
Create ngrok.yaml #137

Closed
bio-boris wants to merge 25 commits into develop from bio-boris-patch-1

Conversation

bio-boris (Collaborator) commented Apr 5, 2024

Don't use, in favor of printing out what you need using AI

@bio-boris bio-boris closed this Apr 5, 2024
@bio-boris bio-boris deleted the bio-boris-patch-1 branch April 5, 2024 22:00
@bio-boris bio-boris restored the bio-boris-patch-1 branch February 4, 2025 20:18
@bio-boris bio-boris reopened this Feb 4, 2025
@bio-boris bio-boris closed this Feb 4, 2025
@bio-boris bio-boris deleted the bio-boris-patch-1 branch February 4, 2025 20:22
@bio-boris bio-boris restored the bio-boris-patch-1 branch February 6, 2025 21:40
@bio-boris bio-boris deleted the bio-boris-patch-1 branch February 6, 2025 21:40
@bio-boris bio-boris restored the bio-boris-patch-1 branch February 6, 2025 21:40
@bio-boris bio-boris reopened this Feb 6, 2025
@bio-boris bio-boris closed this Mar 11, 2025
@bio-boris bio-boris deleted the bio-boris-patch-1 branch September 10, 2025 17:50
@bio-boris bio-boris restored the bio-boris-patch-1 branch April 1, 2026 17:53
@bio-boris bio-boris reopened this Apr 1, 2026
Copilot AI review requested due to automatic review settings April 1, 2026 17:54

Copilot AI left a comment


Pull request overview

Adds a new GitHub Actions workflow intended to enable remote debugging, and updates the existing PR build workflow by disabling Trivy scanning.

Changes:

  • Commented out the trivy-scans job in the PR build workflow.
  • Added a new workflow (ngrok.yaml) that starts an interactive upterm session on runner execution.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

Reviewed files:

  • .github/workflows/pr_build.yml: Disables (comments out) the Trivy scan job for PR builds.
  • .github/workflows/ngrok.yaml: Introduces a push-triggered workflow that checks out code and starts an upterm session, exporting several secrets into the environment.


Comment on lines +40 to +43
# trivy-scans:
# if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master' ) && github.event.pull_request.merged == false
# uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
# secrets: inherit

Copilot AI Apr 1, 2026


Trivy scanning job has been fully commented out, which removes vulnerability scanning from PR builds. If this is intended to be temporary, consider gating it behind an explicit opt-out input/label or fixing the underlying failure so the scans still run for eligible PRs.

Suggested change
# trivy-scans:
# if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master' ) && github.event.pull_request.merged == false
# uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
# secrets: inherit
trivy-scans:
if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master') && github.event.pull_request.merged == false && !contains(join(github.event.pull_request.labels.*.name, ','), 'skip-trivy-scan')
uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
secrets: inherit
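Review bot: the label-based opt-out in the suggested `if:` lets anyone who can apply the `skip-trivy-scan` label switch vulnerability scanning off for that PR, and the PR then stays unscanned on every later push; if a temporary escape hatch is really needed, tie it to something reviewers control (a `workflow_dispatch` input or a documented branch exception) and record the reason in the PR. Note also that `github.event.pull_request.labels` is only populated for `pull_request`-family events, so the `join(...)` evaluates to an empty string on any other trigger.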

Comment on lines +7 to +18
- uses: actions/checkout@v2

- name: Setup upterm session
uses: lhotari/action-upterm@v1
env:
KBASE_CI_TOKEN: ${{ secrets.KBASE_CI_TOKEN }}
KBASE_CI_TOKEN2: ${{ secrets.KBASE_CI_TOKEN2 }}
KBASE_TEST_TOKEN: ${{ secrets.KBASE_TEST_TOKEN }}
KBASE_TEST_TOKEN2: ${{ secrets.KBASE_TEST_TOKEN2 }}
KBASE_BOT_TOKEN_CI: ${{ secrets.KBASE_BOT_TOKEN_CI }}
KBASE_BOT_USER_CI: ${{ secrets.KBASE_BOT_USER_CI }}
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}

Copilot AI Apr 1, 2026


The steps: list is not indented correctly. The - uses: actions/checkout@v2 item (and following steps) must be nested under steps: (e.g., additional indentation) or the workflow YAML will be invalid and fail to load.

Suggested change
- uses: actions/checkout@v2
- name: Setup upterm session
uses: lhotari/action-upterm@v1
env:
KBASE_CI_TOKEN: ${{ secrets.KBASE_CI_TOKEN }}
KBASE_CI_TOKEN2: ${{ secrets.KBASE_CI_TOKEN2 }}
KBASE_TEST_TOKEN: ${{ secrets.KBASE_TEST_TOKEN }}
KBASE_TEST_TOKEN2: ${{ secrets.KBASE_TEST_TOKEN2 }}
KBASE_BOT_TOKEN_CI: ${{ secrets.KBASE_BOT_TOKEN_CI }}
KBASE_BOT_USER_CI: ${{ secrets.KBASE_BOT_USER_CI }}
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
- uses: actions/checkout@v2
- name: Setup upterm session
uses: lhotari/action-upterm@v1
env:
KBASE_CI_TOKEN: ${{ secrets.KBASE_CI_TOKEN }}
KBASE_CI_TOKEN2: ${{ secrets.KBASE_CI_TOKEN2 }}
KBASE_TEST_TOKEN: ${{ secrets.KBASE_TEST_TOKEN }}
KBASE_TEST_TOKEN2: ${{ secrets.KBASE_TEST_TOKEN2 }}
KBASE_BOT_TOKEN_CI: ${{ secrets.KBASE_BOT_TOKEN_CI }}
KBASE_BOT_USER_CI: ${{ secrets.KBASE_BOT_USER_CI }}
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
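Review bot: as rendered here the "before" and "after" halves of this suggestion are identical because the only difference is leading whitespace; the fix is to indent `- uses: actions/checkout@v2` and the following step one level deeper than `steps:`. Independently of indentation, `uses: lhotari/action-upterm@v1` is a floating major tag that is handed seven repository secrets through `env:`; pin it to a full-length commit SHA (with the version in a trailing comment) so that a moved tag cannot change what runs with those tokens.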

@@ -0,0 +1,18 @@
name: CI
on: [push]

Copilot AI Apr 1, 2026


This workflow is triggered on every push, but it sets up an interactive upterm session. That effectively creates a remote shell on every push and can be used to exfiltrate data; it should be restricted (e.g., workflow_dispatch only, and ideally limited to specific branches/actors).

Suggested change
on: [push]
on:
workflow_dispatch:
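Review bot: `workflow_dispatch` restricts who can start a session but says nothing about who can attach to it once the job is running; use the action's own access limiting (`limit-access-to-actor: true` is documented for lhotari/action-upterm, confirm it on the revision you pin) and put the job behind an `environment:` with required reviewers so that each live session is approved and logged. A `timeout-minutes:` on the job also keeps an unattended session from holding a runner open.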

KBASE_TEST_TOKEN2: ${{ secrets.KBASE_TEST_TOKEN2 }}
KBASE_BOT_TOKEN_CI: ${{ secrets.KBASE_BOT_TOKEN_CI }}
KBASE_BOT_USER_CI: ${{ secrets.KBASE_BOT_USER_CI }}
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}

Copilot AI Apr 1, 2026


Multiple long-lived secrets are exported into the environment of an interactive session. This materially increases the risk of secret exposure; avoid injecting these secrets into the upterm session (or switch to short-lived credentials / only provide the minimum required secret(s)).

Suggested change
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
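Review bot: the suggested change deletes only `GHCR_TOKEN`; the six `KBASE_*` secrets on the lines above it are still exported into the interactive session, so the comment's recommendation is not actually implemented by this suggestion. Remove the whole `env:` block from the upterm step, expose a token only in the specific step that needs it, and rotate any token that has already been exported into a session on an earlier run of this workflow.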

build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2

Copilot AI Apr 1, 2026


actions/checkout@v2 is outdated and has known issues compared to newer major versions. Update to the current supported actions/checkout@v4 unless there is a compatibility constraint.

Suggested change
- uses: actions/checkout@v2
- uses: actions/checkout@v4
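Review bot: `@v4` still tracks a floating major tag; for a workflow that exports repository secrets, pin `actions/checkout` to a full-length commit SHA with the version in a trailing comment so that upgrades are deliberate, reviewable changes rather than something that happens when the tag moves.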

@@ -0,0 +1,18 @@
name: CI

Copilot AI Apr 1, 2026


File/workflow naming is confusing: the workflow file is ngrok.yaml, but it configures an upterm session and the workflow name is the generic CI. Consider renaming the workflow/file (or adjusting the content) so it reflects its purpose and doesn't look like the primary CI pipeline.

Suggested change
name: CI
name: Upterm debug session (ngrok)

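The review comments above (trigger, secrets, action pinning, naming, permissions) folded into one hardened version of the debug workflow, as an added example that is not part of this PR or the kbase repositories; the `limit-access-to-actor` and `wait-timeout-minutes` inputs are as documented by lhotari/action-upterm (verify them against the revision you pin), the `debug` environment name is hypothetical, and the commit SHAs are placeholders.

```yaml
# Added example, not from the PR: a debug-session workflow that applies the
# review findings. SHAs are placeholders; replace with the real pinned revisions.
name: Upterm debug session     # descriptive, so it is not mistaken for the CI pipeline

on:
  workflow_dispatch:           # manual start only, never on push or pull_request
    inputs:
      reason:
        description: Why a live session is needed (kept in the run record)
        required: true

permissions:
  contents: read               # only what checkout needs; GITHUB_TOKEN gets nothing else

jobs:
  debug:
    runs-on: ubuntu-latest
    environment: debug         # hypothetical environment configured with required reviewers
    timeout-minutes: 60        # an unattended session cannot hold the runner open
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)

      - name: Setup upterm session
        uses: lhotari/action-upterm@0000000000000000000000000000000000000000 # v1 (placeholder SHA)
        with:
          limit-access-to-actor: true   # only the triggering user's SSH keys may attach
          wait-timeout-minutes: 10      # shut the server down if nobody connects
        # Deliberately no env: block. The KBASE_* and GHCR_TOKEN secrets from the
        # PR are not exported into the interactive shell; a step that truly needs
        # one token gets that single token and nothing more.
```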
@bio-boris bio-boris closed this Apr 1, 2026
@bio-boris bio-boris reopened this Apr 1, 2026
Comment on lines +6 to +22
runs-on: ubuntu-latest
env:
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
steps:
- name: Check token scopes
run: |
curl -sI \
-H "Authorization: Bearer $GHCR_TOKEN" \
https://api.github.com/user \
| grep -i "x-oauth-scopes\|x-accepted-oauth-scopes"

- name: Check token owner
run: |
curl -s \
-H "Authorization: Bearer $GHCR_TOKEN" \
https://api.github.com/user \
| jq '{login, type, site_admin}'
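Review bot: both steps write token metadata (granted scopes, owner login, `site_admin`) to the job log, and the autofix diff below shows this file now triggers on `pull_request`, so every PR run records what the token can do; GitHub masks the secret value itself but not information derived from it, which matters on a public repository. Also, `X-OAuth-Scopes` is sent for classic tokens; if the token is fine-grained or the header is absent, `grep` matches nothing, exits non-zero and fails the step. For a one-off inspection, run it from `workflow_dispatch` and, since neither step uses `GITHUB_TOKEN` or checks out code, give the job `permissions: {}`.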

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 8 days ago)

In general, this problem is fixed by explicitly declaring a permissions block either at the workflow root (applies to all jobs) or per-job, and setting it to the minimal access needed. For this specific workflow, the job only uses a custom secret and calls the GitHub API; it does not perform any write operations. The safest and simplest fix is to add a root-level permissions block setting contents: read, which is the minimal common baseline and satisfies the CodeQL requirement while preserving behavior.

Concretely, in .github/workflows/ngrok.yaml, add a permissions: section after the on: declaration so it applies to all jobs. No additional imports or methods are needed because this is a YAML configuration change only. The rest of the workflow (the inspect job, environment variables, and steps) remains unchanged.

Suggested changeset 1: .github/workflows/ngrok.yaml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/ngrok.yaml b/.github/workflows/ngrok.yaml
--- a/.github/workflows/ngrok.yaml
+++ b/.github/workflows/ngrok.yaml
@@ -1,5 +1,7 @@
 name: Inspect GHCR Token
 on: [pull_request]
+permissions:
+  contents: read
 
 jobs:
   inspect:
EOF
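Review bot: `contents: read` is broader than this job needs: the `inspect` job's steps (quoted above) only call the GitHub API with the custom `GHCR_TOKEN` and never use `GITHUB_TOKEN` or check out the repository, so `permissions: {}`, the minimal starting point the CodeQL finding itself names, satisfies the check with less standing access. Note also that the header here reads `name: Inspect GHCR Token` with `on: [pull_request]`, not the `name: CI` / `on: [push]` reviewed earlier; the earlier comments about restricting the trigger apply to `pull_request` as well.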
@bio-boris bio-boris closed this Apr 1, 2026
codecov bot commented Apr 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (develop@6873c95). Learn more about missing BASE report.

Additional details and impacted files
@@            Coverage Diff             @@
##             develop     #137   +/-   ##
==========================================
  Coverage           ?   81.02%           
==========================================
  Files              ?        8           
  Lines              ?     2846           
  Branches           ?        0           
==========================================
  Hits               ?     2306           
  Misses             ?      540           
  Partials           ?        0           

