mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-07 13:32:57 +00:00
88ea855cff
This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Harden Runner [Harden-Runner](https://github.com/step-security/harden-runner) is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without `sudo` access. See how popular open-source projects use Harden-Runner [here](https://docs.stepsecurity.io/whos-using-harden-runner). <details> <summary>Harden runner usage</summary> You can find link to view insights and policy recommendation in the build log <img src="https://github.com/step-security/harden-runner/blob/main/images/buildlog1.png?raw=true" width="60%" height="60%"> Please refer to [documentation](https://docs.stepsecurity.io/harden-runner) to find more details. </details> will fix https://github.com/neondatabase/cloud/issues/26141
101 lines
3.3 KiB
YAML
101 lines
3.3 KiB
YAML
name: Create Release PR
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
component-name:
|
|
description: 'Component name'
|
|
required: true
|
|
type: string
|
|
source-branch:
|
|
description: 'Source branch'
|
|
required: true
|
|
type: string
|
|
secrets:
|
|
ci-access-token:
|
|
description: 'CI access token'
|
|
required: true
|
|
|
|
defaults:
|
|
run:
|
|
shell: bash -euo pipefail {0}
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
create-release-branch:
|
|
runs-on: ubuntu-22.04
|
|
|
|
permissions:
|
|
contents: write # for `git push`
|
|
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ inputs.source-branch }}
|
|
fetch-depth: 0
|
|
|
|
- name: Set variables
|
|
id: vars
|
|
env:
|
|
COMPONENT_NAME: ${{ inputs.component-name }}
|
|
RELEASE_BRANCH: >-
|
|
${{
|
|
false
|
|
|| inputs.component-name == 'Storage' && 'release'
|
|
|| inputs.component-name == 'Proxy' && 'release-proxy'
|
|
|| inputs.component-name == 'Compute' && 'release-compute'
|
|
}}
|
|
run: |
|
|
today=$(date +'%Y-%m-%d')
|
|
echo "title=${COMPONENT_NAME} release ${today}" | tee -a ${GITHUB_OUTPUT}
|
|
echo "rc-branch=rc/${RELEASE_BRANCH}/${today}" | tee -a ${GITHUB_OUTPUT}
|
|
echo "release-branch=${RELEASE_BRANCH}" | tee -a ${GITHUB_OUTPUT}
|
|
|
|
- name: Configure git
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
|
|
- name: Create RC branch
|
|
env:
|
|
RELEASE_BRANCH: ${{ steps.vars.outputs.release-branch }}
|
|
RC_BRANCH: ${{ steps.vars.outputs.rc-branch }}
|
|
TITLE: ${{ steps.vars.outputs.title }}
|
|
run: |
|
|
git switch -c "${RC_BRANCH}"
|
|
|
|
# Manually create a merge commit on the current branch, keeping the
|
|
# tree and setting the parents to the current HEAD and the HEAD of the
|
|
# release branch. This commit is what we'll fast-forward the release
|
|
# branch to when merging the release branch.
|
|
# For details on why, look at
|
|
# https://docs.neon.build/overview/repositories/neon.html#background-on-commit-history-of-release-prs
|
|
current_tree=$(git rev-parse 'HEAD^{tree}')
|
|
release_head=$(git rev-parse "origin/${RELEASE_BRANCH}")
|
|
current_head=$(git rev-parse HEAD)
|
|
merge_commit=$(git commit-tree -p "${current_head}" -p "${release_head}" -m "${TITLE}" "${current_tree}")
|
|
|
|
# Fast-forward the current branch to the newly created merge_commit
|
|
git merge --ff-only ${merge_commit}
|
|
|
|
git push origin "${RC_BRANCH}"
|
|
|
|
- name: Create a PR into ${{ steps.vars.outputs.release-branch }}
|
|
env:
|
|
GH_TOKEN: ${{ secrets.ci-access-token }}
|
|
RC_BRANCH: ${{ steps.vars.outputs.rc-branch }}
|
|
RELEASE_BRANCH: ${{ steps.vars.outputs.release-branch }}
|
|
TITLE: ${{ steps.vars.outputs.title }}
|
|
run: |
|
|
gh pr create --title "${TITLE}" \
|
|
--body "" \
|
|
--head "${RC_BRANCH}" \
|
|
--base "${RELEASE_BRANCH}"
|