_dispatch: | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| windows-python-dbg: | ||
| runs-on: ["self-hosted", "Windows", "X64"] |
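Review bot: declaring `permissions` here alone does not bound the token when this file runs as a reusable workflow (it is consumed by the `windows-dbg` job in stage-tests.yml via `uses:`): GITHUB_TOKEN permissions are passed down from the caller and a called workflow can only downgrade them, never raise them, so stage-tests.yml needs its own explicit block for the least-privilege intent to hold end to end. Otherwise the placement between `pull_request:` and `jobs:` at top level is right, and `contents: read` is sufficient for the visible checkout, build and test steps, which never write to the repository.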
| working-directory: test | ||
|
|
||
| windows-dbg: | ||
| uses: .github/workflows/build-and-run-dev-tests-with-windows-python-dbg.yml |
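Review bot: the `uses:` reference `.github/workflows/build-and-run-dev-tests-with-windows-python-dbg.yml` is missing the leading `./` that a same-repository reusable workflow requires; without it the value is parsed as the `{owner}/{repo}/.github/workflows/{file}@{ref}` form and fails for lack of a ref. Compare the local action reference `./.github/actions/run-ee-server` above, which has the prefix. Also worth checking: the caller defines `REGISTRY_USERNAME`/`REGISTRY_PASSWORD` under `env:`, but the called workflow reads `${{ env.REGISTRY_USERNAME }}` and `${{ env.REGISTRY_PASSWORD }}`; a caller's `env` context is not propagated to a called reusable workflow, so unless the called file sets these itself they arrive empty and should be passed as `secrets:` (or `secrets: inherit`) instead.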
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 days ago
In general, the problem is fixed by adding an explicit permissions: block to the workflow or to the specific job so that the GITHUB_TOKEN is limited to the minimum required scope, typically contents: read (and other read scopes if needed). This documents the workflow’s expectations and prevents accidental elevation if repository or organization defaults change.
For this specific workflow, the smallest, least intrusive fix is to add a permissions: block at the root level of .github/workflows/stage-tests.yml, right after the on: definition. That block will apply to all jobs that do not override permissions, including windows-dbg. Since the shown jobs only check out code, run tests, pull Docker images, and use reusable workflows, they only need read access to repository contents; write permissions are not required. Therefore, we can safely set permissions: contents: read globally. No imports or additional methods are needed because this is a YAML configuration change only.
Concretely, in .github/workflows/stage-tests.yml, add:
permissions:
  contents: read
immediately after the on: block (after the workflow_call: configuration). This will satisfy CodeQL’s requirement and enforce least privilege for the GITHUB_TOKEN used by all jobs, including the windows-dbg job that reuses another workflow.
| @@ -41,6 +41,9 @@ | ||
| description: 'Test macOS x86 wheels (unstable)' | ||
|
|
||
| env: | ||
|
|
||
| permissions: | ||
| contents: read | ||
| REGISTRY_USERNAME: ${{ inputs.registry-name == 'docker.io' && secrets.DOCKER_HUB_BOT_USERNAME || secrets.QE_DOCKER_REGISTRY_USERNAME }} | ||
| REGISTRY_PASSWORD: ${{ inputs.registry-name == 'docker.io' && secrets.DOCKER_HUB_BOT_PW || secrets.QE_DOCKER_REGISTRY_PASSWORD }} | ||
|
|
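Review bot: the inserted `permissions:` / `contents: read` lines land between `env:` and its `REGISTRY_USERNAME` / `REGISTRY_PASSWORD` entries, splitting the env mapping: depending on indentation either `permissions` becomes a nested mapping inside `env` (not a valid environment variable) or the two registry keys are detached from `env` and become unknown top-level keys. Move the block so it sits before `env:` or after the complete `env:` mapping, at the same top-level indentation as `env:` and `jobs:`, which is also where the accompanying text says it belongs (right after the on: / workflow_call: definition).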
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
##           dev     #990   +/-   ##
=======================================
  Coverage   83.48%   83.48%
=======================================
  Files          99       99
  Lines       14402    14402
=======================================
  Hits        12024    12024
  Misses       2378     2378
…re returning, but Start-Process does
…andalone installer is deprecated
No description provided.