mirror of
https://github.com/neondatabase/neon.git
synced 2026-07-07 22:20:36 +00:00
This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Harden Runner [Harden-Runner](https://github.com/step-security/harden-runner) is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without `sudo` access. See how popular open-source projects use Harden-Runner [here](https://docs.stepsecurity.io/whos-using-harden-runner). <details> <summary>Harden runner usage</summary> You can find link to view insights and policy recommendation in the build log <img src="https://github.com/step-security/harden-runner/blob/main/images/buildlog1.png?raw=true" width="60%" height="60%"> Please refer to [documentation](https://docs.stepsecurity.io/harden-runner) to find more details. </details> will fix https://github.com/neondatabase/cloud/issues/26141
110 lines
4.1 KiB
YAML
110 lines
4.1 KiB
YAML
name: Push images to Container Registry
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
# Example: {"docker.io/neondatabase/neon:13196061314":["${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/neon:13196061314","neoneastus2.azurecr.io/neondatabase/neon:13196061314"]}
|
|
image-map:
|
|
description: JSON map of images, mapping from a source image to an array of target images that should be pushed.
|
|
required: true
|
|
type: string
|
|
aws-region:
|
|
description: AWS region to log in to. Required when pushing to ECR.
|
|
required: false
|
|
type: string
|
|
aws-account-id:
|
|
description: AWS account ID to log in to for pushing to ECR. Required when pushing to ECR.
|
|
required: false
|
|
type: string
|
|
aws-role-to-assume:
|
|
description: AWS role to assume to for pushing to ECR. Required when pushing to ECR.
|
|
required: false
|
|
type: string
|
|
azure-client-id:
|
|
description: Client ID of Azure managed identity or Entra app. Required when pushing to ACR.
|
|
required: false
|
|
type: string
|
|
azure-subscription-id:
|
|
description: Azure subscription ID. Required when pushing to ACR.
|
|
required: false
|
|
type: string
|
|
azure-tenant-id:
|
|
description: Azure tenant ID. Required when pushing to ACR.
|
|
required: false
|
|
type: string
|
|
acr-registry-name:
|
|
description: ACR registry name. Required when pushing to ACR.
|
|
required: false
|
|
type: string
|
|
|
|
permissions: {}
|
|
|
|
defaults:
|
|
run:
|
|
shell: bash -euo pipefail {0}
|
|
|
|
jobs:
|
|
push-to-container-registry:
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
id-token: write # Required for aws/azure login
|
|
packages: write # required for pushing to GHCR
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
sparse-checkout: .github/scripts/push_with_image_map.py
|
|
sparse-checkout-cone-mode: false
|
|
|
|
- name: Print image-map
|
|
run: echo '${{ inputs.image-map }}' | jq
|
|
|
|
- name: Configure AWS credentials
|
|
if: contains(inputs.image-map, 'amazonaws.com/')
|
|
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
|
with:
|
|
aws-region: "${{ inputs.aws-region }}"
|
|
role-to-assume: "arn:aws:iam::${{ inputs.aws-account-id }}:role/${{ inputs.aws-role-to-assume }}"
|
|
role-duration-seconds: 3600
|
|
|
|
- name: Login to ECR
|
|
if: contains(inputs.image-map, 'amazonaws.com/')
|
|
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
|
|
with:
|
|
registries: "${{ inputs.aws-account-id }}"
|
|
|
|
- name: Configure Azure credentials
|
|
if: contains(inputs.image-map, 'azurecr.io/')
|
|
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # @v2.1.1
|
|
with:
|
|
client-id: ${{ inputs.azure-client-id }}
|
|
subscription-id: ${{ inputs.azure-subscription-id }}
|
|
tenant-id: ${{ inputs.azure-tenant-id }}
|
|
|
|
- name: Login to ACR
|
|
if: contains(inputs.image-map, 'azurecr.io/')
|
|
run: |
|
|
az acr login --name=${{ inputs.acr-registry-name }}
|
|
|
|
- name: Login to GHCR
|
|
if: contains(inputs.image-map, 'ghcr.io/')
|
|
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Log in to Docker Hub
|
|
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
|
|
with:
|
|
username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
|
|
|
|
- name: Copy docker images to target registries
|
|
run: python3 .github/scripts/push_with_image_map.py
|
|
env:
|
|
IMAGE_MAP: ${{ inputs.image-map }}
|