@emyller emyller commented Jan 23, 2026

Our Code References feature is going GA! Starting with the GitHub integration.

Contributes to #5704.


TODO:

@emyller emyller self-assigned this Jan 23, 2026

vercel bot commented Jan 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments
Project Deployment Review Updated (UTC)
docs Ignored Ignored Preview Jan 27, 2026 11:07pm
flagsmith-frontend-preview Ignored Ignored Preview Jan 27, 2026 11:07pm
flagsmith-frontend-staging Ignored Ignored Preview Jan 27, 2026 11:07pm


@github-actions github-actions bot added the ci-cd Build, test and deployment related label Jan 23, 2026
@emyller emyller force-pushed the ci/use-flagsmith-ci branch from 1f89bdf to 6c4c103 Compare January 23, 2026 22:55
@github-actions github-actions bot added ci-cd Build, test and deployment related and removed ci-cd Build, test and deployment related labels Jan 23, 2026

codecov bot commented Jan 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.18%. Comparing base (a3f255d) to head (ad95118).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #6590   +/-   ##
=======================================
  Coverage   98.18%   98.18%           
=======================================
  Files        1295     1295           
  Lines       46920    46920           
=======================================
  Hits        46067    46067           
  Misses        853      853           


@github-actions github-actions bot added ci-cd Build, test and deployment related and removed ci-cd Build, test and deployment related labels Jan 23, 2026
@emyller emyller force-pushed the ci/use-flagsmith-ci branch from 1ebf6e0 to 629c325 Compare January 26, 2026 21:37
@github-actions github-actions bot added ci-cd Build, test and deployment related and removed ci-cd Build, test and deployment related labels Jan 26, 2026
@emyller emyller force-pushed the ci/use-flagsmith-ci branch from 629c325 to dc70900 Compare January 26, 2026 21:39
@github-actions github-actions bot added ci-cd Build, test and deployment related and removed ci-cd Build, test and deployment related labels Jan 26, 2026
@emyller emyller force-pushed the ci/use-flagsmith-ci branch from dc70900 to 4280409 Compare January 27, 2026 14:58
@github-actions github-actions bot added ci-cd Build, test and deployment related and removed ci-cd Build, test and deployment related labels Jan 27, 2026
@emyller emyller force-pushed the ci/use-flagsmith-ci branch from 270009f to 2cbe52c Compare January 27, 2026 21:16
@github-actions github-actions bot added ci-cd Build, test and deployment related and removed ci-cd Build, test and deployment related labels Jan 27, 2026
@emyller emyller force-pushed the ci/use-flagsmith-ci branch from 2cbe52c to 05895a1 Compare January 27, 2026 21:19
@github-actions github-actions bot added ci-cd Build, test and deployment related and removed ci-cd Build, test and deployment related labels Jan 27, 2026
@emyller emyller force-pushed the ci/use-flagsmith-ci branch from 05895a1 to aebbcd0 Compare January 27, 2026 22:15
Comment on lines 11 to 18
    name: Collect
    uses: Flagsmith/ci/.github/workflows/collect-code-references.yml@feat/github-code-references-reusable-workflow
    with:
      flagsmith_project_id: 12
      flagsmith_admin_api_url: https://api.flagsmith.com
      exclude_patterns: node_modules,venv,.git,cache,build,htmlcov,docs,.json,tests
    secrets:
      flagsmith_admin_api_key: ${{ secrets.FLAGSMITH_CODE_REFERENCES_API_KEY }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 days ago

In general, the fix is to explicitly declare a permissions block that restricts the GITHUB_TOKEN to the minimal scopes required. This can be done at the workflow root (applies to all jobs) or at the job level (for a specific job). Since this workflow only defines a single job, either is acceptable; using a workflow-level permissions block is concise and clearly documents expectations for any future jobs added.

The safest change without altering existing behavior is to add a root-level permissions block just after the on: section, using read-only repository contents access as a baseline: contents: read. If the reusable workflow requires additional scopes (e.g., pull-requests: write), they can be added there, but we should not assume that from the snippet. Concretely, edit .github/workflows/platform-collect-code-references.yml to insert:

permissions:
  contents: read

between the on: block (lines 3–7) and the jobs: key (line 9). No imports or additional definitions are needed; this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/platform-collect-code-references.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/platform-collect-code-references.yml b/.github/workflows/platform-collect-code-references.yml
--- a/.github/workflows/platform-collect-code-references.yml
+++ b/.github/workflows/platform-collect-code-references.yml
@@ -6,6 +6,9 @@
   workflow_dispatch:
   pull_request:  # DROPME
 
+permissions:
+  contents: read
+
 jobs:
   collect-code-references:
     name: Collect
EOF
@@ -6,6 +6,9 @@
workflow_dispatch:
pull_request: # DROPME

permissions:
contents: read

jobs:
collect-code-references:
name: Collect
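Review bot: the context line `pull_request:  # DROPME` directly above the added block is still present, so the workflow keeps running on every pull request; remove that trigger before merge. The root-level `permissions:` block with `contents: read` also caps the token for the `collect-code-references` job, so confirm with a run that the job needs nothing beyond `contents: read`, and if it does, grant the extra scope on that job rather than widening the root block.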
Copilot is powered by AI and may make mistakes. Always verify output.
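The check behind the alert above, as an added example that is not part of this thread or of the Flagsmith repository: a small indentation-based scan (not a full YAML parser, and not CodeQL's implementation) that lists jobs whose GITHUB_TOKEN is limited neither at the workflow root nor on the job itself. The sample workflow is constructed from the fragments quoted in this thread, and `jobs_without_permissions`, `BEFORE`, `AFTER` and `JOB_LEVEL` are names chosen here.

```python
import re

# "key:" at the start of a mapping line, with its indentation captured.
KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):")

def jobs_without_permissions(workflow_text):
    """Jobs limited by neither a root-level nor a job-level permissions block."""
    has_root = in_jobs = False
    job_indent = child_indent = current = None
    own = {}  # job name -> job declares its own permissions
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue  # blank lines, comments, list items
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            in_jobs, current = key == "jobs", None
            has_root = has_root or key == "permissions"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent  # indentation of job names
            if indent == job_indent:
                current, child_indent = key, None
                own[key] = False
            elif current is not None:
                if child_indent is None:
                    child_indent = indent  # direct children of the job
                if indent == child_indent and key == "permissions":
                    own[current] = True
    return [] if has_root else [job for job, ok in own.items() if not ok]

# Constructed sample, assembled from the fragments quoted in this thread.
BEFORE = """\
on:
  workflow_dispatch:
  pull_request:  # DROPME

jobs:
  collect-code-references:
    name: Collect
    uses: Flagsmith/ci/.github/workflows/collect-code-references.yml@feat/github-code-references-reusable-workflow
    with:
      flagsmith_project_id: 12
"""
AFTER = BEFORE.replace("jobs:\n", "permissions:\n  contents: read\n\njobs:\n", 1)
JOB_LEVEL = BEFORE.replace("with:\n", "permissions:\n      contents: read\n    with:\n", 1)

if __name__ == "__main__":
    print([jobs_without_permissions(t) for t in (BEFORE, AFTER, JOB_LEVEL)])
```

A `permissions` key nested deeper than the job's direct children (for example under `with:`) is deliberately not counted as a job-level block.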
@github-actions github-actions bot added ci-cd Build, test and deployment related and removed ci-cd Build, test and deployment related labels Jan 27, 2026
@emyller emyller force-pushed the ci/use-flagsmith-ci branch from aebbcd0 to 43db6aa Compare January 27, 2026 23:07
@github-actions github-actions bot added ci-cd Build, test and deployment related and removed ci-cd Build, test and deployment related labels Jan 27, 2026