This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Harden Runner [Harden-Runner](https://github.com/step-security/harden-runner) is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. 
It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without `sudo` access. See how popular open-source projects use Harden-Runner [here](https://docs.stepsecurity.io/whos-using-harden-runner). <details> <summary>Harden runner usage</summary> You can find link to view insights and policy recommendation in the build log <img src="https://github.com/step-security/harden-runner/blob/main/images/buildlog1.png?raw=true" width="60%" height="60%"> Please refer to [documentation](https://docs.stepsecurity.io/harden-runner) to find more details. </details> will fix https://github.com/neondatabase/cloud/issues/26141
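name: Pre-merge checks

on:
  pull_request:
    # Only re-run on PRs that touch this workflow or the workflows it calls;
    # the per-language checks below decide for themselves whether code changed.
    paths:
      - .github/workflows/_check-codestyle-python.yml
      - .github/workflows/_check-codestyle-rust.yml
      - .github/workflows/build-build-tools-image.yml
      - .github/workflows/pre-merge-checks.yml
  merge_group:

defaults:
  run:
    # -e / -o pipefail: any failing command (including inside a pipe) fails the step.
    # -u: an unset variable is an error, so a missing output/secret fails loudly.
    # -x: every command is echoed to the log, so secrets must be passed via `env`,
    #     never as command-line arguments.
    shell: bash -euxo pipefail {0}

# No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
# Jobs that call a reusable workflow (`uses:`) pass their grant down; the callee cannot exceed it.
permissions: {}

jobs:
  meta:
    runs-on: ubuntu-22.04
    permissions:
      contents: read # for `actions/checkout` and `changed-files`
    outputs:
      python-changed: ${{ steps.python-src.outputs.any_changed }}
      rust-changed: ${{ steps.rust-src.outputs.any_changed }}
      # `branch` and `pr-number` are only populated on `merge_group` events;
      # the `group-metadata` step is skipped otherwise, so they are empty on PRs.
      branch: ${{ steps.group-metadata.outputs.branch }}
      pr-number: ${{ steps.group-metadata.outputs.pr-number }}
    steps:
      # `audit` mode only records outbound calls (visible in the run log / StepSecurity
      # insights); it blocks nothing. Move to `egress-policy: block` with an
      # `allowed-endpoints` list once the audit data shows what this job needs.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

      # Third-party actions are pinned to full commit SHAs (tags are mutable).
      # Keep the trailing `# vX.Y.Z` comment in sync with the SHA so the pin stays reviewable.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
        id: python-src
        with:
          files: |
            .github/workflows/_check-codestyle-python.yml
            .github/workflows/build-build-tools-image.yml
            .github/workflows/pre-merge-checks.yml
            **/**.py
            poetry.lock
            pyproject.toml

      - uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
        id: rust-src
        with:
          files: |
            .github/workflows/_check-codestyle-rust.yml
            .github/workflows/build-build-tools-image.yml
            .github/workflows/pre-merge-checks.yml
            **/**.rs
            **/Cargo.toml
            Cargo.toml
            Cargo.lock

      # File names come from the PR and are attacker-influenced; they are handed to the
      # shell through `env` (not interpolated with `${{ }}` into `run`) so they cannot
      # inject commands.
      - name: PRINT ALL CHANGED FILES FOR DEBUG PURPOSES
        env:
          PYTHON_CHANGED_FILES: ${{ steps.python-src.outputs.all_changed_files }}
          RUST_CHANGED_FILES: ${{ steps.rust-src.outputs.all_changed_files }}
        run: |
          echo "${PYTHON_CHANGED_FILES}"
          echo "${RUST_CHANGED_FILES}"

      - name: Merge group metadata
        if: ${{ github.event_name == 'merge_group' }}
        id: group-metadata
        env:
          # Expected shape: refs/heads/gh-readonly-queue/<branch>/pr-<number>-<40-hex-sha>
          MERGE_QUEUE_REF: ${{ github.event.merge_group.head_ref }}
        run: |
          # `pr_number` is constrained to [0-9]+ by the regex, which is what makes it safe
          # to feed into a shell command in the `conclusion` job. If the ref does not match,
          # jq's `capture` yields nothing, both outputs stay empty and `conclusion` fails
          # on its `branch != 'main'` guard.
          echo "${MERGE_QUEUE_REF}" | jq -Rr 'capture("refs/heads/gh-readonly-queue/(?<branch>.*)/pr-(?<pr_number>[0-9]+)-[0-9a-f]{40}") | ["branch=" + .branch, "pr-number=" + .pr_number] | .[]' | tee -a "${GITHUB_OUTPUT}"

  build-build-tools-image:
    if: |
      false
      || needs.meta.outputs.python-changed == 'true'
      || needs.meta.outputs.rust-changed == 'true'
    needs: [ meta ]
    permissions:
      contents: read
      # presumably needed to push the built image to the package registry —
      # confirm against build-build-tools-image.yml and drop if it only pulls.
      packages: write
    uses: ./.github/workflows/build-build-tools-image.yml
    with:
      # Build only one combination to save time
      archs: '["x64"]'
      debians: '["bookworm"]'
    # Forwards every repository secret to the callee. Acceptable only because the
    # callee is a local workflow in this repository; do not use `inherit` with a
    # remote `uses:`.
    secrets: inherit

  check-codestyle-python:
    if: needs.meta.outputs.python-changed == 'true'
    needs: [ meta, build-build-tools-image ]
    permissions:
      contents: read
      packages: read # pull the build-tools image
    uses: ./.github/workflows/_check-codestyle-python.yml
    with:
      # `-bookworm-x64` suffix should match the combination in `build-build-tools-image`
      build-tools-image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm-x64
    secrets: inherit

  check-codestyle-rust:
    if: needs.meta.outputs.rust-changed == 'true'
    needs: [ meta, build-build-tools-image ]
    permissions:
      contents: read
      packages: read # pull the build-tools image
    uses: ./.github/workflows/_check-codestyle-rust.yml
    with:
      # `-bookworm-x64` suffix should match the combination in `build-build-tools-image`
      build-tools-image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm-x64
      archs: '["x64"]'
    secrets: inherit

  # To get items from the merge queue merged into main we need to satisfy "Status checks that are required".
  # Currently we require 2 jobs (checks with exact name):
  # - conclusion
  # - neon-cloud-e2e
  conclusion:
    # Do not run job on Pull Requests as it interferes with the `conclusion` job from the `build_and_test` workflow
    if: always() && github.event_name == 'merge_group'
    permissions:
      statuses: write # for `github.repos.createCommitStatus(...)`
      # No `contents: write`: nothing in this job writes to the repository with
      # GITHUB_TOKEN. The label step authenticates with `CI_ACCESS_TOKEN` instead,
      # so the job-level grant is kept to the one scope that is actually used.
    needs:
      - meta
      - check-codestyle-python
      - check-codestyle-rust
    runs-on: ubuntu-22.04
    steps:
      # See the note on the `meta` job: audit mode observes only, it does not block.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

      # Deliberately publishes a passing `neon-cloud-e2e` status on the merge-queue head
      # SHA, which is one of the two required checks listed above. This does not bypass
      # the gate on its own: the `conclusion` check (this job) still has to succeed,
      # and the step below fails it when any dependency failed or was wrongly skipped.
      # Only ever runs on `merge_group` (see the job-level `if`).
      - name: Create fake `neon-cloud-e2e` check
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          # Retry script for 5XX server errors: https://github.com/actions/github-script#retries
          retries: 5
          script: |
            const { repo, owner } = context.repo;
            const targetUrl = `${context.serverUrl}/${owner}/${repo}/actions/runs/${context.runId}`;

            await github.rest.repos.createCommitStatus({
              owner: owner,
              repo: repo,
              sha: context.sha,
              context: `neon-cloud-e2e`,
              state: `success`,
              target_url: targetUrl,
              description: `fake check for merge queue`,
            });

      # The `skipped && *-changed == 'true'` clauses catch a check that was skipped
      # although its inputs changed (e.g. because `build-build-tools-image` did not run).
      - name: Fail the job if any of the dependencies do not succeed or skipped
        run: exit 1
        if: |
          false
          || (github.event_name == 'merge_group' && needs.meta.outputs.branch != 'main')
          || (needs.check-codestyle-python.result == 'skipped' && needs.meta.outputs.python-changed == 'true')
          || (needs.check-codestyle-rust.result == 'skipped' && needs.meta.outputs.rust-changed == 'true')
          || contains(needs.*.result, 'failure')
          || contains(needs.*.result, 'cancelled')

      - name: Add fast-forward label to PR to trigger fast-forward merge
        if: >-
          ${{
            always()
            && github.event_name == 'merge_group'
            && contains(fromJSON('["release", "release-proxy", "release-compute"]'), needs.meta.outputs.branch)
          }}
        env:
          # PAT with rights GITHUB_TOKEN does not have in this job (labelling the PR).
          # Kept in `env` so `set -x` never prints it.
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
          # Passed through the environment instead of being interpolated into the
          # command line, matching the debug step above. The value is digits-only by
          # construction (see `group-metadata`), so this is defence in depth.
          PR_NUMBER: ${{ needs.meta.outputs.pr-number }}
        run: >-
          gh pr edit "${PR_NUMBER}" --repo "${GITHUB_REPOSITORY}" --add-label "fast-forward"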