Skip to content

Commit

Permalink
[release-20.0] Security improvements to GitHub Actions (#17520) (#17530)
Browse files Browse the repository at this point in the history 
Signed-off-by: Florent Poinsard <[email protected]>
Co-authored-by: Florent Poinsard <[email protected]>
  • Loading branch information
@vitess-bot @frouioui
vitess-bot[bot] and frouioui authored Jan 16, 2025
1 parent 192fa94 commit d9fed2f
Show file tree
Hide file tree
Showing 104 changed files with 913 additions and 511 deletions.
28 changes: 18 additions & 10 deletions .github/workflows/assign_milestone.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,9 @@ on:
pull_request_target:
types: [opened]

permissions: read-all
permissions:
pull-requests: write
contents: read

env:
GH_TOKEN: ${{ github.token }}
Expand All @@ -13,18 +15,24 @@ jobs:
build:
name: Assign Milestone
runs-on: ubuntu-24.04
permissions:
pull-requests: write

steps:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.22.10

- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# We must explicitly checkout the base's SHA to avoid executing any code coming from
# the PR's SHA - Which would be executed in the base branch's context.
# This is really important to limit any sort of pwn requests.
ref: ${{ github.base_ref }}
persist-credentials: 'false'

- name: Assign Milestone
run: |
gh pr edit ${{ github.event.number }} --milestone "v$(sed -n 's/.*versionName.*\"\([[:digit:]\.]*\).*\"/\1/p' ./go/vt/servenv/version.go)"
# Ensure the content we sed from version.go is sanitized and match the correct format
VERSION=$(sed -n 's/.*versionName.*\"\([[:digit:]\.]*\).*\"/\1/p' ./go/vt/servenv/version.go)
if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Invalid version format: $VERSION"
exit 1
fi
gh pr edit ${{ github.event.number }} --milestone "v$VERSION"
5 changes: 4 additions & 1 deletion .github/workflows/auto_approve_pr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,10 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: 'false'

- name: Auto Approve Pull Request
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down
8 changes: 5 additions & 3 deletions .github/workflows/check_make_vtadmin_authz_testgen.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,13 @@ jobs:
- name: Check out code
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: 'false'

- name: Check for changes in relevant files
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: dorny/[email protected]
uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
id: changes
with:
token: ''
Expand All @@ -47,7 +49,7 @@ jobs:
- '.github/workflows/check_make_vtadmin_authz_testgen.yml'
- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.vtadmin_changes == 'true'
with:
go-version: 1.22.10
Expand Down
10 changes: 6 additions & 4 deletions .github/workflows/check_make_vtadmin_web_proto.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,13 @@ jobs:
- name: Check out code
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: 'false'

- name: Check for changes in relevant files
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: dorny/[email protected]
uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
id: changes
with:
token: ''
Expand All @@ -49,14 +51,14 @@ jobs:
- '.github/workflows/check_make_vtadmin_web_proto.yml'
- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.proto_changes == 'true'
with:
go-version: 1.22.10

- name: Setup Node
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.proto_changes == 'true'
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
# node-version should match package.json
node-version: '20.12.2'
Expand Down
14 changes: 9 additions & 5 deletions .github/workflows/cluster_endtoend_12.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ env:

jobs:
build:
timeout-minutes: 60
name: Run endtoend tests on Cluster (12)
runs-on: ubuntu-24.04

Expand Down Expand Up @@ -45,11 +46,13 @@ jobs:
- name: Check out code
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: 'false'

- name: Check for changes in relevant files
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: dorny/[email protected]
uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
id: changes
with:
token: ''
Expand All @@ -71,13 +74,13 @@ jobs:
- name: Set up Go
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
uses: actions/setup-go@v5
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: 1.22.10

- name: Set up python
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
uses: actions/setup-python@v5
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1

- name: Tune the OS
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
Expand All @@ -91,6 +94,7 @@ jobs:
- name: Get dependencies
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
timeout-minutes: 10
run: |
# Get key to latest MySQL repo
Expand Down Expand Up @@ -160,7 +164,7 @@ jobs:
- name: Test Summary
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true' && always()
uses: test-summary/action@v2
uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
with:
paths: "report.xml"
show: "fail, skip"
14 changes: 9 additions & 5 deletions .github/workflows/cluster_endtoend_13.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ env:

jobs:
build:
timeout-minutes: 60
name: Run endtoend tests on Cluster (13)
runs-on: ubuntu-24.04

