Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
107 changes: 107 additions & 0 deletions .github/workflows/build-wavefront-celery_worker-develop.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
name: (Develop) Build and Push Wavefront Celery Worker app to AWS, GCP and Azure

on:
workflow_dispatch:

env:
Comment on lines +3 to +6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set minimal GITHUB_TOKEN permissions.

The workflow only needs repository read access for checkout, so add an explicit top-level permission block.

Suggested permission block
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
on:
workflow_dispatch:
env:
on:
workflow_dispatch:
permissions:
contents: read
env:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 3
- 6, The workflow currently relies on default token scopes, but it only needs
read access for checkout. Add an explicit top-level permissions block to the
workflow and set the GITHUB_TOKEN scope to the minimum required, locating the
change near the workflow_dispatch and env section in the workflow file.

Source: Linters/SAST tools

PROJECT_ID: aesy-330511
GCP_REGION: asia-south1
GAR_LOCATION: asia-south1-docker.pkg.dev/aesy-330511/root-hub
IMAGE_NAME: wavefront-celery_worker

AWS_REGION: ap-south-1
ECR_REGISTRY: 025066241490.dkr.ecr.ap-south-1.amazonaws.com
ECR_REPOSITORY: rootflo/wavefront-celery_worker

ACR_REGISTRY_NAME: rootflo
ACR_REGISTRY: rootflo.azurecr.io
ACR_REPOSITORY: wavefront-celery_worker

jobs:
build-push-artifact:
runs-on: ubuntu-latest
Comment on lines +20 to +22

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Gate this develop publish job to the develop ref.

This workflow is named/scoped as a develop build, but a manual dispatch can otherwise publish an image from a non-develop ref into the same registries.

Suggested guard
 jobs:
   build-push-artifact:
+    if: github.ref == 'refs/heads/develop'
     runs-on: ubuntu-latest
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
jobs:
build-push-artifact:
runs-on: ubuntu-latest
jobs:
build-push-artifact:
if: github.ref == 'refs/heads/develop'
runs-on: ubuntu-latest
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 20
- 22, The build-push-artifact job in the develop workflow is not restricted to
the develop branch, so a manual dispatch can publish from the wrong ref. Add an
appropriate ref guard to this job or workflow so it only runs when the current
ref is develop, using the existing build-push-artifact job name and the
workflow’s ref-based condition to gate publishing.


steps:
- name: "Checkout"
uses: "actions/checkout@v3"
Comment on lines +25 to +26

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
workflow="$(fd -p 'build-wavefront-celery_worker-develop.yaml' .github/workflows | head -n1)"
rg -n 'actions/checkout@v3|google-github-actions/(auth|setup-gcloud)`@v1`|persist-credentials' "$workflow"
if command -v actionlint >/dev/null; then actionlint "$workflow"; fi

Repository: rootflo/wavefront

Length of output: 2311


🏁 Script executed:

#!/bin/bash
set -euo pipefail

workflow=".github/workflows/build-wavefront-celery_worker-develop.yaml"

echo '--- file outline ---'
ast-grep outline "$workflow" --view expanded || true

echo '--- relevant lines ---'
nl -ba "$workflow" | sed -n '1,140p'

echo '--- checkout/auth/gcloud/cache references ---'
rg -n 'checkout|auth@|setup-gcloud|cache@|persist-credentials|push|git ' "$workflow"

Repository: rootflo/wavefront

Length of output: 315


🏁 Script executed:

#!/bin/bash
set -euo pipefail

workflow=".github/workflows/build-wavefront-celery_worker-develop.yaml"

echo '--- numbered file slice ---'
awk 'NR>=1 && NR<=140 {printf "%4d  %s\n", NR, $0}' "$workflow"

echo '--- git/push-related commands ---'
rg -n 'git (push|tag|commit)|push:|persist-credentials|checkout|docker push|gcloud|auth@|setup-gcloud' "$workflow"

