This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Harden Runner [Harden-Runner](https://github.com/step-security/harden-runner) is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. 
It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without `sudo` access. See how popular open-source projects use Harden-Runner [here](https://docs.stepsecurity.io/whos-using-harden-runner). <details> <summary>Harden runner usage</summary> You can find a link to view the insights and the policy recommendation in the build log. <img src="https://github.com/step-security/harden-runner/blob/main/images/buildlog1.png?raw=true" width="60%" height="60%"> Please refer to the [documentation](https://docs.stepsecurity.io/harden-runner) for more details. </details> will fix https://github.com/neondatabase/cloud/issues/26141
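name: Generate run metadata

on:
  workflow_call:
    inputs:
      github-event-name:
        # Event name of the calling workflow (`push`, `pull_request`,
        # `workflow_dispatch`, ...). Together with the ref/base ref it
        # decides `run-kind`, which every other output depends on.
        type: string
        required: true
    outputs:
      build-tag:
        description: "Tag for the current workflow run"
        value: ${{ jobs.tags.outputs.build-tag }}
      release-tag:
        description: "Tag for the release if this is an RC PR run"
        value: ${{ jobs.tags.outputs.release-tag }}
      previous-storage-release:
        description: "Tag of the last storage release"
        value: ${{ jobs.tags.outputs.storage }}
      previous-proxy-release:
        description: "Tag of the last proxy release"
        value: ${{ jobs.tags.outputs.proxy }}
      previous-compute-release:
        description: "Tag of the last compute release"
        value: ${{ jobs.tags.outputs.compute }}
      run-kind:
        description: "The kind of run we're currently in. Will be one of `push-main`, `storage-release`, `compute-release`, `proxy-release`, `storage-rc-pr`, `compute-rc-pr`, `proxy-rc-pr`, `pr`, or `workflow-dispatch`"
        value: ${{ jobs.tags.outputs.run-kind }}
      release-pr-run-id:
        description: "Only available if `run-kind in [storage-release, proxy-release, compute-release]`. Contains the run ID of the `Build and Test` workflow, assuming one with the current commit can be found."
        value: ${{ jobs.tags.outputs.release-pr-run-id }}

# No token permissions at the workflow level; the single job below
# re-grants only the read access it needs.
permissions: {}

defaults:
  run:
    # Fail fast on errors, unset variables and failing pipeline stages.
    shell: bash -euo pipefail {0}

jobs:
  tags:
    runs-on: ubuntu-22.04
    outputs:
      build-tag: ${{ steps.build-tag.outputs.build-tag }}
      release-tag: ${{ steps.build-tag.outputs.release-tag }}
      compute: ${{ steps.previous-releases.outputs.compute }}
      proxy: ${{ steps.previous-releases.outputs.proxy }}
      storage: ${{ steps.previous-releases.outputs.storage }}
      run-kind: ${{ steps.run-kind.outputs.run-kind }}
      release-pr-run-id: ${{ steps.release-pr-run-id.outputs.release-pr-run-id }}
    permissions:
      # Every `gh api` call below is a GET. NOTE(review): `contents: read`
      # is the only grant; confirm the workflow-runs endpoint does not
      # additionally need `actions: read` when this runs on a private fork.
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          # `audit` only records egress; it does not block anything. Move to
          # `block` with an explicit allow-list once the audit log shows the
          # endpoints this job actually contacts.
          egress-policy: audit

      # Need `fetch-depth: 0` to count the number of commits in the branch
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Get run kind
        id: run-kind
        env:
          # First matching clause wins; the leading `false` only exists so
          # every real clause can start with `||` and line up.
          RUN_KIND: >-
            ${{
              false
              || (inputs.github-event-name == 'push' && github.ref_name == 'main') && 'push-main'
              || (inputs.github-event-name == 'push' && github.ref_name == 'release') && 'storage-release'
              || (inputs.github-event-name == 'push' && github.ref_name == 'release-compute') && 'compute-release'
              || (inputs.github-event-name == 'push' && github.ref_name == 'release-proxy') && 'proxy-release'
              || (inputs.github-event-name == 'pull_request' && github.base_ref == 'release') && 'storage-rc-pr'
              || (inputs.github-event-name == 'pull_request' && github.base_ref == 'release-compute') && 'compute-rc-pr'
              || (inputs.github-event-name == 'pull_request' && github.base_ref == 'release-proxy') && 'proxy-rc-pr'
              || (inputs.github-event-name == 'pull_request') && 'pr'
              || (inputs.github-event-name == 'workflow_dispatch') && 'workflow-dispatch'
              || 'unknown'
            }}
        run: |
          echo "run-kind=$RUN_KIND" | tee -a "$GITHUB_OUTPUT"

      - name: Get build tag
        id: build-tag
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # On `pull_request` runs `head_ref` is the PR's source branch name,
          # which a fork author controls. It reaches the script only through
          # the environment (never via `${{ }}` inside `run`), so it cannot
          # inject into the shell, and below it is sent as an encoded query
          # parameter rather than spliced into the URL.
          CURRENT_BRANCH: ${{ github.head_ref || github.ref_name }}
          CURRENT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
          RUN_KIND: ${{ steps.run-kind.outputs.run-kind }}
        run: |
          case $RUN_KIND in
            # Pushes to main / release branches: tag is the commit count on
            # the branch (hence the full-depth checkout above).
            push-main)
              echo "build-tag=$(git rev-list --count HEAD)" | tee -a "$GITHUB_OUTPUT"
              ;;
            storage-release)
              echo "build-tag=release-$(git rev-list --count HEAD)" | tee -a "$GITHUB_OUTPUT"
              ;;
            proxy-release)
              echo "build-tag=release-proxy-$(git rev-list --count HEAD)" | tee -a "$GITHUB_OUTPUT"
              ;;
            compute-release)
              echo "build-tag=release-compute-$(git rev-list --count HEAD)" | tee -a "$GITHUB_OUTPUT"
              ;;
            # PR runs reuse the run ID of the `Build and Test` workflow for
            # the same head commit and branch. `-X GET` makes `gh` put the
            # `-f` fields into the query string, URL-encoded; a branch name
            # containing `&` or `#` could otherwise rewrite the query.
            # NOTE(review): with `--paginate`, jq sees one document per page,
            # so `halt_error` fires as soon as a page has no match rather than
            # after all pages are checked -- presumably fine because the
            # matching run is recent; confirm.
            pr|storage-rc-pr|compute-rc-pr|proxy-rc-pr)
              BUILD_AND_TEST_RUN_ID=$(gh api --paginate -X GET \
                -H "Accept: application/vnd.github+json" \
                -H "X-GitHub-Api-Version: 2022-11-28" \
                -f head_sha="${CURRENT_SHA}" \
                -f branch="${CURRENT_BRANCH}" \
                "/repos/${GITHUB_REPOSITORY}/actions/runs" \
                | jq '[.workflow_runs[] | select(.name == "Build and Test")][0].id // ("Error: No matching workflow run found." | halt_error(1))')
              echo "build-tag=$BUILD_AND_TEST_RUN_ID" | tee -a "$GITHUB_OUTPUT"

              # RC PRs additionally get the tag the eventual release will use.
              case $RUN_KIND in
                storage-rc-pr)
                  echo "release-tag=release-$(git rev-list --count HEAD)" | tee -a "$GITHUB_OUTPUT"
                  ;;
                proxy-rc-pr)
                  echo "release-tag=release-proxy-$(git rev-list --count HEAD)" | tee -a "$GITHUB_OUTPUT"
                  ;;
                compute-rc-pr)
                  echo "release-tag=release-compute-$(git rev-list --count HEAD)" | tee -a "$GITHUB_OUTPUT"
                  ;;
              esac
              ;;
            workflow-dispatch)
              echo "build-tag=$GITHUB_RUN_ID" | tee -a "$GITHUB_OUTPUT"
              ;;
            *)
              echo "Unexpected RUN_KIND ('${RUN_KIND}'), failing to assign build-tag!"
              exit 1
          esac

      - name: Get the previous release-tags
        id: previous-releases
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # The jq script turns the release list into `key=value` lines that are
        # appended straight to GITHUB_OUTPUT. NOTE(review): that relies on
        # release tag names being single-line and maintainer-controlled;
        # confirm the script does not echo arbitrary release metadata.
        run: |
          gh api --paginate \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            "/repos/${GITHUB_REPOSITORY}/releases" \
            | jq -f .github/scripts/previous-releases.jq -r \
            | tee -a "${GITHUB_OUTPUT}"

      - name: Get the release PR run ID
        id: release-pr-run-id
        if: ${{ contains(fromJSON('["storage-release", "compute-release", "proxy-release"]'), steps.run-kind.outputs.run-kind) }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CURRENT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        # Find the `Build and Test` run for this commit that came from an
        # `rc/release[-proxy|-compute]/YYYY-MM-DD` branch. Only the first page
        # of runs is consulted (no `--paginate`), matching the original.
        run: |
          RELEASE_PR_RUN_ID=$(gh api -X GET \
            -f head_sha="${CURRENT_SHA}" \
            "/repos/${GITHUB_REPOSITORY}/actions/runs" \
            | jq '[.workflow_runs[] | select(.name == "Build and Test") | select(.head_branch | test("^rc/release(-(proxy|compute))?/[0-9]{4}-[0-9]{2}-[0-9]{2}$"; "s"))] | first | .id // ("Failed to find Build and Test run from RC PR!" | halt_error(1))')
          echo "release-pr-run-id=$RELEASE_PR_RUN_ID" | tee -a "$GITHUB_OUTPUT"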