Tracking pull request to merge release-0.5.0 to main #455
kuanfandevops wants to merge 27 commits into main from release-0.5.0
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
| name: Calculate pre-release number | ||
| runs-on: ubuntu-latest | ||
|
|
||
| outputs: | ||
| output1: ${{ steps.set-pre-release.outputs.PRE_RELEASE }} | ||
|
|
||
| steps: | ||
| - id: set-pre-release | ||
| run: echo "PRE_RELEASE=$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT | ||
|
|
||
| build: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 6 months ago
To fix the problem, you should add a permissions block to the workflow YAML file. The best practice is to add it at the top level of the workflow, so it applies to all jobs unless overridden. The minimal starting point is to set contents: read, which allows jobs to read repository contents but not write. If any job requires additional permissions (such as writing to issues or pull requests), you can add those as needed. In this case, based on the provided jobs, it appears that only read access to repository contents is required, so contents: read is sufficient. The change should be made near the top of the file, after the name: and before the on: block.
| @@ -4,2 +4,5 @@ | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: |
| name: Build CTHUB | ||
| runs-on: ubuntu-latest | ||
| needs: set-pre-release | ||
| timeout-minutes: 60 | ||
|
|
||
| env: | ||
| PRE_RELEASE: ${{ needs.set-pre-release.outputs.output1 }} | ||
|
|
||
| steps: | ||
|
|
||
| - name: Check out repository | ||
| uses: actions/checkout@v4.1.1 | ||
|
|
||
| - name: Log in to Openshift | ||
| uses: redhat-actions/oc-login@v1.3 | ||
| with: | ||
| openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} | ||
| openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | ||
| insecure_skip_tls_verify: true | ||
| namespace: ${{ env.TOOLS_NAMESPACE }} | ||
|
|
||
| - name: Build CTHUB Backend | ||
| run: | | ||
| cd openshift/templates/backend | ||
| oc process -f ./backend-bc-docker.yaml NAME=cthub SUFFIX=-${{ env.VERSION }}-${{ env.PRE_RELEASE }} VERSION=${{ env.VERSION }}-${{ env.PRE_RELEASE }} GIT_URL=${{ env.GIT_URL }} GIT_REF=release-${{ env.VERSION }} | oc apply --wait=true -f - -n ${{ env.TOOLS_NAMESPACE }} | ||
| sleep 5s | ||
| oc -n ${{ env.TOOLS_NAMESPACE }} wait --for=condition=Complete --timeout=900s build/cthub-backend-${{ env.VERSION }}-${{ env.PRE_RELEASE }}-1 | ||
| oc tag ${{ env.TOOLS_NAMESPACE }}/cthub-backend:${{ env.VERSION }}-${{ env.PRE_RELEASE }} ${{ env.DEV_NAMESPACE }}/cthub-backend:${{ env.VERSION }}-${{ env.PRE_RELEASE }} | ||
|
|
||
| deploy: |
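Review bot: the `Log in to Openshift` step sets `insecure_skip_tls_verify: true` while sending `${{ secrets.OPENSHIFT_TOKEN }}` to `${{ secrets.OPENSHIFT_SERVER }}`; with certificate verification off, the token is exposed to anyone able to intercept that connection. Suggest removing the flag and supplying the cluster's CA to the login action instead, so the server is verified before the token is sent.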
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 6 months ago
To fix the problem, add a permissions block to the workflow file. The most secure approach is to set the permissions at the workflow level (top-level), which applies to all jobs unless overridden. Since the jobs in this workflow do not appear to require any write access to the repository (no steps push code, create PRs, etc.—the only commented-out section that would require write access is currently disabled), the minimal permission required is contents: read. This will ensure the GITHUB_TOKEN can only read repository contents, not write or perform other privileged actions. The permissions block should be added after the name field and before on:.
| @@ -3,2 +3,4 @@ | ||
| name: CTHUB Replace DC on Dev | ||
| permissions: | ||
| contents: read | ||
|
|
| name: Deploy CTHUB on Dev | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 60 | ||
| needs: [set-pre-release, build] | ||
|
|
||
| env: | ||
| PRE_RELEASE: ${{ needs.set-pre-release.outputs.output1 }} | ||
|
|
||
| steps: | ||
|
|
||
| - name: Checkout Manifest repository | ||
| uses: actions/checkout@v4.1.1 | ||
| with: | ||
| repository: bcgov-c/tenant-gitops-30b186 | ||
| ref: main | ||
| ssh-key: ${{ secrets.MANIFEST_REPO_DEPLOY_KEY }} | ||
|
|
||
| - name: Update tags | ||
| uses: mikefarah/yq@v4.40.5 | ||
| with: | ||
| cmd: | | ||
| yq -i '.backend.image.tag = "${{ env.VERSION }}-${{ env.PRE_RELEASE }}"' cthub/values-dev.yaml | ||
|
|
||
| # - name: GitHub Commit & Push | ||
| # run: | | ||
| # git config --global user.email "actions@github.com" | ||
| # git config --global user.name "GitHub Actions" | ||
| # git add cthub/values-dev.yaml | ||
| # git commit -m "Update the image tag to ${{ env.VERSION }}-${{ env.PRE_RELEASE }} on Dev" | ||
| # git push | ||
|
|
||
| - name: Log in to Openshift | ||
| uses: redhat-actions/oc-login@v1.3 | ||
| with: | ||
| openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} | ||
| openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | ||
| insecure_skip_tls_verify: true | ||
| namespace: ${{ env.TOOLS_NAMESPACE }} | ||
|
|
||
| - name: Tag and deploy to Prod | ||
| run: | | ||
| helm -n ${{ env.PROD_NAMESPACE }} list | ||
| oc tag ${{ env.DEV_NAMESPACE }}/tfrs-backend:${{ env.BUILD_SUFFIX }} ${{ env.PROD_NAMESPACE }}/tfrs-backend:${{ env.BUILD_SUFFIX }} | ||
|
|
||
| - name: Helm Deployment | ||
| run: | | ||
| cd tfrs/charts/backend | ||
| helm -n ${{ env.PROD_NAMESPACE }} -f ./values-dev.yaml upgrade --install cthub-dev-backend . \ | ||
| --set podAnnotations.rolloutTriggered="A$(date +%s)E" |
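Review bot: the `Tag and deploy to Prod` and `Helm Deployment` steps do not belong to this job as written. The job is `Deploy CTHUB on Dev`, yet these steps tag `tfrs-backend:${{ env.BUILD_SUFFIX }}` from `DEV_NAMESPACE` into `${{ env.PROD_NAMESPACE }}` and run helm from `tfrs/charts/backend`, while every other step in the workflow uses `cthub-backend` with `${{ env.VERSION }}-${{ env.PRE_RELEASE }}`, and the `Update tags` step edits `cthub/values-dev.yaml` in the checked-out `bcgov-c/tenant-gitops-30b186` repository. That edited file is neither committed (the push step is commented out) nor read by helm, which loads `./values-dev.yaml` from `tfrs/charts/backend`. Suggest replacing these two steps with ones that promote the `cthub-backend` tag produced by the build job and deploy from the cthub chart, or dropping them until the dev deployment path is settled; a step that tags into the prod namespace from a dev job should not stay in by accident.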
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 6 months ago
To fix the problem, add a permissions block to the workflow YAML file. The block should be placed at the top level (before jobs:) to apply to all jobs, unless a job needs more specific permissions. Since the workflow only checks out code and does not push changes (the push step is commented out), the minimal required permission is contents: read. If in the future the commented-out git push step is enabled, you may need to add contents: write or pull-requests: write, but for now, contents: read is sufficient. The change should be made near the top of the file, after the name: and before on:.
| @@ -4,2 +4,5 @@ | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: |
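Review bot: the inserted `permissions: contents: read` is the right baseline, but the suggestion that re-enabling the commented-out push would require `contents: write` does not apply to this workflow. That push targets `bcgov-c/tenant-gitops-30b186`, which is checked out with `ssh-key: ${{ secrets.MANIFEST_REPO_DEPLOY_KEY }}`, so it authenticates with the deploy key rather than `GITHUB_TOKEN`; `contents: read` can stay even if the push step comes back, and widening the token would grant write access to this repository for no benefit.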
* Django command file to decode vins
* decoding command
* small change
* remove previous script
---------
Co-authored-by: julianforeman <julianforeman@me.com>
* initial commit
* add max_rss setting to django-q configuration
* remove decoding command
* small change
* Added file permissions to node_modules
* Remove volume in docker-compose
* chore: updates for local development
* small fix
| name: Push dependent images to Artifactory | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Install skopeo | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y skopeo | ||
|
|
||
| - name: Login to Artifactory | ||
| run: | | ||
| set -euo pipefail | ||
| AUTH_CURL_FLAGS=(-H "X-JFrog-Art-Api: ${ARTIFACTORY_API_KEY}") | ||
| AUTH_PASSWORD="${ARTIFACTORY_API_KEY}" | ||
|
|
||
| curl -fsS "${AUTH_CURL_FLAGS[@]}" \ | ||
| "https://${ARTIFACTORY_REGISTRY}/artifactory/api/system/ping" | ||
| REPO_INFO="$(curl -fsS "${AUTH_CURL_FLAGS[@]}" \ | ||
| "https://${ARTIFACTORY_REGISTRY}/artifactory/api/repositories/${ARTIFACTORY_REPO}")" | ||
| echo "${REPO_INFO}" | tr -d '\n' | grep -Eq '"packageType"[[:space:]]*:[[:space:]]*"docker"' || \ | ||
| { echo "Repo ${ARTIFACTORY_REPO} is not a Docker repo."; exit 1; } | ||
| echo "${REPO_INFO}" | tr -d '\n' | grep -Eq '"rclass"[[:space:]]*:[[:space:]]*"(local|virtual|federated)"' || \ | ||
| { echo "Repo ${ARTIFACTORY_REPO} must be local or virtual or federated."; exit 1; } | ||
| skopeo login --authfile /tmp/artifactory-auth.json \ | ||
| --username "${ARTIFACTORY_USERNAME}" \ | ||
| --password "${AUTH_PASSWORD}" \ | ||
| "${ARTIFACTORY_REGISTRY}" | ||
|
|
||
| - name: Copy Metabase image from Docker Hub | ||
| run: | | ||
| set -euo pipefail | ||
| echo "Pushing Metabase image" | ||
| skopeo copy --src-tls-verify=true --dest-tls-verify=true \ | ||
| --dest-authfile /tmp/artifactory-auth.json \ | ||
| "docker://metabase/metabase:${METABASE_IMAGE_TAG}" \ | ||
| "docker://${ARTIFACTORY_REGISTRY}/${ARTIFACTORY_REPO}/cthub/prod/metabase/metabase:${METABASE_IMAGE_TAG}" |
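Review bot: the `Copy Metabase image from Docker Hub` step copies `metabase/metabase:${METABASE_IMAGE_TAG}` by tag only, so what lands in Artifactory depends on whatever Docker Hub serves for that tag at run time and cannot be traced back to a specific image afterwards. Suggest recording the resolved digest (for example with `skopeo copy --digestfile`) and pinning to `metabase/metabase@sha256:<digest>` once it is known, so reruns are reproducible and a tag moved upstream is noticed rather than silently promoted to the `cthub/prod` path.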
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 20 days ago
In general, the fix is to add an explicit permissions block that limits the GITHUB_TOKEN to the least privileges required. Since this workflow only interacts with Artifactory and Docker Hub using secrets and does not modify the repository, it does not need any write-level GitHub permissions and probably does not even need read access beyond the default minimal scopes. A conservative and clear configuration is to set contents: read at the top level of the workflow, which will apply to the single job.
Concretely, in .github/workflows/push-dependencies-to-artifactory.yaml, add a permissions section near the top of the file (for example, after name: and before on:). Set it to contents: read, which is a common minimal baseline allowing the workflow to read repository contents if ever needed, while avoiding write permissions. No other code, steps, imports, or secrets handling need to change, and existing functionality will stay the same except for reduced token capabilities.
| @@ -1,5 +1,8 @@ | ||
| name: Push Dependent Images to Artifactory | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
No description provided.