doctrine: wire CI and fix existing violations#110
Conversation
absoludity
force-pushed
the
doctrine-test-5
branch
2 times, most recently
from
85c8056 to
250b725
Compare
absoludity
force-pushed
the
doctrine-test-4
branch
from
0d402f5 to
8aa5bc0
Compare
absoludity
force-pushed
the
doctrine-test-5
branch
from
e320ccb to
2b35739
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Doctrine | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.12" | ||
| - name: Install dependencies | ||
| run: pip install -r requirements-dev.txt | ||
| - name: Doctrine tests | ||
| run: PYTHONPATH=src pytest src/julee/core/doctrine/ |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 3 months ago
To fix this, explicitly restrict the GITHUB_TOKEN permissions in the workflow. The jobs only check out code and run Python tooling, so they only need read access to repository contents. The cleanest fix without changing behavior is to add a single permissions block at the workflow root (top level, alongside name and on). This will apply to all jobs (lint, unit, doctrine) unless overridden locally.
Concretely:
- Edit
.github/workflows/python.yml. - Insert:
permissions:
contents: readbetween the name: Python and the on: block (e.g., after line 1 or 2).
No imports or other definitions are required, and no steps or jobs need adjustment. This both documents and enforces least-privilege read-only access for the workflow.
| @@ -1,5 +1,8 @@ | ||
| name: Python | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths: |
2 participants
Follows #109 (which was part of a series adding the initial doctrine tests).
The doctrine tests have no CI coverage until this PR — they exist but nothing runs them automatically. This adds a dedicated job so violations are caught before merge.
Four use cases in the existing codebase pre-date the doctrine rules and were never updated to conform. Without fixing them the CI job would fail immediately on first run, defeating the purpose of adding it.
The initial doctrine tests only check for the existence of Request/Response classes and an execute() method — they don't verify that execute() actually uses them. This meant a Response class could be present but never returned, and the tests would still pass. Two new tests enforce the full contract: execute() must declare the matching Request as its parameter and the matching Response as its return type.
With the signature checks in place, the scanner's blind spot became visible: the
contribdirectory was listed in RESERVED_WORDS (correctly — no package should be named contrib), but the scanner used that list to skip directories entirely rather than just to exclude them from being bounded contexts themselves. This meant contrib/polling was never scanned, so PollDataUseCase was invisible to the doctrine tests. The fix lets reserved-word directories still be treated as nested solution containers.