feat: warn if baml exec point does not match PATH #2918
base: canary
| name: "wasm-pack test" | ||
| runs-on: ubuntu-latest | ||
| if: ${{ inputs.code_changed == 'true' || inputs.run_all }} | ||
| timeout-minutes: 15 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - uses: Swatinem/rust-cache@v2 | ||
| with: | ||
| workspaces: "baml_language -> target" | ||
|
|
||
| - name: "Install Rust toolchain" | ||
| run: | | ||
| rustup show | ||
| rustup target add wasm32-unknown-unknown | ||
| working-directory: baml_language | ||
|
|
||
| - name: "Install wasm-pack" | ||
| uses: taiki-e/install-action@v2 | ||
| with: | ||
| tool: wasm-pack | ||
|
|
||
| - name: "Run wasm-pack tests (baml_playground_wasm)" | ||
| run: wasm-pack test --node crates/baml_playground_wasm | ||
| working-directory: baml_language |
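Review bot: the `if:` on this job compares `inputs.code_changed` to the string `'true'` while using `inputs.run_all` as a bare boolean; if `code_changed` is declared with `type: boolean` (the inputs block of this file declares at least one boolean input, as the autofix hunk for it below shows), `inputs.code_changed == 'true'` is always false, because GitHub coerces mixed-type comparisons to numbers and the string `'true'` becomes NaN, so the job would only run when `run_all` is set. Check the declared type and make both operands the same kind, e.g. `if: ${{ inputs.code_changed || inputs.run_all }}` for boolean inputs. On the security side, there is no `permissions:` block, so `GITHUB_TOKEN` arrives with whatever the caller grants, and `Swatinem/rust-cache@v2` and `taiki-e/install-action@v2` are referenced by mutable major tags that their owners can repoint at any time; pin third-party actions to a full commit SHA with the tag in a trailing comment (`uses: taiki-e/install-action@<commit-sha> # v2`). CodeQL only flags the third-party owners, but pinning `actions/checkout@v4` the same way costs nothing. `persist-credentials: false` on the checkout is correct and should stay.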
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 10 days ago)
In general, to fix this kind of issue you add a permissions block either at the top level of the workflow (to apply to all jobs) or within the specific job. The block should grant only the minimal scopes required (often contents: read for simple CI/test workflows).
For this workflow, the single best fix is to add a workflow-level permissions block granting only contents: read. This will apply to the wasm-pack-test job and any future jobs that do not override it, and it should not change existing behavior because the steps only read the repository and run tests. Concretely, in .github/workflows/wasm-pack-tests.reusable.yaml, insert:
permissions:
  contents: read

near the top, after the on: section (or after concurrency: if you prefer), while keeping indentation consistent with other top-level keys. No additional imports or definitions are needed; it is purely a YAML configuration change.
| @@ -10,6 +10,9 @@ | ||
| required: true | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }}-wasm-pack-tests | ||
| cancel-in-progress: true |
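Review bot: a root-level `permissions:` is the right place for this, but in a reusable workflow (the `.reusable.yaml` name and the `required:`/`type:` input keys above show this file is invoked via `workflow_call`) the block can only narrow the token the caller passes in, never widen it, so the calling workflow's own `permissions:` needs the same `contents: read` review for this finding to mean anything in practice. Keep the key at column 0 as the hunk shows: `permissions` is not a valid key under `on: workflow_call:`, and a mis-indented copy fails workflow validation rather than silently doing nothing. Unrelated but worth a conscious decision: the `concurrency` group keyed on `github.ref` with `cancel-in-progress: true` also cancels in-flight runs on the shared `canary` base branch when pushes land back to back, which is usually only wanted for PR refs.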
| with: | ||
| persist-credentials: false | ||
|
|
||
| - uses: Swatinem/rust-cache@v2 |
Code scanning / CodeQL: Unpinned tag for a non-immutable Action in workflow (Medium, Uses step)
| working-directory: baml_language | ||
|
|
||
| - name: "Install wasm-pack" | ||
| uses: taiki-e/install-action@v2 |
Code scanning / CodeQL: Unpinned tag for a non-immutable Action in workflow (Medium, Uses step)
| name: "Unit Tests (jsdom)" | ||
| runs-on: ubuntu-latest | ||
| if: ${{ inputs.code_changed == 'true' || inputs.run_all }} | ||
| timeout-minutes: 10 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: "Setup pnpm" | ||
| uses: pnpm/action-setup@v4 | ||
| with: | ||
| version: 9 | ||
|
|
||
| - name: "Setup Node.js" | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20" | ||
| cache: "pnpm" | ||
| cache-dependency-path: typescript2/pnpm-lock.yaml | ||
|
|
||
| - name: "Install dependencies" | ||
| run: pnpm install --frozen-lockfile | ||
| working-directory: typescript2 | ||
|
|
||
| - uses: Swatinem/rust-cache@v2 | ||
| with: | ||
| workspaces: "baml_language -> target" | ||
|
|
||
| - name: "Install Rust toolchain" | ||
| run: | | ||
| rustup show | ||
| rustup target add wasm32-unknown-unknown | ||
| working-directory: baml_language | ||
|
|
||
| - name: "Install wasm-pack" | ||
| uses: taiki-e/install-action@v2 | ||
| with: | ||
| tool: wasm-pack | ||
|
|
||
| - name: "Build WASM" | ||
| run: pnpm --filter pkg-playground build:wasm | ||
| working-directory: typescript2 | ||
|
|
||
| - name: "Run unit tests" | ||
| run: pnpm --filter app-vscode-webview test:unit:run | ||
| working-directory: typescript2 | ||
|
|
||
| browser-tests: |
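Review bot: the `Setup pnpm` step is correctly ordered before `actions/setup-node@v4` with `cache: "pnpm"`, which needs the pnpm binary on PATH to compute its cache key from `typescript2/pnpm-lock.yaml`, and `pnpm install --frozen-lockfile` is the right mode for CI. The rest of the job (rust-cache, toolchain, wasm-pack, `build:wasm`) is duplicated verbatim in `browser-tests` below; building the WASM once in a job that uploads it as an artifact would halve the number of third-party action references that need SHA pinning (`pnpm/action-setup@v4`, `Swatinem/rust-cache@v2` and `taiki-e/install-action@v2` are all mutable tags here) and remove a redundant Rust build from the critical path. The missing `permissions:` block flagged by CodeQL after this hunk applies to the workflow as a whole, not just this job.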
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 10 days ago)
To fix the problem, explicitly restrict the GITHUB_TOKEN permissions used by this workflow. The safest approach is to add a permissions block at the workflow root so it applies to all jobs unless overridden. Based on the current steps, the jobs only need to read the repository contents (for actions/checkout), and do not need any write scopes or other resource permissions.
Concretely:
- Edit .github/workflows/webview-tests.reusable.yaml.
- Add a root-level permissions: block after the on: section (before concurrency:), setting contents: read.
- No other permissions or changes to steps are required, since there is no evidence of needing write access or other scopes.
This keeps existing functionality intact while ensuring least-privilege for the GITHUB_TOKEN in both unit-tests and browser-tests jobs.
| @@ -10,6 +10,9 @@ | ||
| required: true | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }}-webview-tests | ||
| cancel-in-progress: true |
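Review bot: the root block is the right default for both jobs in this file, but if `browser-tests` later needs to publish Playwright results (for example `pull-requests: write` for a report comment or `checks: write` for annotations), grant that at the job level under `browser-tests:` rather than widening this root block, so `unit-tests` keeps `contents: read` only. As with the wasm-pack workflow, this is a ceiling relative to what the caller passes in; the workflow that invokes `webview-tests.reusable.yaml` must not hand it `write-all` for the setting to have effect.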
| persist-credentials: false | ||
|
|
||
| - name: "Setup pnpm" | ||
| uses: pnpm/action-setup@v4 |
Code scanning / CodeQL: Unpinned tag for a non-immutable Action in workflow (Medium, Uses step)
| working-directory: baml_language | ||
|
|
||
| - name: "Install wasm-pack" | ||
| uses: taiki-e/install-action@v2 |
Code scanning / CodeQL: Unpinned tag for a non-immutable Action in workflow (Medium, Uses step)
| name: "Browser Tests (Playwright)" | ||
| runs-on: ubuntu-latest | ||
| if: ${{ inputs.code_changed == 'true' || inputs.run_all }} | ||
| timeout-minutes: 15 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: "Setup pnpm" | ||
| uses: pnpm/action-setup@v4 | ||
| with: | ||
| version: 9 | ||
|
|
||
| - name: "Setup Node.js" | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20" | ||
| cache: "pnpm" | ||
| cache-dependency-path: typescript2/pnpm-lock.yaml | ||
|
|
||
| - name: "Install dependencies" | ||
| run: pnpm install --frozen-lockfile | ||
| working-directory: typescript2 | ||
|
|
||
| - uses: Swatinem/rust-cache@v2 | ||
| with: | ||
| workspaces: "baml_language -> target" | ||
|
|
||
| - name: "Install Rust toolchain" | ||
| run: | | ||
| rustup show | ||
| rustup target add wasm32-unknown-unknown | ||
| working-directory: baml_language | ||
|
|
||
| - name: "Install wasm-pack" | ||
| uses: taiki-e/install-action@v2 | ||
| with: | ||
| tool: wasm-pack | ||
|
|
||
| - name: "Build WASM" | ||
| run: pnpm --filter pkg-playground build:wasm | ||
| working-directory: typescript2 | ||
|
|
||
| - name: "Install Playwright browsers" | ||
| run: npx playwright install chromium | ||
| working-directory: typescript2/app-vscode-webview | ||
|
|
||
| - name: "Run browser tests" | ||
| run: pnpm --filter app-vscode-webview test:browser:run | ||
| working-directory: typescript2 |
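Review bot: `npx playwright install chromium` in `typescript2/app-vscode-webview` resolves the locally installed `playwright` only if the workspace package declares it as a dependency; if it does not, `npx` in a non-interactive CI run fetches `playwright` from the registry without prompting, bypassing the lockfile that `pnpm install --frozen-lockfile` just enforced and pulling an unpinned browser-download version with it. Prefer `pnpm exec playwright install chromium` (or `pnpm --filter app-vscode-webview exec playwright install chromium`, matching the filter style of the test step), which errors instead of fetching when the binary is absent. The unpinned-tag and missing-`permissions:` points raised on the earlier jobs apply to this one unchanged.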
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 10 days ago)
In general, to fix this kind of issue you explicitly define a permissions block for the workflow or for individual jobs, restricting the GITHUB_TOKEN to the least privileges needed. For pure build/test workflows that only need to read the repository, contents: read is usually sufficient.
For this specific file, the simplest fix that does not change functionality is to add a root-level permissions block (so it applies to all jobs) with contents: read. No steps in unit-tests or browser-tests need write access to GitHub resources, so this should not break anything. The best place is right after the on: block and before concurrency: to keep the YAML well-organized. No imports or additional methods are needed; this is a pure YAML configuration change within .github/workflows/webview-tests.reusable.yaml.
| @@ -10,6 +10,9 @@ | ||
| required: true | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }}-webview-tests | ||
| cancel-in-progress: true |
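Review bot: this is the identical three-line change to `webview-tests.reusable.yaml` already suggested above; CodeQL raises the missing-permissions finding once per job, which is why it appears for both `unit-tests` and `browser-tests`. One insertion at the top of the file clears both findings, so apply it once and do not add a second `permissions:` key, which would be a duplicate-key YAML error.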
| persist-credentials: false | ||
|
|
||
| - name: "Setup pnpm" | ||
| uses: pnpm/action-setup@v4 |
Code scanning / CodeQL: Unpinned tag for a non-immutable Action in workflow (Medium, Uses step)
| run: pnpm install --frozen-lockfile | ||
| working-directory: typescript2 | ||
|
|
||
| - uses: Swatinem/rust-cache@v2 |
Code scanning / CodeQL: Unpinned tag for a non-immutable Action in workflow (Medium, Uses step)
| working-directory: baml_language | ||
|
|
||
| - name: "Install wasm-pack" | ||
| uses: taiki-e/install-action@v2 |
Code scanning / CodeQL: Unpinned tag for a non-immutable Action in workflow (Medium, Uses step)
CodSpeed Performance Report: Merging #2918 will not alter performance.
Footnotes
https://discord.com/channels/1119368998161752075/1456644449466581125
[2:46 PM]baml-sam: Aha! I have it!
[2:47 PM]baml-sam: If you're inside the venv, and you run baml-cli init before baml-py is installed, the shell will cache the path to the global baml-cli install
[2:49 PM]baml-sam: After you install baml-py, the shell will continue to use the cached global baml-cli
[2:50 PM]baml-sam: Shell path resolution caching does use PATH in the cache key, but the cache key doesn't respect filesystem state
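The failure baml-sam describes, a shell starting a stale hashed `baml-cli` while PATH now prefers the venv copy, is what the warning named in this PR's title is meant to surface. As an added example (not the PR's own code and not BAML's API), the Rust program below implements that check generically: it resolves the running binary's file name through PATH the way a shell does on a cache miss and compares the result, after symlink resolution, with `std::env::current_exe()`. The `baml-cli` name, the `ExecCheck` type and the venv/global directory layout are illustrative assumptions.

```rust
use std::env;
use std::fs;
use std::path::{Path, PathBuf};

/// Return the first directory in `path_var` that holds an executable named
/// `name`, i.e. what the shell would resolve on a hash-cache miss.
/// `path_var` is a PATH-style string ("a:b" on Unix, "a;b" on Windows).
pub fn find_in_path(name: &str, path_var: &str) -> Option<PathBuf> {
    env::split_paths(path_var)
        .map(|dir| dir.join(name))
        .find(|candidate| is_executable(candidate))
}

#[cfg(unix)]
fn is_executable(p: &Path) -> bool {
    use std::os::unix::fs::PermissionsExt;
    fs::metadata(p)
        .map(|m| m.is_file() && m.permissions().mode() & 0o111 != 0)
        .unwrap_or(false)
}

#[cfg(not(unix))]
fn is_executable(p: &Path) -> bool {
    p.is_file()
}

/// True when both paths name the same file after resolving symlinks
/// (a venv often exposes the binary through a symlink or another prefix).
fn same_file(a: &Path, b: &Path) -> bool {
    match (a.canonicalize(), b.canonicalize()) {
        (Ok(x), Ok(y)) => x == y,
        _ => a == b,
    }
}

/// Outcome of comparing the running binary with what PATH resolves right now.
/// (Illustrative type, not part of the project.)
#[derive(Debug, PartialEq)]
pub enum ExecCheck {
    /// PATH resolves to the binary that is running.
    Consistent,
    /// PATH resolves to a different binary: a stale shell hash entry, or a
    /// global install shadowing the venv one.
    Mismatch { running: PathBuf, path_resolves_to: PathBuf },
    /// The binary's name is not on PATH at all (started by absolute path).
    NotOnPath { running: PathBuf },
}

pub fn check_exec_against_path(current_exe: &Path, path_var: &str) -> ExecCheck {
    let running = current_exe.to_path_buf();
    let name = match current_exe.file_name().and_then(|n| n.to_str()) {
        Some(n) => n,
        None => return ExecCheck::NotOnPath { running },
    };
    match find_in_path(name, path_var) {
        None => ExecCheck::NotOnPath { running },
        Some(resolved) if same_file(current_exe, &resolved) => ExecCheck::Consistent,
        Some(resolved) => ExecCheck::Mismatch { running, path_resolves_to: resolved },
    }
}

/// Render the check as a one-line warning, or None when nothing is wrong.
pub fn warning_for(check: &ExecCheck) -> Option<String> {
    match check {
        ExecCheck::Consistent => None,
        ExecCheck::Mismatch { running, path_resolves_to } => Some(format!(
            "running {} but PATH resolves to {}; your shell may be using a cached \
             location (run `hash -r` in bash or `rehash` in zsh), or a global \
             install shadows the one in your venv",
            running.display(),
            path_resolves_to.display()
        )),
        ExecCheck::NotOnPath { running } => Some(format!(
            "running {} which is not on PATH; typing its name in this shell will \
             not start this binary",
            running.display()
        )),
    }
}

fn main() {
    let exe = env::current_exe().expect("cannot determine current executable");
    let path = env::var("PATH").unwrap_or_default();
    match warning_for(&check_exec_against_path(&exe, &path)) {
        Some(msg) => eprintln!("warning: {msg}"),
        None => println!("ok: PATH resolves to {}", exe.display()),
    }
}
```

Each shell process keeps its own command-hash table, so a binary can never inspect that cache directly; all it can observe is that PATH now disagrees with where it is actually running, which is precisely the state the Discord thread ended up in. The fix on the shell side is `hash -r` in bash or `rehash` in zsh, and `type -a baml-cli` lists every candidate in PATH order to confirm which copy wins.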