mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-05 20:42:54 +00:00
88ea855cff
This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Harden Runner [Harden-Runner](https://github.com/step-security/harden-runner) is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without `sudo` access. See how popular open-source projects use Harden-Runner [here](https://docs.stepsecurity.io/whos-using-harden-runner). <details> <summary>Harden runner usage</summary> You can find link to view insights and policy recommendation in the build log <img src="https://github.com/step-security/harden-runner/blob/main/images/buildlog1.png?raw=true" width="60%" height="60%"> Please refer to [documentation](https://docs.stepsecurity.io/harden-runner) to find more details. </details> will fix https://github.com/neondatabase/cloud/issues/26141
139 lines
5.0 KiB
YAML
139 lines
5.0 KiB
YAML
name: Cloud Regression Test
|
|
on:
|
|
schedule:
|
|
# * is a special character in YAML so you have to quote this string
|
|
# ┌───────────── minute (0 - 59)
|
|
# │ ┌───────────── hour (0 - 23)
|
|
# │ │ ┌───────────── day of the month (1 - 31)
|
|
# │ │ │ ┌───────────── month (1 - 12 or JAN-DEC)
|
|
# │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
|
|
- cron: '45 1 * * *' # run once a day, timezone is utc
|
|
workflow_dispatch: # adds ability to run this manually
|
|
|
|
defaults:
|
|
run:
|
|
shell: bash -euxo pipefail {0}
|
|
|
|
concurrency:
|
|
# Allow only one workflow
|
|
group: ${{ github.workflow }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
id-token: write # aws-actions/configure-aws-credentials
|
|
statuses: write
|
|
contents: write
|
|
|
|
jobs:
|
|
regress:
|
|
env:
|
|
POSTGRES_DISTRIB_DIR: /tmp/neon/pg_install
|
|
TEST_OUTPUT: /tmp/test_output
|
|
BUILD_TYPE: remote
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
pg-version: [16, 17]
|
|
|
|
runs-on: us-east-2
|
|
container:
|
|
image: ghcr.io/neondatabase/build-tools:pinned-bookworm
|
|
credentials:
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
options: --init
|
|
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
submodules: true
|
|
|
|
- name: Patch the test
|
|
env:
|
|
PG_VERSION: ${{matrix.pg-version}}
|
|
run: |
|
|
cd "vendor/postgres-v${PG_VERSION}"
|
|
patch -p1 < "../../compute/patches/cloud_regress_pg${PG_VERSION}.patch"
|
|
|
|
- name: Generate a random password
|
|
id: pwgen
|
|
run: |
|
|
set +x
|
|
DBPASS=$(dd if=/dev/random bs=48 count=1 2>/dev/null | base64)
|
|
echo "::add-mask::${DBPASS//\//}"
|
|
echo DBPASS="${DBPASS//\//}" >> "${GITHUB_OUTPUT}"
|
|
|
|
- name: Change tests according to the generated password
|
|
env:
|
|
DBPASS: ${{ steps.pwgen.outputs.DBPASS }}
|
|
PG_VERSION: ${{matrix.pg-version}}
|
|
run: |
|
|
cd vendor/postgres-v"${PG_VERSION}"/src/test/regress
|
|
for fname in sql/*.sql expected/*.out; do
|
|
sed -i.bak s/NEON_PASSWORD_PLACEHOLDER/"'${DBPASS}'"/ "${fname}"
|
|
done
|
|
for ph in $(grep NEON_MD5_PLACEHOLDER expected/password.out | awk '{print $3;}' | sort | uniq); do
|
|
USER=$(echo "${ph}" | cut -c 22-)
|
|
MD5=md5$(echo -n "${DBPASS}${USER}" | md5sum | awk '{print $1;}')
|
|
sed -i.bak "s/${ph}/${MD5}/" expected/password.out
|
|
done
|
|
|
|
- name: Download Neon artifact
|
|
uses: ./.github/actions/download
|
|
with:
|
|
name: neon-${{ runner.os }}-${{ runner.arch }}-release-artifact
|
|
path: /tmp/neon/
|
|
prefix: latest
|
|
aws-oicd-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
|
|
|
|
- name: Create a new branch
|
|
id: create-branch
|
|
uses: ./.github/actions/neon-branch-create
|
|
with:
|
|
api_key: ${{ secrets.NEON_STAGING_API_KEY }}
|
|
project_id: ${{ vars[format('PGREGRESS_PG{0}_PROJECT_ID', matrix.pg-version)] }}
|
|
|
|
- name: Run the regression tests
|
|
uses: ./.github/actions/run-python-test-set
|
|
with:
|
|
build_type: ${{ env.BUILD_TYPE }}
|
|
test_selection: cloud_regress
|
|
pg_version: ${{matrix.pg-version}}
|
|
extra_params: -m remote_cluster
|
|
aws-oicd-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
|
|
env:
|
|
BENCHMARK_CONNSTR: ${{steps.create-branch.outputs.dsn}}
|
|
|
|
- name: Delete branch
|
|
if: always()
|
|
uses: ./.github/actions/neon-branch-delete
|
|
with:
|
|
api_key: ${{ secrets.NEON_STAGING_API_KEY }}
|
|
project_id: ${{ vars[format('PGREGRESS_PG{0}_PROJECT_ID', matrix.pg-version)] }}
|
|
branch_id: ${{steps.create-branch.outputs.branch_id}}
|
|
|
|
- name: Create Allure report
|
|
id: create-allure-report
|
|
if: ${{ !cancelled() }}
|
|
uses: ./.github/actions/allure-report-generate
|
|
with:
|
|
aws-oicd-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
|
|
|
|
- name: Post to a Slack channel
|
|
if: ${{ github.event.schedule && failure() }}
|
|
uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
|
|
with:
|
|
channel-id: ${{ vars.SLACK_ON_CALL_QA_STAGING_STREAM }}
|
|
slack-message: |
|
|
Periodic pg_regress on staging: ${{ job.status }}
|
|
<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub Run>
|
|
<${{ steps.create-allure-report.outputs.report-url }}|Allure report>
|
|
env:
|
|
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
|
|
|