From a991fac43e63e250565d2fe2af7897cbbbc435f6 Mon Sep 17 00:00:00 2001 
From: Matthew Thorning Date: Thu, 1 May 2025 13:56:34 +0100 Subject: [PATCH] chore: update gh workflows with zizmor suggested fixes (#5523) This pull request updates multiple GitHub Actions workflows to improve security, stability, and functionality. The most notable changes include pinning action versions to specific commit SHAs, adding validation for branch names, and updating dependencies and configurations. ### Security Improvements: * Added `persist-credentials: false` to `actions/checkout` steps in `.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml` and `.github/workflows/e2e-tests.yml` to reduce the risk of unauthorized access to credentials. [[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9R29) [[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59) * Validated branch names against a safe pattern in `.github/workflows/linting-and-tests.yml` to prevent potential misuse of branch names in subsequent steps. ### Stability Enhancements: * Pinned all third-party GitHub Actions to specific commit SHAs across various workflows to ensure consistent and predictable behavior. Examples include `grafana/shared-workflows/actions/build-push-to-dockerhub`, `catchpoint/workflow-telemetry-action`, and `actions-ecosystem/action-remove-labels`. [[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9L37-R38) [[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59) [[3]](diffhunk://#diff-f93a3de9563193d65121683e6383741ac4b6aa18bdb51ba82b80497e700561cdL15-R15) * Updated Helm-related actions in `.github/workflows/linting-and-tests.yml` and `.github/workflows/on-release-published.yml` to specific SHAs for better reliability. 
[[1]](diffhunk://#diff-a70d3d29c45894eeef2036c533385dbc424f9479590aaea01e62c06dc67079a1L147-R170) [[2]](diffhunk://#diff-e95a5d3f03a1351728732657b6b150cfbbd9a9724b387226b1f99f079b1954b0L91-R91) ### Functional Updates: * Enhanced `.github/workflows/linting-and-tests.yml` by using validated branch references in Git commands to avoid errors caused by unsafe branch names. * Updated `snyk/actions/setup` in `.github/workflows/snyk-security-scan.yml` to a specific SHA for improved compatibility and security. These changes collectively enhance the security, reliability, and maintainability of the workflows. --- ...-docker-image-and-publish-to-dockerhub.yml | 3 +- .github/workflows/e2e-tests.yml | 8 +++-- .github/workflows/linting-and-tests.yml | 33 ++++++++++++++++--- .github/workflows/on-issue-closed.yml | 2 +- .github/workflows/on-issue-creation.yml | 10 +++--- .github/workflows/on-release-published.yml | 12 +++---- .../publish-technical-documentation-next.yml | 2 +- ...ublish-technical-documentation-release.yml | 2 +- .github/workflows/snyk-security-scan.yml | 4 +-- .github/workflows/update-make-docs.yml | 2 +- 10 files changed, 52 insertions(+), 26 deletions(-) diff --git a/.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml b/.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml index f5186222..a3b3d521 100644 --- a/.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml +++ b/.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml @@ -26,6 +26,7 @@ jobs: # we have one large .whl file which is referenced in the engine Dockerfile.. we need to # fetch that file to be able to properly build the image lfs: true + persist-credentials: false - name: Set engine version number in settings file if: inputs.engine_version uses: ./.github/actions/set-engine-version-in-settings 
@@ -34,7 +35,7 @@ jobs: engine_version_number: ${{ inputs.engine_version }} settings_file_path: engine/settings/base.py - name: Build engine Docker image and push to Dockerhub - uses: grafana/shared-workflows/actions/build-push-to-dockerhub@main + uses: grafana/shared-workflows/actions/build-push-to-dockerhub@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0 with: context: engine/ push: true diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 417a4d33..988b46a2 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -45,16 +45,18 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@v2 + uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 #v2.0.0 with: comment_on_pr: false proc_trace_chart_show: false proc_trace_table_show: false - name: Install Kind - uses: helm/kind-action@v1.10.0 + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde #v1.10.0 with: config: ./dev/kind.yml install_only: true @@ -121,7 +123,7 @@ jobs: - name: Get Vault secrets if: inputs.run-expensive-tests id: get-secrets - uses: grafana/shared-workflows/actions/get-vault-secrets@main + uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0 with: repo_secrets: | GH_APP_ID=github-app:app-id diff --git a/.github/workflows/linting-and-tests.yml b/.github/workflows/linting-and-tests.yml index 93fadd73..c938066b 100644 --- a/.github/workflows/linting-and-tests.yml +++ b/.github/workflows/linting-and-tests.yml @@ -23,7 +23,7 @@ jobs: install-dependencies: "false" - name: Install frontend dependencies uses: ./.github/actions/install-frontend-dependencies - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd #v3.0.1 lint-test-and-build-frontend: name: "Lint, test, and build frontend" 
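Review bot: `actions/checkout@v4` on the context line above the added `persist-credentials: false` is left on a mutable tag while the third-party actions in the same hunk (`catchpoint/workflow-telemetry-action`, `helm/kind-action`) are pinned to commit SHAs, so the pinning is not uniform within the job. The same applies to the `actions/checkout@v4` context lines in build-engine-docker-image-and-publish-to-dockerhub.yml and linting-and-tests.yml, and to `actions/checkout@v2` in on-issue-closed.yml and on-issue-creation.yml, where those checkouts also appear to keep the default credential persistence and sit on a long-superseded major version. Pinning them the way the rest of the commit does, e.g. `uses: actions/checkout@<checkout-v4-commit-sha> # v4` with `persist-credentials: false` where no later step needs the token, would make the convention consistent.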
@@ -101,14 +101,37 @@ jobs: # Checkout the head commit of the PR ref: ${{ github.event.pull_request.head.sha }} + - name: Extract and validate base ref + id: extract_base_ref + shell: bash + env: + BASE_REF: ${{ github.event.pull_request.base.ref }} + run: | + # Validate against safe pattern (alphanumeric, underscore, dash, dot, and forward slash only) + if [[ ! "${BASE_REF}" =~ ^[a-zA-Z0-9_/.-]+$ ]]; then + echo "Invalid branch name pattern detected" + exit 1 + fi + # Store validated ref for later steps + echo "base_ref=${BASE_REF}" >> $GITHUB_OUTPUT + - name: Fetch base branch - run: git fetch origin ${{ github.event.pull_request.base.ref }}:${{ github.event.pull_request.base.ref }} + shell: bash + run: | + # Use validated ref + SAFE_REF="${{ steps.extract_base_ref.outputs.base_ref }}" + git fetch origin "${SAFE_REF}:refs/remotes/origin/${SAFE_REF}" - name: Check for RemoveField in Migrations # yamllint disable rule:line-length + shell: bash run: | - # Get the list of files changed in the PR - git diff --name-only ${{ github.event.pull_request.base.ref }}...${{ github.event.pull_request.head.sha }} > changed_files.txt + # Use validated ref + SAFE_REF="${{ steps.extract_base_ref.outputs.base_ref }}" + HEAD_SHA="${{ github.event.pull_request.head.sha }}" + + # Get the list of files changed in the PR using validated refs + git diff --name-only "refs/remotes/origin/${SAFE_REF}...${HEAD_SHA}" > changed_files.txt # Filter for migration files grep -E '^.*/migrations/.*\.py$' changed_files.txt > migration_files.txt || true @@ -144,7 +167,7 @@ jobs: steps: - name: Checkout project uses: actions/checkout@v4 - - uses: azure/setup-helm@v4.2.0 + - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 #v4.2.0 with: version: v3.8.0 - name: Install helm unittest plugin diff --git a/.github/workflows/on-issue-closed.yml b/.github/workflows/on-issue-closed.yml index 8763b93c..afda00f7 100644 --- a/.github/workflows/on-issue-closed.yml 
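Review bot: The `Fetch base branch` and `Check for RemoveField in Migrations` steps re-expand the validated ref with `${{ steps.extract_base_ref.outputs.base_ref }}` (and `${{ github.event.pull_request.head.sha }}`) directly inside `run:`, which is the same template-into-shell pattern the new validation step was added to avoid; the value is validated, so the expansion is safe in practice, but it would likely still be flagged by a template-injection audit and any later loosening of the regex would silently reopen the issue. Passing both values through `env:` and reading `"$SAFE_REF"` / `"$HEAD_SHA"` keeps the scripts free of expression expansion entirely. The new step's `echo "base_ref=${BASE_REF}" >> $GITHUB_OUTPUT` should also quote the target as `"$GITHUB_OUTPUT"`. The job these steps belong to starts before the hunk.
```yaml
      - name: Fetch base branch
        shell: bash
        env:
          SAFE_REF: ${{ steps.extract_base_ref.outputs.base_ref }}
        run: |
          git fetch origin "${SAFE_REF}:refs/remotes/origin/${SAFE_REF}"
      - name: Check for RemoveField in Migrations
        # yamllint disable rule:line-length
        shell: bash
        env:
          SAFE_REF: ${{ steps.extract_base_ref.outputs.base_ref }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Get the list of files changed in the PR using validated refs
          git diff --name-only "refs/remotes/origin/${SAFE_REF}...${HEAD_SHA}" > changed_files.txt
          # … unchanged: migration file filtering …
```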
+++ b/.github/workflows/on-issue-closed.yml @@ -12,6 +12,6 @@ jobs: steps: - uses: actions/checkout@v2 - name: Remove "needs triage" label - uses: actions-ecosystem/action-remove-labels@v1.3.0 + uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 #v1.3.0 with: labels: needs triage diff --git a/.github/workflows/on-issue-creation.yml b/.github/workflows/on-issue-creation.yml index 23307322..85ebeb54 100644 --- a/.github/workflows/on-issue-creation.yml +++ b/.github/workflows/on-issue-creation.yml @@ -16,7 +16,7 @@ jobs: - uses: actions/checkout@v2 - name: Get latest version tag id: get-latest-tag - uses: actions-ecosystem/action-get-latest-tag@v1 + uses: actions-ecosystem/action-get-latest-tag@b7c32daec3395a9616f88548363a42652b22d435 #v1.6.0 with: semver_only: true - name: Add latest version comment @@ -37,7 +37,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Add "needs triage" label - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf #v1.1.3 with: labels: needs triage @@ -54,14 +54,14 @@ jobs: steps: - uses: actions/checkout@v2 - id: issue-form-values - uses: stefanbuck/github-issue-parser@v3 + uses: stefanbuck/github-issue-parser@2ea9b35a8c584529ed00891a8f7e41dc46d0441e #v3.2.1 - run: echo $JSON_STRING env: JSON_STRING: ${{ steps.issue-form-values.outputs.jsonString }} - name: Map mobile app product area to appropriate assignees - uses: actions-ecosystem/action-add-assignees@v1 + uses: actions-ecosystem/action-add-assignees@ce5019e63cc4f35aba27308dc88d19c8f3686747 #v1.0.0 if: contains(steps.issue-form-values.outputs.issueparser_product_area, 'Mobile App') with: github_token: ${{ secrets.GITHUB_TOKEN }} 
@@ -70,7 +70,7 @@ jobs: dieterbe - name: Map selected product area(s) to issue labels - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf #v1.1.3 # github actions have a weird ternary operator, see below for more details # https://docs.github.com/en/actions/learn-github-actions/expressions#literals:~:text=GitHub%20offers%20ternary%20operator%20like%20behaviour%20that%20you%20can%20use%20in%20expressions with: diff --git a/.github/workflows/on-release-published.yml b/.github/workflows/on-release-published.yml index b438a56e..fffe9af6 100644 --- a/.github/workflows/on-release-published.yml +++ b/.github/workflows/on-release-published.yml @@ -27,7 +27,7 @@ jobs: uses: ./.github/actions/install-frontend-dependencies # This will fetch the secret keys from vault and set them as environment variables for subsequent steps - name: Get Vault secrets - uses: grafana/shared-workflows/actions/get-vault-secrets@main + uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0 with: repo_secrets: | GRAFANA_ACCESS_POLICY_TOKEN=grafana_cloud_access_policy_token:value @@ -38,11 +38,11 @@ jobs: with: plugin_version_number: ${{ github.ref_name }} - name: Authenticate with GCS - uses: google-github-actions/auth@v2 + uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f #v2.1.7 with: credentials_json: ${{ env.GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON }} - name: Publish plugin artifact to GCS - uses: google-github-actions/upload-cloud-storage@v2 + uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 #v2.2.1 with: path: grafana-plugin/${{ steps.build-sign-and-package-plugin.outputs.artifact_filename }} destination: grafana-oncall-app/releases 
@@ -88,7 +88,7 @@ jobs: echo version="${GITHUB_REF_NAME:1}" >> $GITHUB_OUTPUT - name: Update oncall Helm chart Chart.yaml id: update-helm-chart-pr - uses: fjogeleit/yaml-update-action@v0.12.3 + uses: fjogeleit/yaml-update-action@d98ee6a10a971effea75480e3f315e4dacc89a23 #v0.12.3 with: valueFile: helm/oncall/Chart.yaml branch: helm-release/${{ steps.prepare-version-tags.outputs.version }} @@ -120,7 +120,7 @@ jobs: contents: read steps: - name: Get Vault secrets - uses: grafana/shared-workflows/actions/get-vault-secrets@main + uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0 with: repo_secrets: | GH_APP_ID=github-app:app-id @@ -134,7 +134,7 @@ jobs: private-key: ${{ env.GH_APP_PRIVATE_KEY }} - name: Merge pull Request - uses: juliangruber/merge-pull-request-action@v1 + uses: juliangruber/merge-pull-request-action@d4773803fdc1d1fd46801ab0c56c135df9075de8 #v1.1.1 with: github-token: ${{ steps.generate-token.outputs.token }} number: ${{ needs.create-helm-release-pr.outputs.helm_release_pr_number }} diff --git a/.github/workflows/publish-technical-documentation-next.yml b/.github/workflows/publish-technical-documentation-next.yml index 53a5b7a7..919614e5 100644 --- a/.github/workflows/publish-technical-documentation-next.yml +++ b/.github/workflows/publish-technical-documentation-next.yml @@ -16,6 +16,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 + - uses: grafana/writers-toolkit/publish-technical-documentation@39cdc38767184996e25d611923f8ce697e33bc70 #publish-technical-documentation/v1.2.0 with: website_directory: content/docs/oncall/next diff --git a/.github/workflows/publish-technical-documentation-release.yml b/.github/workflows/publish-technical-documentation-release.yml index e91b642a..e5100aac 100644 --- a/.github/workflows/publish-technical-documentation-release.yml 
+++ b/.github/workflows/publish-technical-documentation-release.yml @@ -20,7 +20,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2 + - uses: grafana/writers-toolkit/publish-technical-documentation-release@8cc658b604c6e05c275af30163a1c7728dfe19b2 #publish-technical-documentation-release/v2.2.4 with: release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$" release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$" diff --git a/.github/workflows/snyk-security-scan.yml b/.github/workflows/snyk-security-scan.yml index 0ecedc75..be970b65 100644 --- a/.github/workflows/snyk-security-scan.yml +++ b/.github/workflows/snyk-security-scan.yml @@ -24,12 +24,12 @@ jobs: - name: Install frontend dependencies uses: ./.github/actions/install-frontend-dependencies - name: Get Vault secrets - uses: grafana/shared-workflows/actions/get-vault-secrets@main + uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0 with: common_secrets: | SNYK_TOKEN=snyk_scan_github_action:token - name: Install Snyk - uses: snyk/actions/setup@master + uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf #v0.4.0 # NOTE: on the snyk monitor and snyk test commands, we are excluding the dev and tools directories # because we can't install the requirements.txt files of these directories alongside the main engine # requirements.txt (some conflicting dep versions). If we realllly wanted to test these, we should do it diff --git a/.github/workflows/update-make-docs.yml b/.github/workflows/update-make-docs.yml index bde39d31..849da751 100644 --- a/.github/workflows/update-make-docs.yml +++ b/.github/workflows/update-make-docs.yml 
@@ -10,6 +10,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1 + - uses: grafana/writers-toolkit/update-make-docs@f65819d6a412b752c0e0263375215f049507b0e6 #update-make-docs/v1.3.0 with: pr_options: --label "release:ignore"