centralcloud/oncall-engine
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: update gh workflows with zizmor suggested fixes (#5523)

Browse source 
This pull request updates multiple GitHub Actions workflows to improve
security, stability, and functionality. The most notable changes include
pinning action versions to specific commit SHAs, adding validation for
branch names, and updating dependencies and configurations.

### Security Improvements:
* Added `persist-credentials: false` to `actions/checkout` steps in
`.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml`
and `.github/workflows/e2e-tests.yml` to reduce the risk of unauthorized
access to credentials.
[[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9R29)
[[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59)
* Validated branch names against a safe pattern in
`.github/workflows/linting-and-tests.yml` to prevent potential misuse of
branch names in subsequent steps.

### Stability Enhancements:
* Pinned all third-party GitHub Actions to specific commit SHAs across
various workflows to ensure consistent and predictable behavior.
Examples include
`grafana/shared-workflows/actions/build-push-to-dockerhub`,
`catchpoint/workflow-telemetry-action`, and
`actions-ecosystem/action-remove-labels`.
[[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9L37-R38)
[[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59)
[[3]](diffhunk://#diff-f93a3de9563193d65121683e6383741ac4b6aa18bdb51ba82b80497e700561cdL15-R15)
* Updated Helm-related actions in
`.github/workflows/linting-and-tests.yml` and
`.github/workflows/on-release-published.yml` to specific SHAs for better
reliability.
[[1]](diffhunk://#diff-a70d3d29c45894eeef2036c533385dbc424f9479590aaea01e62c06dc67079a1L147-R170)
[[2]](diffhunk://#diff-e95a5d3f03a1351728732657b6b150cfbbd9a9724b387226b1f99f079b1954b0L91-R91)

### Functional Updates:
* Enhanced `.github/workflows/linting-and-tests.yml` by using validated
branch references in Git commands to avoid errors caused by unsafe
branch names.
* Updated `snyk/actions/setup` in
`.github/workflows/snyk-security-scan.yml` to a specific SHA for
improved compatibility and security.

These changes collectively enhance the security, reliability, and
maintainability of the workflows.
This commit is contained in:
Matthew Thorning 2025-05-01 13:56:34 +01:00 committed by GitHub
parent dcae98b02a
commit a991fac43e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 52 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml vendored
View file

@ -26,6 +26,7 @@ jobs:
# we have one large .whl file which is referenced in the engine Dockerfile.. we need to
# fetch that file to be able to properly build the image
lfs: true
persist-credentials: false
- name: Set engine version number in settings file
if: inputs.engine_version
uses: ./.github/actions/set-engine-version-in-settings
@ -34,7 +35,7 @@ jobs:
engine_version_number: ${{ inputs.engine_version }}
settings_file_path: engine/settings/base.py
- name: Build engine Docker image and push to Dockerhub
uses: grafana/shared-workflows/actions/build-push-to-dockerhub@main
uses: grafana/shared-workflows/actions/build-push-to-dockerhub@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
with:
context: engine/
push: true

8
.github/workflows/e2e-tests.yml vendored
View file

@ -45,16 +45,18 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Collect Workflow Telemetry
uses: catchpoint/workflow-telemetry-action@v2
uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 #v2.0.0
with:
comment_on_pr: false
proc_trace_chart_show: false
proc_trace_table_show: false
- name: Install Kind
uses: helm/kind-action@v1.10.0
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde #v1.10.0
with:
config: ./dev/kind.yml
install_only: true
@ -121,7 +123,7 @@ jobs:
- name: Get Vault secrets
if: inputs.run-expensive-tests
id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
with:
repo_secrets: |
GH_APP_ID=github-app:app-id

