Knip CI - II

[0x4007]

1. Please move knip.ts into .github/workflows
2. Fix the auth permissions issue ideally by adjusting the CI settings or at most by setting up a basic github app with minimal permissions to write a comment to pull requests

Related ubiquity/audit.ubq.fi#2 (comment)

[gentlementlegen]

/start

[ubiquibot]

Deadline	Wed, Mar 6, 6:24 AM UTC
Registered Wallet	0x0fC1b909ba9265A846b82CF4CE352fc3e7EeB2ED

Tips:

• Use /wallet 0x0000...0000 if you want to update your registered payment wallet address.
• Be sure to open a draft pull request as soon as possible to communicate updates on your progress.
• Be sure to provide timely updates to us when requested, or you will be automatically unassigned from the task.

[gentlementlegen]

More context about what is going on:
On pull-request events, GitHub actually sets the GITHUB_TOKEN to read-only, to avoid external workflows to run and either break the repo, or steal private tokens etc, as a security measure. Problem is, some of our workflows require write access to work properly. I tried changing the event to pull_request_target, difference being that the Action runs inside the base repository context and not the source one. In such case GitHub does populate the token properly. I don't think I can test it without merging it first and see if the issue is solved.

More reading here:

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

[0x4007]

Please feel free to make a dedicated GitHub app with the name ubiquibot-knip

Copy the continuous deploys bot style naming

You can make it with minimal permissions to achieve its objective. It's pretty easy to do.

Or maybe we can recycle the bot for pull request checks and rename it something more general

[ubiquibot]

+ Evaluating results. Please wait...

[ubiquibot]

[ 26 WXDAI ]

@pavlovcik

Contributions Overview

View	Contribution	Count	Reward
Issue	Specification	1	13
Issue	Comment	1	12
Review	Comment	1	1

Conversation Incentives

Comment	Formatting	Relevance	Reward
1. Please move knip.ts into `.github/workflows` 2. Fix the aut...	13 li: count: 2 score: "2" words: 40 code: count: 1 score: "1" words: 2	1	13
Please feel free to make a dedicated GitHub app with the name `u...	12 code: count: 1 score: "1" words: 2	0.83	12
You can rebase and test. ...	1	0.52	1

[ 118.5 WXDAI ]

@FernandVEYRIER

Contributions Overview

View	Contribution	Count	Reward
Issue	Task	1	100
Issue	Comment	1	0
Issue	Comment	1	13.3
Review	Comment	1	2.6
Review	Comment	1	2.6

Conversation Incentives

Comment	Formatting	Relevance	Reward
More context about what is going on: On pull-request events, Gi...	-	0.85	-
More context about what is going on: On pull-request events, Gi...	13.3	0.85	13.3
I don't think I can test it before it's merged, since it has to ...	2.6	0.31	2.6
I don't think I can test it before it's merged, since it has to ...	2.6	0.31	2.6

[gentlementlegen]

@pavlovcik Let's keep an eye on this one for the next pull request opening in the repository.
https://github.com/ubiquity/ts-template/actions/workflows/knip.yml

[0x4007]

I re-ran the failed run and it didn't work. https://github.com/ubiquity/ts-template/actions/runs/8167718696/job/22329209142

[gentlementlegen]

And I've seen that you triggered it manually but this cannot be tested that way. The reason being that the instigator is:

Secret source: Actions

So it gives full permission to the Github token.
And the reason why it failed:

Error: 🧨 Failed: knip-reporter currently only supports 'pull_request' events, current event: workflow_dispatch
Error: 📚 Stack: Error: knip-reporter currently only supports 'pull_request' events, current event: workflow_dispatch
    at run3 (file:///home/runner/work/_actions/Codex-/knip-reporter/v2/dist/index.mjs:28078:13)
    at file:///home/runner/work/_actions/Codex-/knip-reporter/v2/dist/index.mjs:28125:8
    at file:///home/runner/work/_actions/Codex-/knip-reporter/v2/dist/index.mjs:28125:15
    at ModuleJob.run (node:internal/modules/esm/module_job:[21](https://github.com/ubiquity/ts-template/actions/runs/8167960687/job/22329201585#step:5:22)7:25)
    at async ModuleLoader.import (node:internal/modules/esm/loader:316:[24](https://github.com/ubiquity/ts-template/actions/runs/8167960687/job/22329201585#step:5:25))
    at async loadESM (node:internal/process/esm_loader:34:7)
    at async handleMainPromise (node:internal/modules/run_main:66:12)
Error: Error: knip-reporter currently only supports 'pull_request' events, current event: workflow_dispatch

[0x4007]

Check the other one. I did two runs concurrently. One was a new run, one was a re-run.

[gentlementlegen]

@pavlovcik The Action cannot be triggered even on a rerun, because the context is different.
Testing pull request succeeds:
#27
(the reason of the failure is because Knip actually found some issues in the code)