[bitnami/containers] GitHub actions hardening (#52441)

* GitHub actions hardening

Signed-off-by: Fran Mulero <fmulero@vmware.com>

* Allow manual triggering in scheduled jobs

Signed-off-by: Fran Mulero <fmulero@vmware.com>

* Use env vars instead of interpolating GitHub expressions into scripts

Signed-off-by: Fran Mulero <fmulero@vmware.com>

---------

Signed-off-by: Fran Mulero <fmulero@vmware.com>
This commit is contained in:
Fran Mulero
2023-11-08 17:06:12 +01:00
committed by GitHub
parent 8c9c2a3ef8
commit 87370f26d6
14 changed files with 129 additions and 59 deletions

10
.github/dependabot.yml vendored Normal file

@@ -0,0 +1,10 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
version: 2
# Check for updates to GitHub Actions every week
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"


@@ -1,3 +1,6 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
name: '[Support] Assign asset label'
on:
pull_request_target:
@@ -34,7 +37,7 @@ jobs:
echo "name=${assets}" >> $GITHUB_OUTPUT
fi
- name: Show messages
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
with:
script: |
if ("${{ steps.get-asset.outputs.result }}" != "ok" ) {
@@ -44,6 +47,6 @@ jobs:
}
- name: Labeling
if: ${{ steps.get-asset.outputs.result == 'ok' }}
uses: fmulero/labeler@1.1.0
uses: fmulero/labeler@d3ef0aadb212cd1656bd6d5ce1e772787bf1682b
with:
add-labels: "${{ steps.get-asset.outputs.name }}"
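Review bot: The script line `if ("${{ steps.get-asset.outputs.result }}" != "ok" )` still interpolates a step output directly into JavaScript, the pattern the commit's third message replaces elsewhere in this change. This workflow runs on `pull_request_target`, so if the get-asset step (above the hunk) ever derives that output from PR-controlled text, the interpolation becomes script injection with the job's token. Pass it through the environment instead: add `env: RESULT: ${{ steps.get-asset.outputs.result }}` to the step and use `const { RESULT } = process.env; if (RESULT != "ok") {` in the script. The `add-labels: "${{ ... }}"` value is an action input rather than code and does not have this problem; the script body continues outside the hunk.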


@@ -23,7 +23,7 @@ jobs:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
name: Checkout Repository
with:
ref: ${{ github.event.pull_request.head.ref }}
@@ -54,7 +54,7 @@ jobs:
echo "result=skip" >> $GITHUB_OUTPUT
fi
- name: Check license Headers
uses: apache/skywalking-eyes/header@v0.4.0
uses: apache/skywalking-eyes/header@6b2529214f6b1ccee3ec92bb0adfeabf6f66f538
if: ${{ steps.get-modified-files.outputs.result == 'success' }}
get-containers:
runs-on: ubuntu-latest
@@ -110,7 +110,7 @@ jobs:
matrix:
container: ${{ fromJSON(needs.get-containers.outputs.containers) }}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
name: Checkout Repository
with:
# Full history is not required anymore
@@ -174,7 +174,7 @@ jobs:
steps:
- id: get-status
name: Check Status
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
with:
result-encoding: string
script: |
@@ -224,12 +224,20 @@ jobs:
# Approve the CI's PR automatically, as it has been tested in our internal pipeline already
# Approved by the 'github-actions' user; a PR can't be approved by its author
- name: PR Approval
uses: hmarr/auto-approve-action@v3.0.0
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
with:
pull-request-number: ${{ github.event.number }}
result-encoding: string
retries: 3
script: |
github.rest.pulls.createReview({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
event: 'APPROVE',
});
- name: Merge
id: merge
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
with:
result-encoding: string
retries: 3
@@ -246,10 +254,18 @@ jobs:
# post a comment on the PR and assign a maintainer agent to review it
- name: Manual review required
if: ${{ always() && steps.merge.outcome != 'success' }}
uses: peter-evans/create-or-update-comment@v3.0.0
with:
issue-number: ${{ github.event.number }}
# Necessary to trigger support workflows
token: ${{ secrets.BITNAMI_BOT_TOKEN }}
body: |
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
env:
BODY: |
There has been an error during the automated release process. Manual revision is now required.
Please check the related [action_run#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more information.
with:
retries: 3
script: |
const {BODY} = process.env
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `${BODY}`
})
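Review bot: Replacing `peter-evans/create-or-update-comment` with `actions/github-script` in the "Manual review required" step drops the `token: ${{ secrets.BITNAMI_BOT_TOKEN }}` that the removed comment labels "Necessary to trigger support workflows"; `github-script` falls back to `GITHUB_TOKEN`, and events created with that token do not start other workflow runs, so the `issue_comment`-driven support workflow will not react to this comment. If that routing is still wanted, add `github-token: ${{ secrets.BITNAMI_BOT_TOKEN }}` under `with:`. Separately, neither `github.rest.pulls.createReview(...)` nor `github.rest.issues.createComment(...)` is awaited, so a rejected request is not reliably surfaced as the step's failure; prefix both calls with `await`. The job continues outside the hunk.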


@@ -1,5 +1,9 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
name: '[Support] Close Solved issues'
on:
workflow_dispatch:
schedule:
# Hourly
- cron: '0 * * * *'
@@ -9,7 +13,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v6.0.1
- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84
with:
any-of-labels: 'solved'
stale-issue-label: 'solved'


@@ -1,3 +1,6 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
name: '[Support] Comments based card movements'
on:
issue_comment:
@@ -18,13 +21,13 @@ jobs:
pull-requests: read
steps:
- name: Repo checkout
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Load .env file
uses: xom9ikk/dotenv@v2
uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
with:
path: .github/workflows/
- name: Move into Pending
uses: peter-evans/create-or-update-project-card@v2
uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
if: |
(github.actor != 'bitnami-bot' || github.event.issue.user.login != 'bitnami-bot' || github.event.issue.pull_request == null) &&
contains(fromJson(env.BITNAMI_TEAM), github.actor) &&
@@ -33,7 +36,7 @@ jobs:
project-name: Support
column-name: Pending
- name: Move into In Progress
uses: peter-evans/create-or-update-project-card@v2
uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
if: |
(github.actor != 'bitnami-bot' || github.event.issue.user.login != 'bitnami-bot' || github.event.issue.pull_request == null) &&
(!contains(fromJson(env.BITNAMI_TEAM), github.actor)) &&
@@ -42,7 +45,7 @@ jobs:
project-name: Support
column-name: In progress
- name: Move into Triage
uses: peter-evans/create-or-update-project-card@v2
uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
if: |
(github.actor != 'bitnami-bot' || github.event.issue.user.login != 'bitnami-bot' || github.event.issue.pull_request == null) &&
(!contains(fromJson(env.BITNAMI_TEAM), github.actor)) &&


@@ -1,3 +1,6 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
name: '[Support] Delete Solved cards'
on:
workflow_dispatch:
@@ -14,18 +17,19 @@ jobs:
contents: read
steps:
- name: Repo checkout
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 1
- name: Load .env file
uses: xom9ikk/dotenv@v2
uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
with:
path: .github/workflows/
- uses: actions/github-script@v6
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
with:
script: |
const {SOLVED_COLUMN_ID} = process.env
const {data: cards} = await github.rest.projects.listCards({
column_id: ${{ env.SOLVED_COLUMN_ID }},
column_id: `${SOLVED_COLUMN_ID}`,
archived_state: 'all',
per_page: 100
});
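Review bot: `column_id: \`${SOLVED_COLUMN_ID}\`` turns the column id into a string where the replaced expression produced a bare number, and an unset variable becomes the literal string `undefined` in the request path. `column_id: Number(SOLVED_COLUMN_ID)` keeps the original type, and a guard such as `if (!SOLVED_COLUMN_ID) return core.setFailed('SOLVED_COLUMN_ID not set')` before the call makes a missing `.env` value fail loudly instead of querying a nonexistent column. The script continues past the hunk.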


@@ -1,3 +1,6 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
name: '[CI/CD] Markdown linter'
on:
pull_request:
@@ -16,20 +19,21 @@ jobs:
- name: Install mardownlint
run: npm install -g markdownlint-cli@0.33.0
- name: Checkout project
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Execute markdownlint
env:
DIFF_URL: "${{github.event.pull_request.diff_url}}"
TEMP_FILE: "${{runner.temp}}/pr-${{github.event.number}}.diff"
TEMP_OUTPUT: "${{runner.temp}}/output"
run: |
# This request doesn't consume API calls.
curl -Lkso $TEMP_FILE $DIFF_URL
files_changed="$(sed -nr 's/[\-\+]{3} [ab]\/(.*)/\1/p' $TEMP_FILE | sort | uniq)"
md_files="$(echo "$files_changed" | grep -o ".*\.md$" | sort | uniq || true)"
# Create an empty file, useful when the PR changes ignored files
touch ${{runner.temp}}/output
touch "${TEMP_OUTPUT}"
exit_code=0
markdownlint -o ${{runner.temp}}/output ${md_files[@]} || exit_code=$?
markdownlint -o "${TEMP_OUTPUT}" ${md_files[@]} || exit_code=$?
while read -r line; do
# line format:
# file:row[:column] message
@@ -45,7 +49,7 @@ jobs:
else
echo "::warning:: Error processing: ${line}"
fi
done < ${{runner.temp}}/output
done < "${TEMP_OUTPUT}"
if [[ $exit_code -ne 0 ]]; then
echo "::error:: Please review linter messages"
exit "$exit_code"
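Review bot: `curl -Lkso $TEMP_FILE $DIFF_URL` keeps `-k`, which disables TLS certificate verification for the download of the PR diff that drives the rest of the step; nothing here needs it, and the two arguments are left unquoted while the rest of the hunk now quotes `${TEMP_OUTPUT}`. Use `curl -fLso "$TEMP_FILE" "$DIFF_URL"` so a failed fetch stops the step instead of linting an error page. `${md_files[@]}` is a plain string rather than an array, so paths containing spaces are split on whitespace; this predates the change but is worth a follow-up.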


@@ -1,3 +1,6 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
name: '[Support] Move closed issues'
on:
issues:
@@ -17,7 +20,7 @@ jobs:
steps:
- name: Send to the Solved column
id: send-solved
uses: peter-evans/create-or-update-project-card@v2
uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
# Send to solve only the issues and PRs created by users or the automated PRs with human review required
if: |
(github.event.issue != null && github.event.issue.user.login != 'bitnami-bot') ||


@@ -1,3 +1,6 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
# This workflow is built to manage the triage support by using GH issues.
name: '[Support] Cards movements'
on:
@@ -49,48 +52,48 @@ jobs:
- get-issue
steps:
- name: Repo checkout
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 1
- name: Load .env file
uses: xom9ikk/dotenv@v2
uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
with:
path: .github/workflows/
# Now handling the needed labeling
- name: Triage labeling
# Only if moved into triage
if: ${{ github.event.project_card.column_id == env.TRIAGE_COLUMN_ID }}
uses: fmulero/labeler@1.1.0
uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
with:
add-labels: triage
remove-labels: on-hold, in-progress, solved
- name: From Bitnami labeling
if: ${{ github.event.project_card.column_id == env.BITNAMI_COLUMN_ID }}
uses: fmulero/labeler@1.1.0
uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
with:
add-labels: ${{ (needs.get-issue.outputs.author == 'bitnami-bot' && needs.get-issue.outputs.type == 'pull_request') && 'automated, auto-merge' || 'bitnami' }}
remove-labels: on-hold, in-progress, triage, solved
- name: Verify labeling
# Only if moved into bitnami column and the PR is ready for review
# Consecutive calls were fixed in fmulero/labeler@1.1.0, see https://github.com/fmulero/labeler/pull/2
# Consecutive calls were fixed in fmulero/labeler, see https://github.com/fmulero/labeler/pull/2
if: |
github.event.project_card.column_id == env.BITNAMI_COLUMN_ID &&
needs.get-issue.outputs.type == 'pull_request' && needs.get-issue.outputs.draft == 'false'
uses: fmulero/labeler@1.1.0
uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
with:
repo-token: ${{ secrets.BITNAMI_BOT_TOKEN }}
add-labels: verify
- name: On hold labeling
# Only if moved into on hold
if: ${{ github.event.project_card.column_id == env.ON_HOLD_COLUMN_ID }}
uses: fmulero/labeler@1.1.0
uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
with:
add-labels: on-hold
remove-labels: triage, in-progress, solved
- name: In progress labeling
# Only if moved into In progress
if: ${{ github.event.project_card.column_id == env.IN_PROGRESS_COLUMN_ID }}
uses: fmulero/labeler@1.1.0
uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
with:
add-labels: in-progress
remove-labels: on-hold, triage, solved
@@ -99,7 +102,7 @@ jobs:
if: |
github.event.project_card.column_id == env.SOLVED_COLUMN_ID &&
(needs.get-issue.outputs.author != 'bitnami-bot')
uses: fmulero/labeler@1.1.0
uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
with:
add-labels: solved
# Triage is not on the list to know how many issues/PRs are solved
@@ -114,18 +117,18 @@ jobs:
# The job shouldn't run for solved cards
steps:
- name: Repo checkout
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 1
- name: Load .env file
uses: xom9ikk/dotenv@v2
uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
with:
path: .github/workflows/
- name: Assign to a person to work on it
# Assign when there is nobody assigned or the card is new.
if: |
github.event.project_card.column_id != env.SOLVED_COLUMN_ID && (needs.get-issue.outputs.assignees == '[]' || github.event.action == 'created')
uses: pozil/auto-assign-issue@v1.11.0
uses: pozil/auto-assign-issue@edee9537367a8fbc625d27f9e10aa8bad47b8723
with:
numOfAssignee: 1
teams: ${{ github.event.project_card.column_id == env.BITNAMI_COLUMN_ID && env.SUPPORT_TEAM_NAME || env.TRIAGE_TEAM_NAME }}
@@ -137,7 +140,7 @@ jobs:
github.event.action == 'moved' && needs.get-issue.outputs.assignees != '[]' &&
github.event.project_card.column_id == env.IN_PROGRESS_COLUMN_ID &&
github.event.changes.column_id.from == env.TRIAGE_COLUMN_ID
uses: pozil/auto-assign-issue@v1.11.0
uses: pozil/auto-assign-issue@edee9537367a8fbc625d27f9e10aa8bad47b8723
with:
numOfAssignee: 1
removePreviousAssignees: true
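Review bot: `fmulero/labeler` is pinned to `f49bf680…` throughout this file but to `d3ef0aad…` in the assign-asset-label workflow, so the same action now runs at two different commits, and the rewritten comment `# Consecutive calls were fixed in fmulero/labeler` no longer records which release either SHA corresponds to. Pin both workflows to one SHA and keep a trailing version comment, e.g. `uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da # vX.Y.Z`, which the new Dependabot `github-actions` config keeps in sync when it bumps pins. The Verify labeling step also hands `secrets.BITNAMI_BOT_TOKEN` to this personal fork; a SHA pin limits but does not remove that exposure, so the token should be scoped to what labeling needs.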


@@ -1,3 +1,6 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
name: '[Support] Review based card movements'
on:
pull_request_target:
@@ -24,15 +27,15 @@ jobs:
(!contains(github.event.pull_request.labels.*.name, 'bitnami')) && (!contains(github.event.pull_request.labels.*.name, 'triage'))
steps:
- name: Repo checkout
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Load .env file
uses: xom9ikk/dotenv@v2
uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
with:
path: .github/workflows/
- name: Move into In Progress
# Move the card only if the actor is not a Bitnami member
if: ${{ !contains(fromJson(env.BITNAMI_TEAM), github.actor) }}
uses: peter-evans/create-or-update-project-card@v2
uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
with:
project-name: Support
column-name: In progress


@@ -1,3 +1,6 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
name: '[SRP] Secure Release Pipeline Report'
on:
schedule:
@@ -24,7 +27,7 @@ jobs:
sudo tar xf /tmp/srp-cli.tgz -C /usr/local/bin/
srp config --srp-endpoint ${BAC_SRP_ENDPOINT}
srp config auth --client-id=${BAC_SRP_CLIENT_ID} --client-secret=${BAC_SRP_CLIENT_SECRET}
- uses: actions/checkout@v3
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
name: Checkout Repository
with:
# No full history required
@@ -40,11 +43,13 @@ jobs:
--version "1.0" --all-ephemeral true --build-type release
echo "uid=${SRP_UID}" >> $GITHUB_OUTPUT
- name: Archive SRP report
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: source-provenance
path: source-provenance.json
- id: submit-report
name: Submit SRP report
env:
SRP_UID: "${{ steps.build-report.outputs.uid }}"
run: |
srp metadata submit --verbose --path ./source-provenance.json --uid "uid.mtd.provenance_2_5.fragment(obj_uid=${{ steps.build-report.outputs.uid }},revision='')"
srp metadata submit --verbose --path ./source-provenance.json --uid "uid.mtd.provenance_2_5.fragment(obj_uid=${SRP_UID},revision='')"
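Review bot: The step that runs `sudo tar xf /tmp/srp-cli.tgz -C /usr/local/bin/` installs a CLI that is then given `BAC_SRP_CLIENT_SECRET`, but no integrity check on the archive is visible in the hunk; if the download is in the lines above, verify a pinned checksum before extracting, e.g. `echo "<expected-sha256>  /tmp/srp-cli.tgz" | sha256sum -c -`. Passing the secret as `--client-secret=${BAC_SRP_CLIENT_SECRET}` also exposes it to the runner's process table; prefer an environment variable or stdin if the CLI supports it. Both of these steps start outside the hunk.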


@@ -1,3 +1,6 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
name: '[Support] Close stale issues and PRs'
on:
workflow_dispatch:
@@ -14,7 +17,7 @@ jobs:
pull-requests: write
steps:
# This step will add the stale comment and label for the first 15 days without activity. It won't close any task
- uses: actions/stale@v6.0.1
- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.'
@@ -25,7 +28,7 @@ jobs:
exempt-pr-labels: 'on-hold'
operations-per-run: 500
# This step will add the 'solved' label and the last comment before closing the issue or PR. Note that it won't close any issue or PR, they will be closed by the clossing-issues workflow
- uses: actions/stale@v6.0.1
- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.'


@@ -1,5 +1,9 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
name: '[Support] Synchronize team members in the .env file'
on:
workflow_dispatch:
schedule:
# Daily
- cron: '0 5 * * *'
@@ -10,19 +14,21 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Repo checkout
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
token: ${{ secrets.BITNAMI_BOT_TOKEN }}
fetch-depth: 1
- name: Load .env file
uses: xom9ikk/dotenv@v2
uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
with:
path: .github/workflows/
- name: Updating members of the Bitnami team
env:
TOKEN: ${{ secrets.BITNAMI_BOT_TOKEN }}
run: |
TEAM_MEMBERS=$(curl --request GET \
--url https://api.github.com/orgs/bitnami/teams/developers/members?per_page=100 \
--header 'authorization: Bearer ${{ secrets.BITNAMI_BOT_TOKEN }}' \
--header "authorization: Bearer ${TOKEN}" \
--header 'content-type: application/json' \
| jq 'sort_by(.login)|map(.login)|join(",")')
TEAM_MEMBERS='['${TEAM_MEMBERS//','/'","'}']'
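Review bot: The `curl` that builds `TEAM_MEMBERS` has no `--fail`, so a 401/403 or a wrong team name returns an error object that either breaks `jq` or, on an empty array, silently yields `[]`, and `per_page=100` truncates any team larger than 100 members without warning. Since the result is presumably written back into the `.env` consulted by `contains(fromJson(env.BITNAMI_TEAM), github.actor)` in the other support workflows, a bad run would demote every maintainer to an outsider. Add `--fail-with-body -sS` to the request, paginate (e.g. `gh api --paginate`), and refuse to continue on an empty list, e.g. `[[ "${TEAM_MEMBERS}" == '[]' ]] && { echo '::error::empty team list'; exit 1; }`. The write-back happens after the hunk.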


@@ -1,3 +1,6 @@
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
# This workflow is built to manage the triage support by using GH issues.
name: '[Support] Organize triage'
on:
@@ -24,11 +27,11 @@ jobs:
contents: read
steps:
- name: Repo checkout
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 1
- name: Load .env file
uses: xom9ikk/dotenv@v2
uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
with:
path: .github/workflows/
- name: Get author
@@ -42,7 +45,7 @@ jobs:
echo "type=${type}" >> $GITHUB_OUTPUT
- name: Send to the board
if: ${{steps.get-issue.outputs.author != 'bitnami-bot' || steps.get-issue.outputs.type != 'pull_request'}}
uses: peter-evans/create-or-update-project-card@v2
uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
with:
project-name: Support
# If the author comes from Bitnami, send it to Bitnami. Otherwise, all to Triage
@@ -59,11 +62,11 @@ jobs:
# a card for the automated PRs only when it is needed.
steps:
- name: From Bitnami labeling
uses: fmulero/labeler@1.1.0
uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
with:
add-labels: 'automated, auto-merge'
- name: Verify labeling
uses: fmulero/labeler@1.1.0
uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
with:
# Bitnami bot token is required to trigger CI workflows
repo-token: ${{ secrets.BITNAMI_BOT_TOKEN }}