33
.github/workflows/linting-and-tests.yml vendored
View file

@ -23,7 +23,7 @@ jobs:
install-dependencies: "false"
- name: Install frontend dependencies
uses: ./.github/actions/install-frontend-dependencies
- uses: pre-commit/action@v3.0.1
- uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd #v3.0.1
lint-test-and-build-frontend:
name: "Lint, test, and build frontend"
@ -101,14 +101,37 @@ jobs:
# Checkout the head commit of the PR
ref: ${{ github.event.pull_request.head.sha }}
- name: Extract and validate base ref
id: extract_base_ref
shell: bash
env:
BASE_REF: ${{ github.event.pull_request.base.ref }}
run: |
# Validate against safe pattern (alphanumeric, underscore, dash, dot, and forward slash only)
if [[ ! "${BASE_REF}" =~ ^[a-zA-Z0-9_/.-]+$ ]]; then
echo "Invalid branch name pattern detected"
exit 1
fi
# Store validated ref for later steps
echo "base_ref=${BASE_REF}" >> $GITHUB_OUTPUT
- name: Fetch base branch
run: git fetch origin ${{ github.event.pull_request.base.ref }}:${{ github.event.pull_request.base.ref }}
shell: bash
run: |
# Use validated ref
SAFE_REF="${{ steps.extract_base_ref.outputs.base_ref }}"
git fetch origin "${SAFE_REF}:refs/remotes/origin/${SAFE_REF}"
- name: Check for RemoveField in Migrations
# yamllint disable rule:line-length
shell: bash
run: |
# Get the list of files changed in the PR
git diff --name-only ${{ github.event.pull_request.base.ref }}...${{ github.event.pull_request.head.sha }} > changed_files.txt
# Use validated ref
SAFE_REF="${{ steps.extract_base_ref.outputs.base_ref }}"
HEAD_SHA="${{ github.event.pull_request.head.sha }}"
# Get the list of files changed in the PR using validated refs
git diff --name-only "refs/remotes/origin/${SAFE_REF}...${HEAD_SHA}" > changed_files.txt
# Filter for migration files
grep -E '^.*/migrations/.*\.py$' changed_files.txt > migration_files.txt || true
@ -144,7 +167,7 @@ jobs:
steps:
- name: Checkout project
uses: actions/checkout@v4
- uses: azure/setup-helm@v4.2.0
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 #v4.2.0
with:
version: v3.8.0
- name: Install helm unittest plugin

2
.github/workflows/on-issue-closed.yml vendored
View file

@ -12,6 +12,6 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Remove "needs triage" label
uses: actions-ecosystem/action-remove-labels@v1.3.0
uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 #v1.3.0
with:
labels: needs triage

10
.github/workflows/on-issue-creation.yml vendored
View file

@ -16,7 +16,7 @@ jobs:
- uses: actions/checkout@v2
- name: Get latest version tag
id: get-latest-tag
uses: actions-ecosystem/action-get-latest-tag@v1
uses: actions-ecosystem/action-get-latest-tag@b7c32daec3395a9616f88548363a42652b22d435 #v1.6.0
with:
semver_only: true
- name: Add latest version comment
@ -37,7 +37,7 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Add "needs triage" label
uses: actions-ecosystem/action-add-labels@v1
uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf #v1.1.3
with:
labels: needs triage
@ -54,14 +54,14 @@ jobs:
steps:
- uses: actions/checkout@v2
- id: issue-form-values
uses: stefanbuck/github-issue-parser@v3
uses: stefanbuck/github-issue-parser@2ea9b35a8c584529ed00891a8f7e41dc46d0441e #v3.2.1
- run: echo $JSON_STRING
env:
JSON_STRING: ${{ steps.issue-form-values.outputs.jsonString }}
- name: Map mobile app product area to appropriate assignees
uses: actions-ecosystem/action-add-assignees@v1
uses: actions-ecosystem/action-add-assignees@ce5019e63cc4f35aba27308dc88d19c8f3686747 #v1.0.0
if: contains(steps.issue-form-values.outputs.issueparser_product_area, 'Mobile App')
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
@ -70,7 +70,7 @@ jobs:
dieterbe
- name: Map selected product area(s) to issue labels
uses: actions-ecosystem/action-add-labels@v1
uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf #v1.1.3
# github actions have a weird ternary operator, see below for more details
# https://docs.github.com/en/actions/learn-github-actions/expressions#literals:~:text=GitHub%20offers%20ternary%20operator%20like%20behaviour%20that%20you%20can%20use%20in%20expressions
with:

12
.github/workflows/on-release-published.yml vendored
View file

@ -27,7 +27,7 @@ jobs:
uses: ./.github/actions/install-frontend-dependencies
# This will fetch the secret keys from vault and set them as environment variables for subsequent steps
- name: Get Vault secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
with:
repo_secrets: |
GRAFANA_ACCESS_POLICY_TOKEN=grafana_cloud_access_policy_token:value
@ -38,11 +38,11 @@ jobs:
with:
plugin_version_number: ${{ github.ref_name }}
- name: Authenticate with GCS
uses: google-github-actions/auth@v2
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f #v2.1.7
with:
credentials_json: ${{ env.GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON }}
- name: Publish plugin artifact to GCS
uses: google-github-actions/upload-cloud-storage@v2
uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 #v2.2.1
with:
path: grafana-plugin/${{ steps.build-sign-and-package-plugin.outputs.artifact_filename }}
destination: grafana-oncall-app/releases
@ -88,7 +88,7 @@ jobs:
echo version="${GITHUB_REF_NAME:1}" >> $GITHUB_OUTPUT
- name: Update oncall Helm chart Chart.yaml
id: update-helm-chart-pr
uses: fjogeleit/yaml-update-action@v0.12.3
uses: fjogeleit/yaml-update-action@d98ee6a10a971effea75480e3f315e4dacc89a23 #v0.12.3
with:
valueFile: helm/oncall/Chart.yaml
branch: helm-release/${{ steps.prepare-version-tags.outputs.version }}
@ -120,7 +120,7 @@ jobs:
contents: read
steps:
- name: Get Vault secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
with:
repo_secrets: |
GH_APP_ID=github-app:app-id
@ -134,7 +134,7 @@ jobs:
private-key: ${{ env.GH_APP_PRIVATE_KEY }}
- name: Merge pull Request
uses: juliangruber/merge-pull-request-action@v1
uses: juliangruber/merge-pull-request-action@d4773803fdc1d1fd46801ab0c56c135df9075de8 #v1.1.1
with:
github-token: ${{ steps.generate-token.outputs.token }}
number: ${{ needs.create-helm-release-pr.outputs.helm_release_pr_number }}

2
.github/workflows/publish-technical-documentation-next.yml vendored
View file

@ -16,6 +16,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1
- uses: grafana/writers-toolkit/publish-technical-documentation@39cdc38767184996e25d611923f8ce697e33bc70 #publish-technical-documentation/v1.2.0
with:
website_directory: content/docs/oncall/next

2
.github/workflows/publish-technical-documentation-release.yml vendored
View file

@ -20,7 +20,7 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2
- uses: grafana/writers-toolkit/publish-technical-documentation-release@8cc658b604c6e05c275af30163a1c7728dfe19b2 #publish-technical-documentation-release/v2.2.4
with:
release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"

4
.github/workflows/snyk-security-scan.yml vendored
View file

@ -24,12 +24,12 @@ jobs:
- name: Install frontend dependencies
uses: ./.github/actions/install-frontend-dependencies
- name: Get Vault secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
with:
common_secrets: |
SNYK_TOKEN=snyk_scan_github_action:token
- name: Install Snyk
uses: snyk/actions/setup@master
uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf #v0.4.0
# NOTE: on the snyk monitor and snyk test commands, we are excluding the dev and tools directories
# because we can't install the requirements.txt files of these directories alongside the main engine
# requirements.txt (some conflicting dep versions). If we realllly wanted to test these, we should do it

2
.github/workflows/update-make-docs.yml vendored
View file

@ -10,6 +10,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1
- uses: grafana/writers-toolkit/update-make-docs@f65819d6a412b752c0e0263375215f049507b0e6 #update-make-docs/v1.3.0
with:
pr_options: --label "release:ignore"