Repository: rootflo/wavefront

Length of output: 5382


Upgrade the workflow actions and disable checkout credentials

  • Bump actions/checkout@v3, actions/cache@v3, google-github-actions/auth@v1, and google-github-actions/setup-gcloud@v1; these majors are already flagged as unsupported.
  • Add persist-credentials: false to checkout: this job only reads the commit hash and pushes Docker images, so repo credentials aren’t used.
🧰 Tools
🪛 actionlint (1.7.12)

[error] 26-26: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 zizmor (1.26.1)

[warning] 25-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 25
- 26, Update the workflow job to use supported major versions for the existing
GitHub Actions in the build-wavefront-celery_worker-develop workflow, including
actions/checkout, actions/cache, google-github-actions/auth, and
google-github-actions/setup-gcloud. In the Checkout step, set
persist-credentials to false since this job only needs to read the commit hash
and does not use repository credentials; keep the change localized to the
checkout and related action version declarations in this workflow.

Source: Linters/SAST tools


- name: Get commit hash
id: get-commit-hash
run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)"

- name: Get timestamp
id: get-timestamp
run: echo "::set-output name=timestamp::$(date +'%Y-%m-%d-%H-%M')"
Comment on lines +28 to +34

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
workflow="$(fd -p 'build-wavefront-celery_worker-develop.yaml' .github/workflows | head -n1)"
rg -n '::set-output|GITHUB_OUTPUT' "$workflow"
if command -v actionlint >/dev/null; then actionlint "$workflow"; fi

Repository: rootflo/wavefront

Length of output: 2328


🏁 Script executed:

#!/bin/bash
set -euo pipefail
file=".github/workflows/build-wavefront-celery_worker-develop.yaml"
cat -n "$file" | sed -n '1,120p'

Repository: rootflo/wavefront

Length of output: 4910


Replace deprecated set-output commands with $GITHUB_OUTPUT. Use the environment file for both commit-hash and timestamp so steps.*.outputs.* stays supported.

🧰 Tools
🪛 actionlint (1.7.12)

[error] 30-30: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)


[error] 34-34: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 28
- 34, The GitHub Actions steps in the workflow still use the deprecated
set-output command, so update the Get commit hash and Get timestamp steps to
write commit-hash and timestamp to the $GITHUB_OUTPUT environment file instead.
Keep the same step ids (get-commit-hash and get-timestamp) and preserve the
existing outputs so any later steps referencing steps.*.outputs.* continue to
work.

Source: Linters/SAST tools


- name: Cache Docker layers
id: cache-docker-layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-docker-${{ github.sha }}
restore-keys: |
${{ runner.os }}-docker-

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build Docker Image
id: build-image
run: |
docker build -f wavefront/server/docker/celery_worker.Dockerfile -t rootflo:${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }} .
echo "IMAGE_TAG=${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }}" >> $GITHUB_ENV

- id: "Auth-to-GCP"
uses: "google-github-actions/auth@v1"
with:
credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}"

- name: "Set up Cloud SDK"
uses: "google-github-actions/setup-gcloud@v1"

- name: "Docker auth for GCP"
run: |-
gcloud auth configure-docker ${{ env.GCP_REGION }}-docker.pkg.dev --quiet

- name: Tag and push image to GCP Artifact Registry
run: |
docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
docker push ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}

# Configure AWS credentials and push to ECR
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}

- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1

- name: Tag and push image to Amazon ECR
run: |
docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
docker push ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}

# Configure Azure credentials and push to ACR
- name: Login to Azure
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}

- name: Docker auth for Azure ACR
run: az acr login --name ${{ env.ACR_REGISTRY_NAME }}

- name: Tag and push image to Azure Container Registry
run: |
docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }}
docker push ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }}

- name: Cleanup Docker images
run: |
docker rmi rootflo:${{ env.IMAGE_TAG }} || true
docker rmi ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} || true
docker rmi ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} || true
docker rmi ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }} || true

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Comment on lines +22 to +107
Loading