Expand Down Expand Up @@ -45,11 +46,13 @@ jobs:
- name: Check out code
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: 'false'

- name: Check for changes in relevant files
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: dorny/[email protected]
uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
id: changes
with:
token: ''
Expand All @@ -71,13 +74,13 @@ jobs:
- name: Set up Go
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
uses: actions/setup-go@v5
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: 1.22.10

- name: Set up python
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
uses: actions/setup-python@v5
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1

- name: Tune the OS
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
Expand All @@ -91,6 +94,7 @@ jobs:
- name: Get dependencies
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
timeout-minutes: 10
run: |
# Get key to latest MySQL repo
Expand Down Expand Up @@ -160,7 +164,7 @@ jobs:
- name: Test Summary
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true' && always()
uses: test-summary/action@v2
uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
with:
paths: "report.xml"
show: "fail, skip"
14 changes: 9 additions & 5 deletions .github/workflows/cluster_endtoend_15.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ env:

jobs:
build:
timeout-minutes: 60
name: Run endtoend tests on Cluster (15)
runs-on: ubuntu-24.04

Expand Down Expand Up @@ -45,11 +46,13 @@ jobs:
- name: Check out code
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: 'false'

- name: Check for changes in relevant files
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: dorny/[email protected]
uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
id: changes
with:
token: ''
Expand All @@ -71,13 +74,13 @@ jobs:
- name: Set up Go
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
uses: actions/setup-go@v5
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: 1.22.10

- name: Set up python
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
uses: actions/setup-python@v5
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1

- name: Tune the OS
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
Expand All @@ -91,6 +94,7 @@ jobs:
- name: Get dependencies
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
timeout-minutes: 10
run: |
# Get key to latest MySQL repo
Expand Down Expand Up @@ -160,7 +164,7 @@ jobs:
- name: Test Summary
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true' && always()
uses: test-summary/action@v2
uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
with:
paths: "report.xml"
show: "fail, skip"
14 changes: 9 additions & 5 deletions .github/workflows/cluster_endtoend_18.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ env:

jobs:
build:
timeout-minutes: 60
name: Run endtoend tests on Cluster (18)
runs-on: ubuntu-24.04

Expand Down Expand Up @@ -45,11 +46,13 @@ jobs:
- name: Check out code
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: 'false'

- name: Check for changes in relevant files
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: dorny/[email protected]
uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
id: changes
with:
token: ''
Expand All @@ -71,13 +74,13 @@ jobs:
- name: Set up Go
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
uses: actions/setup-go@v5
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: 1.22.10

- name: Set up python
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
uses: actions/setup-python@v5
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1

- name: Tune the OS
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
Expand All @@ -91,6 +94,7 @@ jobs:
- name: Get dependencies
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
timeout-minutes: 10
run: |
# Get key to latest MySQL repo
Expand Down Expand Up @@ -165,7 +169,7 @@ jobs:
- name: Test Summary
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true' && always()
uses: test-summary/action@v2
uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
with:
paths: "report.xml"
show: "fail, skip"
14 changes: 9 additions & 5 deletions .github/workflows/cluster_endtoend_21.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ env:

jobs:
build:
timeout-minutes: 60
name: Run endtoend tests on Cluster (21)
runs-on: ubuntu-24.04

Expand Down Expand Up @@ -45,11 +46,13 @@ jobs:
- name: Check out code
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: 'false'

- name: Check for changes in relevant files
if: steps.skip-workflow.outputs.skip-workflow == 'false'
uses: dorny/[email protected]
uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
id: changes
with:
token: ''
Expand All @@ -71,13 +74,13 @@ jobs:
- name: Set up Go
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
uses: actions/setup-go@v5
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: 1.22.10

- name: Set up python
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
uses: actions/setup-python@v5
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1

- name: Tune the OS
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
Expand All @@ -91,6 +94,7 @@ jobs:
- name: Get dependencies
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true'
timeout-minutes: 10
run: |
# Get key to latest MySQL repo
Expand Down Expand Up @@ -160,7 +164,7 @@ jobs:
- name: Test Summary
if: steps.skip-workflow.outputs.skip-workflow == 'false' && steps.changes.outputs.end_to_end == 'true' && always()
uses: test-summary/action@v2
uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
with:
paths: "report.xml"
show: "fail, skip"
Loading

0 comments on commit d9fed2f

Please sign in to comment.