This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Harden Runner [Harden-Runner](https://github.com/step-security/harden-runner) is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. 
It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without `sudo` access. See how popular open-source projects use Harden-Runner [here](https://docs.stepsecurity.io/whos-using-harden-runner). <details> <summary>Harden runner usage</summary> You can find a link to view insights and policy recommendations in the build log <img src="https://github.com/step-security/harden-runner/blob/main/images/buildlog1.png?raw=true" width="60%" height="60%"> Please refer to the [documentation](https://docs.stepsecurity.io/harden-runner) for more details. </details> will fix https://github.com/neondatabase/cloud/issues/26141
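name: Handle `approved-for-ci-run` label

# This workflow helps to run CI pipeline for PRs made by external contributors (from forks).
#
# Trust model: `pull_request_target` runs in the context of the base repository (with access to
# its secrets), so no content of the fork may be executed by this workflow. The jobs below only
# call `gh` and `git`; the fork's commit is pushed to a `ci-run/pr-<N>` branch inside this
# repository and the regular CI pipeline runs there, gated on a maintainer applying the
# `approved-for-ci-run` label. Any change to the PR (`synchronize`, ...) removes the label again.

on:
  pull_request_target:
    branches:
      - main
    types:
      # Default types that trigger a workflow ([1]):
      # - [1] https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
      - opened
      - synchronize
      - reopened
      # Types that we want to handle in addition to keep labels tidy:
      - closed
      # Actual magic happens here:
      - labeled

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: false

env:
  # Default token for `gh`; individual steps override it with CI_ACCESS_TOKEN where needed.
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  PR_NUMBER: ${{ github.event.pull_request.number }}
  BRANCH: "ci-run/pr-${{ github.event.pull_request.number }}"

# No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
permissions: {}

defaults:
  run:
    # `-u` makes an unset variable a hard error, `pipefail` surfaces failures inside pipelines.
    shell: bash -euo pipefail {0}

jobs:
  remove-label:
    # Remove `approved-for-ci-run` label if the workflow is triggered by changes in a PR.
    # The PR should be reviewed and labelled manually again.

    permissions:
      pull-requests: write # For `gh pr edit`

    if: |
      contains(fromJSON('["opened", "synchronize", "reopened", "closed"]'), github.event.action) &&
      contains(github.event.pull_request.labels.*.name, 'approved-for-ci-run')

    runs-on: ubuntu-22.04

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          # `audit` only records outbound calls in the job log; it does not block anything.
          # Once the audit runs show which hosts the job needs, switch to `egress-policy: block`
          # with an explicit `allowed-endpoints` list to actually enforce the policy.
          egress-policy: audit

      - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"

  create-or-update-pr-for-ci-run:
    # Create local PR for an `approved-for-ci-run` labelled PR to run CI pipeline in it.

    permissions:
      pull-requests: write # for `gh pr edit`
      # For `git push` and `gh pr create` we use CI_ACCESS_TOKEN
      # (presumably because a push made with GITHUB_TOKEN would not trigger the CI workflows
      # on the new branch — confirm against the token's setup).

    if: |
      github.event.action == 'labeled' &&
      contains(github.event.pull_request.labels.*.name, 'approved-for-ci-run')

    runs-on: ubuntu-22.04

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          # `audit` only records outbound calls; see the note in `remove-label`.
          egress-policy: audit

      # The label is single-use: it is consumed here so that a later push to the PR has to be
      # reviewed and labelled again.
      - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The exact SHA recorded in the `labeled` event, not the moving branch head.
          ref: ${{ github.event.pull_request.head.sha }}
          # The token is persisted in the checkout so the `git push` steps below can use it.
          # The fork's commit is checked out only to be pushed: no step in this job runs anything
          # from the checked-out tree (no scripts, no `make`, no package-manager hooks) — keep it that way.
          token: ${{ secrets.CI_ACCESS_TOKEN }}

      - name: Look for existing PR
        id: get-pr
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
        run: |
          # Empty output means no CI-run PR exists yet for this branch.
          ALREADY_CREATED="$(gh pr --repo "${GITHUB_REPOSITORY}" list --head "${BRANCH}" --base main --json number --jq '.[].number')"
          echo "ALREADY_CREATED=${ALREADY_CREATED}" >> "${GITHUB_OUTPUT}"

      - name: Get changed labels
        id: get-labels
        if: steps.get-pr.outputs.ALREADY_CREATED != ''
        env:
          ALREADY_CREATED: ${{ steps.get-pr.outputs.ALREADY_CREATED }}
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
        run: |
          # Sorted `run*` labels of a PR (sorted input is required by `comm`); empty if there are none.
          run_labels() {
            gh pr --repo "${GITHUB_REPOSITORY}" view "$1" --json labels --jq '.labels.[].name' | ( grep -E '^run' || true ) | sort
          }
          # Labels present on the CI-run PR but no longer on the original PR.
          # `run-e2e-tests-in-draft` is always set on the CI-run PR and must never be removed.
          LABELS_TO_REMOVE=$(comm -23 <(run_labels "${ALREADY_CREATED}") <(run_labels "${PR_NUMBER}") | ( grep -v run-e2e-tests-in-draft || true ) | paste -sd , -)
          # Labels present on the original PR that the CI-run PR does not have yet.
          LABELS_TO_ADD=$(comm -13 <(run_labels "${ALREADY_CREATED}") <(run_labels "${PR_NUMBER}") | paste -sd , -)
          echo "LABELS_TO_ADD=${LABELS_TO_ADD}" >> "${GITHUB_OUTPUT}"
          echo "LABELS_TO_REMOVE=${LABELS_TO_REMOVE}" >> "${GITHUB_OUTPUT}"

      - run: git checkout -b "${BRANCH}"

      - run: git push --force origin "${BRANCH}"
        if: steps.get-pr.outputs.ALREADY_CREATED == ''

      - name: Create a Pull Request for CI run (if required)
        if: steps.get-pr.outputs.ALREADY_CREATED == ''
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
        run: |
          cat << EOF > body.md
          This Pull Request is created automatically to run the CI pipeline for #${PR_NUMBER}

          Please do not alter or merge/close it.

          Feel free to review/comment/discuss the original PR #${PR_NUMBER}.
          EOF

          # Copy the original PR's `run*` labels and always add `run-e2e-tests-in-draft`, so the
          # list is never empty and the `grep` below cannot fail under `pipefail`.
          LABELS=$( (gh pr --repo "${GITHUB_REPOSITORY}" view "${PR_NUMBER}" --json labels --jq '.labels.[].name'; echo run-e2e-tests-in-draft ) | \
            grep -E '^run' | paste -sd , -)
          gh pr --repo "${GITHUB_REPOSITORY}" create --title "CI run for PR #${PR_NUMBER}" \
            --body-file "body.md" \
            --head "${BRANCH}" \
            --base "main" \
            --label "${LABELS}" \
            --draft

      - name: Modify the existing pull request (if required)
        if: steps.get-pr.outputs.ALREADY_CREATED != ''
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          LABELS_TO_ADD: ${{ steps.get-labels.outputs.LABELS_TO_ADD }}
          LABELS_TO_REMOVE: ${{ steps.get-labels.outputs.LABELS_TO_REMOVE }}
          ALREADY_CREATED: ${{ steps.get-pr.outputs.ALREADY_CREATED }}
        run: |
          # Collect the edit flags in an array so that every argument stays a single word.
          ARGS=()
          [ -z "${LABELS_TO_ADD}" ] || ARGS+=(--add-label "${LABELS_TO_ADD}")
          [ -z "${LABELS_TO_REMOVE}" ] || ARGS+=(--remove-label "${LABELS_TO_REMOVE}")
          if [ "${#ARGS[@]}" -gt 0 ]; then
            gh pr --repo "${GITHUB_REPOSITORY}" edit "${ALREADY_CREATED}" "${ARGS[@]}"
          fi

      - run: git push --force origin "${BRANCH}"
        if: steps.get-pr.outputs.ALREADY_CREATED != ''

  cleanup:
    # Close PRs and delete branches if the original PR is closed.

    permissions:
      contents: write # for `--delete-branch` flag in `gh pr close`
      pull-requests: write # for `gh pr close`

    # Only PRs coming from a fork get a `ci-run/pr-<N>` branch, so only those need cleanup.
    if: |
      github.event.action == 'closed' &&
      github.event.pull_request.head.repo.full_name != github.repository

    runs-on: ubuntu-22.04

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          # `audit` only records outbound calls; see the note in `remove-label`.
          egress-policy: audit

      - name: Close PR and delete `ci-run/pr-${{ env.PR_NUMBER }}` branch
        run: |
          # Empty when no CI-run PR exists for this branch; then there is nothing to close.
          CLOSED="$(gh pr --repo "${GITHUB_REPOSITORY}" list --head "${BRANCH}" --json 'closed' --jq '.[].closed')"
          if [ "${CLOSED}" == "false" ]; then
            gh pr --repo "${GITHUB_REPOSITORY}" close "${BRANCH}" --delete-branch
          fi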