Inherit from gov-codejson with tests #102
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| cache: 'npm' | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run tests | ||
| run: npm run test |
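Review bot: `uses: actions/checkout@v4` and `uses: actions/setup-node@v4` reference both actions by a mutable tag, so the code that runs in this job can change without any change to this file. Pin each `uses:` to the full commit SHA of the release you have reviewed and keep the tag in a trailing comment, so that an update to either action arrives as a reviewable diff.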
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 10 days ago
To fix the problem, add an explicit permissions block that limits the GITHUB_TOKEN to only what this workflow needs. This job only checks out code and runs tests, so it only needs read access to repository contents.
The best targeted fix is to add a permissions section to the test job, directly under runs-on: ubuntu-latest. This keeps the scope local to this job and does not affect any other workflows or jobs. The block should set contents: read, which is the minimal permission required for actions/checkout and read-only operations.
Concretely, in .github/workflows/test.yml, between lines 11 and 13, insert:
    permissions:
      contents: read
No imports or other definitions are required, as this is standard GitHub Actions YAML configuration.
| @@ -9,6 +9,8 @@ | ||
| jobs: | ||
| test: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Checkout repo |
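Review bot: the `permissions:` block sits under `test:`, so it covers this job only; a job added later under `jobs:` would fall back to the repository's default GITHUB_TOKEN permissions. Consider declaring `permissions:` with `contents: read` at the top level of the workflow and widening it per job only where a job needs more, so the read-only default applies to every job in the file.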
natalialuzuriaga
left a comment
Starting off the new year strong with this PR 🙌 Took a look and it all LGTM! This is such a tremendous addition that really eliminates the burden of keeping the zod validation in sync with the upstream schema. Also really appreciate the unit tests and the thorough coverage. Amazing job with this first PR of the year 🥳
One outstanding question I had is when and how often is generate-schema.ts run? Is this run manually by you or is this already run every time the program is built/bundled into a package?
The only issue is I am getting an error running npx ts-node src/scripts/generate-schema.ts: TypeError: Unknown file extension ".ts". I ran npm install and then specifically npm install ts-node. After looking into it, it may have to do with the configurations in the tsconfig files? Happy to pair with you if you are unable to reproduce the error.
| const response = await fetch(schemaURL); | ||
| const jsonSchema = (await response.json()) as JsonSchema; | ||
|
|
||
| let zodSourceCode = jsonSchemaToZod(jsonSchema); |
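Review bot: `await response.json()` is called without checking `response.ok`, and the result is cast with `as JsonSchema` rather than validated, so whatever JSON the server returns at `schemaURL` (including a JSON error body or an altered upstream document) is passed straight to `jsonSchemaToZod` and becomes generated source. Check `response.ok` and fail the script on a non-success status, and consider comparing the fetched body against a recorded digest, or pointing `schemaURL` at a fixed revision, so that an upstream change shows up as a deliberate, reviewable regeneration.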
Love it, it really is that easy 🙌
| it("accepts valid complete code.json", () => { | ||
| const result = CodeJSONSchema.safeParse(validCodeJSON); | ||
| // ============================================================================= | ||
| // USAGE TYPE ENUM |
Nice, this covers all the cases for usageType + exemptionText 🙌
Problem
The Zod validation schema was manually maintained, requiring us to keep it in sync with the gov-codejson schema. This created drift between our logic and the upstream, and added ongoing maintenance burden whenever the schema changed.
Solution
Replaced the manual schema with an auto-generated one.
Result
Schema validation now stays in sync with the gov-codejson, eliminating drift between codebase and upstream changes. This reduces the maintenance burden when schema updates occur since regenerating the types is now a single command.
How to Test
Run the schema generator
    npx ts-node src/scripts/generate-schema.ts
Run the unit tests
    npm test