a-masterov
c179d098ef
Increase the timeout for extensions upgrade tests (on schedule). ( #11406 )
...
## Problem
Sometimes the forced extension upgrade test fails (on schedule) due to a
timeout.
## Summary of changes
The timeout is increased to 60 mins.
2025-04-02 11:18:37 +00:00
StepSecurity Bot
88ea855cff
fix(ci): Fixing StepSecurity Flagged Issues ( #11311 )
...
This pull request is created by
[StepSecurity](https://app.stepsecurity.io/securerepo ) at the request of
@areyou1or0.
## Summary
This pull request is created by
[StepSecurity](https://app.stepsecurity.io/securerepo ) at the request of
@areyou1or0. Please merge the Pull Request to incorporate the requested
changes. Please tag @areyou1or0 on your message if you have any
questions related to the PR.
## Summary
This pull request is created by
[StepSecurity](https://app.stepsecurity.io/securerepo ) at the request of
@areyou1or0. Please merge the Pull Request to incorporate the requested
changes. Please tag @areyou1or0 on your message if you have any
questions related to the PR.
## Security Fixes
### Least Privileged GitHub Actions Token Permissions
The GITHUB_TOKEN is an automatically generated secret to make
authenticated calls to the GitHub API. GitHub recommends setting minimum
token permissions for the GITHUB_TOKEN.
- [GitHub Security
Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow )
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions )
### Pinned Dependencies
GitHub Action tags and Docker tags are mutable. This poses a security
risk. GitHub's Security Hardening guide recommends pinning actions to
full length commit.
- [GitHub Security
Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions )
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies )
### Harden Runner
[Harden-Runner](https://github.com/step-security/harden-runner ) is an
open-source security agent for the GitHub-hosted runner to prevent
software supply chain attacks. It prevents exfiltration of credentials,
detects tampering of source code during build, and enables running jobs
without `sudo` access. See how popular open-source projects use
Harden-Runner
[here](https://docs.stepsecurity.io/whos-using-harden-runner ).
<details>
<summary>Harden runner usage</summary>
You can find link to view insights and policy recommendation in the
build log
<img
src="https://github.com/step-security/harden-runner/blob/main/images/buildlog1.png?raw=true "
width="60%" height="60%">
Please refer to
[documentation](https://docs.stepsecurity.io/harden-runner ) to find more
details.
</details>
will fix https://github.com/neondatabase/cloud/issues/26141
2025-03-19 16:44:22 +00:00
a-masterov
df0767176a
Change the tags names according to the curent state ( #11059 )
...
## Problem
We have not synced `force-test-extensions-upgrade.yml` with the last
changes.
The variable `TEST_EXTENSIONS_UPGRADE` was ignored in the script and
actually set to `NEW_COMPUTE_TAG` while it should be set to
`OLD_COMPUTE_TAG` as we are about to run compatibility tests.
## Summary of changes
The tag names were synced, the logic was fixed.
2025-03-03 09:40:49 +00:00
a-masterov
646e011c4d
Tests the test-upgrade scripts themselves ( #10664 )
...
## Problem
We run the compatibility tests only if we are upgrading the extension.
An accidental code change may break the test itself, so we have to check
this code as well.
## Summary of changes
The test is scheduled once a day to save time and resources.
---------
Co-authored-by: Alexander Bayandin <alexander@neon.tech >
2025-02-14 11:41:57 +00:00
