diff --git a/.github/workflows/copy_csp_blocks.yml b/.github/workflows/copy_csp_blocks.yml deleted file mode 100644 index eb19898a91..0000000000 --- a/.github/workflows/copy_csp_blocks.yml +++ /dev/null @@ -1,194 +0,0 @@ -name: Copy CSP Blocks -# Upon merge of a PR in which 'server/configs/application.properties' was updated... -# this workflow copies the Content Security Policy blocks to other repos, as marked by: -# start: "## START OF CSP COPY BLOCK" or "## START OF CSP ENFORCE BLOCK" (to only copy and uncomment the csp.enforce section) -# end: "## END OF CSP COPY BLOCK" or "## END OF CSP ENFORCE BLOCK" -# note: if the contents between the start/end have not changed, it's a no-op, and no PRs are pushed to the target repos - -on: - pull_request: - types: - - closed - branches: - - develop - paths: - - server/configs/application.properties - -jobs: - copy_csp: - if: github.event.pull_request.merged - runs-on: ubuntu-latest - outputs: - csp_report_on: ${{ steps.cspvars.outputs.csp_report_on }} - csp_enforce_off: ${{ steps.cspvars.outputs.csp_enforce_off }} - csp_enforce_on: ${{ steps.cspvars.outputs.csp_enforce_on }} - steps: - - name: Check Out Code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Copy CSP blocks into vars - id: cspvars - run: | - # report block, fixing report-uri for non-teamcity usage: - CSP_REPORT_ON=$( awk '/## END OF CSP REPORT BLOCK/{p=0};p;/## START OF CSP REPORT BLOCK/{p=1}' server/configs/application.properties |\ - sed 's/report-uri /report-uri https:\/\/www.labkey.org/' ) - - # enforce block, fixing report-uri for non-teamcity usage, removing useLocalBuild comment, adding upgrade-insecure-requests: - CSP_ENFORCE_OFF=$( awk '/## END OF CSP ENFORCE BLOCK/{p=0};p;/## START OF CSP ENFORCE BLOCK/{p=1}' server/configs/application.properties |\ - sed 's/^#useLocalBuild#/# /' |\ - sed '/base-uri/a# upgrade-insecure-requests ;\\' |\ - sed 's/report-uri /report-uri https:\/\/www.labkey.org/' ) - - # enforce block, uncommented: - CSP_ENFORCE_ON=$( awk '/## END OF CSP ENFORCE BLOCK/{p=0};p;/## START OF CSP ENFORCE BLOCK/{p=1}' server/configs/application.properties |\ - sed 's/^#useLocalBuild#//' |\ - sed '/base-uri/a\ upgrade-insecure-requests ;\\' |\ - sed 's/report-uri /report-uri https:\/\/www.labkey.org/' ) - - # use unique delimiter for multiline outputs: https://stackoverflow.com/a/74256214 - delimiter="$(openssl rand -hex 8)" - - echo "csp_report_on<<${delimiter}" >> "${GITHUB_OUTPUT}" - echo "$CSP_REPORT_ON" >> "${GITHUB_OUTPUT}" - echo "${delimiter}" >> "${GITHUB_OUTPUT}" - - echo "csp_enforce_off<<${delimiter}" >> "${GITHUB_OUTPUT}" - echo "$CSP_ENFORCE_OFF" >> "${GITHUB_OUTPUT}" - echo "${delimiter}" >> "${GITHUB_OUTPUT}" - - echo "csp_enforce_on<<${delimiter}" >> "${GITHUB_OUTPUT}" - echo "$CSP_ENFORCE_ON" >> "${GITHUB_OUTPUT}" - echo "${delimiter}" >> "${GITHUB_OUTPUT}" - - paste_csp_into_chef_repo: - needs: copy_csp - runs-on: ubuntu-latest - env: - csp_report_on: ${{ needs.copy_csp.outputs.csp_report_on }} - csp_enforce_off: ${{ needs.copy_csp.outputs.csp_enforce_off }} - ap_file: "cookbooks/lk_appserver/templates/default/application.properties.erb" - steps: - - name: Check out repo - uses: actions/checkout@v4 - with: - repository: LabKey/syseng-chef-server - token: ${{ secrets.TERRAFORM_TOKEN }} - - name: Paste Into Chef Repo - run: | - printf "\n\n>>>> $ap_file before I change it: <<<<\n\n" - cat $ap_file - - printf "\n\n>>>> caught csp_report_on env var: <<<<\n$csp_report_on n\n" - printf "\n\n>>>> caught csp_enforce_off env var: <<<<\n$csp_enforce_off n\n" - - printf "\n\n>>>> replacing csp blocks in $ap_file <<<<\n\n" - - python <>>> updated $ap_file: <<<<\n\n" - cat $ap_file - - git status - if [[ $(git diff-index --name-only HEAD |grep application.properties) ]]; then - printf "\n\n>>>> changes detected, so updating chef recipe version <<<<\n\n" - NEW_VER=$(grep version cookbooks/lk_appserver/metadata.rb |cut -d '"' -f 2 |awk -F. -v OFS=. '{$NF += 1 ; print}') - sed -i 's/\(version.*\)".*"/\1"'$NEW_VER'"/' cookbooks/lk_appserver/metadata.rb - sed -i 's/\(lk_appserver .*\)([0-9]*.[0-9]*.[0-9]*)/\1('$NEW_VER')/' Berksfile.lock - fi - - - name: Create Pull Request - id: cpr - uses: peter-evans/create-pull-request@v7 - with: - token: ${{ secrets.TERRAFORM_TOKEN }} - branch: fb_update_csp_per_${{ github.sha }} - title: "update CSP to match commit ${{ github.sha }}" - body: "update CSP to match commit ${{ github.sha }}" - commit-message: "update CSP to match commit ${{ github.sha }}" - add-paths: | - ${{ env.ap_file }} - cookbooks/lk_appserver/metadata.rb - Berksfile.lock - - - name: Check outputs - if: ${{ steps.cpr.outputs.pull-request-number }} - run: | - echo "Chef Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" >> $GITHUB_STEP_SUMMARY - - paste_csp_into_dockerfile_repo: - needs: copy_csp - runs-on: ubuntu-latest - env: - csp_report_on: ${{ needs.copy_csp.outputs.csp_report_on }} - csp_enforce_on: ${{ needs.copy_csp.outputs.csp_enforce_on }} - ap_file: "application.properties" - steps: - - name: Check out repo - uses: actions/checkout@v4 - with: - repository: Labkey/Dockerfile - token: ${{ secrets.TERRAFORM_TOKEN }} - - name: Paste Into Dockerfile Repo - run: | - printf "\n\n>>>> $ap_file before I change it: <<<<\n\n" - cat $ap_file - - printf "\n\n>>>> caught csp_report_on env var: <<<<\n$csp_report_on n\n" - printf "\n\n>>>> caught csp_enforce_on env var:<<<<\n$csp_enforce_on\n\n" - - printf "\n\n>>>> replacing csp block in $ap_file <<<<\n\n" - - python <>>> updated $ap_file: <<<<\n\n" - cat $ap_file - - - name: Create Pull Request - id: cpr - uses: peter-evans/create-pull-request@v7 - with: - token: ${{ secrets.TERRAFORM_TOKEN }} - branch: fb_update_csp_per_${{ github.sha }} - title: "update CSP to match commit ${{ github.sha }}" - body: "update CSP to match commit ${{ github.sha }}" - commit-message: "update CSP to match commit ${{ github.sha }}" - add-paths: ${{ env.ap_file }} - - - name: Check outputs - if: ${{ steps.cpr.outputs.pull-request-number }} - run: | - echo "Dockerfile Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" >> $GITHUB_STEP_SUMMARY