chore: update gh workflows with zizmor suggested fixes (#5523)

This pull request updates multiple GitHub Actions workflows to improve
security, stability, and functionality. The most notable changes include
pinning action versions to specific commit SHAs, adding validation for
branch names, and updating dependencies and configurations.

### Security Improvements:
* Added `persist-credentials: false` to `actions/checkout` steps in
`.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml`
and `.github/workflows/e2e-tests.yml` to reduce the risk of unauthorized
access to credentials.
[[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9R29)
[[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59)
* Validated branch names against a safe pattern in
`.github/workflows/linting-and-tests.yml` to prevent potential misuse of
branch names in subsequent steps.

### Stability Enhancements:
* Pinned all third-party GitHub Actions to specific commit SHAs across
various workflows so that a mutable tag or branch (`@main`, `@vN`) cannot
be retargeted to different code — the primary supply-chain risk these pins
address — which also makes runs consistent and predictable.
Examples include
`grafana/shared-workflows/actions/build-push-to-dockerhub`,
`catchpoint/workflow-telemetry-action`, and
`actions-ecosystem/action-remove-labels`.
[[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9L37-R38)
[[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59)
[[3]](diffhunk://#diff-f93a3de9563193d65121683e6383741ac4b6aa18bdb51ba82b80497e700561cdL15-R15)
* Updated Helm-related actions in
`.github/workflows/linting-and-tests.yml` and
`.github/workflows/on-release-published.yml` to specific SHAs for better
reliability.
[[1]](diffhunk://#diff-a70d3d29c45894eeef2036c533385dbc424f9479590aaea01e62c06dc67079a1L147-R170)
[[2]](diffhunk://#diff-e95a5d3f03a1351728732657b6b150cfbbd9a9724b387226b1f99f079b1954b0L91-R91)

### Functional Updates:
* Enhanced `.github/workflows/linting-and-tests.yml` by using validated
branch references in Git commands to avoid errors caused by unsafe
branch names.
* Updated `snyk/actions/setup` in
`.github/workflows/snyk-security-scan.yml` to a specific SHA for
improved compatibility and security.

These changes collectively enhance the security, reliability, and
maintainability of the workflows.
This commit is contained in:
Matthew Thorning 2025-05-01 13:56:34 +01:00 committed by GitHub
parent dcae98b02a
commit a991fac43e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 52 additions and 26 deletions


@ -26,6 +26,7 @@ jobs:
# we have one large .whl file which is referenced in the engine Dockerfile.. we need to # we have one large .whl file which is referenced in the engine Dockerfile.. we need to
# fetch that file to be able to properly build the image # fetch that file to be able to properly build the image
lfs: true lfs: true
persist-credentials: false
- name: Set engine version number in settings file - name: Set engine version number in settings file
if: inputs.engine_version if: inputs.engine_version
uses: ./.github/actions/set-engine-version-in-settings uses: ./.github/actions/set-engine-version-in-settings
@ -34,7 +35,7 @@ jobs:
engine_version_number: ${{ inputs.engine_version }} engine_version_number: ${{ inputs.engine_version }}
settings_file_path: engine/settings/base.py settings_file_path: engine/settings/base.py
- name: Build engine Docker image and push to Dockerhub - name: Build engine Docker image and push to Dockerhub
uses: grafana/shared-workflows/actions/build-push-to-dockerhub@main uses: grafana/shared-workflows/actions/build-push-to-dockerhub@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
with: with:
context: engine/ context: engine/
push: true push: true
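Review bot: Nothing in this diff shows zizmor (or any other pin checker) running as a workflow, so the `@main` → SHA fixes applied to `build-push-to-dockerhub` here can silently regress the next time someone adds a `uses:` with a floating ref. A small job that runs zizmor against `.github/workflows` on every pull request, or an equivalent pre-commit hook, would make `unpinned-uses` and template-injection findings fail CI instead of waiting for the next manual sweep. The `#v0.3.0` trailer after the SHA is only a human-readable hint; a comment in the file such as `# trust is anchored on the SHA, not the version comment; bump both together` would stop a future reader from assuming the tag is what is verified.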


@ -45,16 +45,18 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Collect Workflow Telemetry - name: Collect Workflow Telemetry
uses: catchpoint/workflow-telemetry-action@v2 uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 #v2.0.0
with: with:
comment_on_pr: false comment_on_pr: false
proc_trace_chart_show: false proc_trace_chart_show: false
proc_trace_table_show: false proc_trace_table_show: false
- name: Install Kind - name: Install Kind
uses: helm/kind-action@v1.10.0 uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde #v1.10.0
with: with:
config: ./dev/kind.yml config: ./dev/kind.yml
install_only: true install_only: true
@ -121,7 +123,7 @@ jobs:
- name: Get Vault secrets - name: Get Vault secrets
if: inputs.run-expensive-tests if: inputs.run-expensive-tests
id: get-secrets id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
with: with:
repo_secrets: | repo_secrets: |
GH_APP_ID=github-app:app-id GH_APP_ID=github-app:app-id
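Review bot: `actions/checkout@v4` at the top of this section remains a mutable tag while every third-party action in the same job is now SHA-pinned; that matches zizmor's default of exempting `actions/*`, but this job also pulls GitHub App credentials from Vault (`GH_APP_ID=github-app:app-id`), so a retargeted `v4` tag would execute with those secrets reachable. Pinning it the same way (`uses: actions/checkout@<sha> # v4.x.y`) costs nothing and keeps the policy uniform across the file. Whether the newly added `persist-credentials: false` breaks a later step that relies on the default token for git operations cannot be determined from this hunk; the job's remaining steps are outside the visible range and are worth checking.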


@ -23,7 +23,7 @@ jobs:
install-dependencies: "false" install-dependencies: "false"
- name: Install frontend dependencies - name: Install frontend dependencies
uses: ./.github/actions/install-frontend-dependencies uses: ./.github/actions/install-frontend-dependencies
- uses: pre-commit/action@v3.0.1 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd #v3.0.1
lint-test-and-build-frontend: lint-test-and-build-frontend:
name: "Lint, test, and build frontend" name: "Lint, test, and build frontend"
@ -101,14 +101,37 @@ jobs:
# Checkout the head commit of the PR # Checkout the head commit of the PR
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
- name: Extract and validate base ref
id: extract_base_ref
shell: bash
env:
BASE_REF: ${{ github.event.pull_request.base.ref }}
run: |
# Validate against safe pattern (alphanumeric, underscore, dash, dot, and forward slash only)
if [[ ! "${BASE_REF}" =~ ^[a-zA-Z0-9_/.-]+$ ]]; then
echo "Invalid branch name pattern detected"
exit 1
fi
# Store validated ref for later steps
echo "base_ref=${BASE_REF}" >> $GITHUB_OUTPUT
- name: Fetch base branch - name: Fetch base branch
run: git fetch origin ${{ github.event.pull_request.base.ref }}:${{ github.event.pull_request.base.ref }} shell: bash
run: |
# Use validated ref
SAFE_REF="${{ steps.extract_base_ref.outputs.base_ref }}"
git fetch origin "${SAFE_REF}:refs/remotes/origin/${SAFE_REF}"
- name: Check for RemoveField in Migrations - name: Check for RemoveField in Migrations
# yamllint disable rule:line-length # yamllint disable rule:line-length
shell: bash
run: | run: |
# Get the list of files changed in the PR # Use validated ref
git diff --name-only ${{ github.event.pull_request.base.ref }}...${{ github.event.pull_request.head.sha }} > changed_files.txt SAFE_REF="${{ steps.extract_base_ref.outputs.base_ref }}"
HEAD_SHA="${{ github.event.pull_request.head.sha }}"
# Get the list of files changed in the PR using validated refs
git diff --name-only "refs/remotes/origin/${SAFE_REF}...${HEAD_SHA}" > changed_files.txt
# Filter for migration files # Filter for migration files
grep -E '^.*/migrations/.*\.py$' changed_files.txt > migration_files.txt || true grep -E '^.*/migrations/.*\.py$' changed_files.txt > migration_files.txt || true
@ -144,7 +167,7 @@ jobs:
steps: steps:
- name: Checkout project - name: Checkout project
uses: actions/checkout@v4 uses: actions/checkout@v4
- uses: azure/setup-helm@v4.2.0 - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 #v4.2.0
with: with:
version: v3.8.0 version: v3.8.0
- name: Install helm unittest plugin - name: Install helm unittest plugin
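Review bot: The allow-list in the new `Extract and validate base ref` step (`^[a-zA-Z0-9_/.-]+$`) accepts a ref beginning with `-`, so a value like `-f` would reach `git fetch origin "${SAFE_REF}:refs/remotes/origin/${SAFE_REF}"` as something git may parse as an option rather than a refspec; git itself refuses to create branches that start with a dash, so this is defense in depth, but the regex should encode it: `^[A-Za-z0-9_][A-Za-z0-9_./-]*$` (or place `--end-of-options` before the refspec). Separately, the `Fetch base branch` and `Check for RemoveField in Migrations` steps still splice `${{ steps.extract_base_ref.outputs.base_ref }}` and `${{ github.event.pull_request.head.sha }}` directly into `run:` scripts; the values are validated or hex here, but routing them through `env:` (`env: { SAFE_REF: ${{ steps.extract_base_ref.outputs.base_ref }} }` and reading `"$SAFE_REF"` in the script) makes safety independent of the regex and is the shape zizmor's template-injection audit expects. The `echo "base_ref=${BASE_REF}" >> $GITHUB_OUTPUT` line should quote the target as `"$GITHUB_OUTPUT"`. The migrations step continues past the end of this hunk.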


@ -12,6 +12,6 @@ jobs:
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Remove "needs triage" label - name: Remove "needs triage" label
uses: actions-ecosystem/action-remove-labels@v1.3.0 uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 #v1.3.0
with: with:
labels: needs triage labels: needs triage


@ -16,7 +16,7 @@ jobs:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Get latest version tag - name: Get latest version tag
id: get-latest-tag id: get-latest-tag
uses: actions-ecosystem/action-get-latest-tag@v1 uses: actions-ecosystem/action-get-latest-tag@b7c32daec3395a9616f88548363a42652b22d435 #v1.6.0
with: with:
semver_only: true semver_only: true
- name: Add latest version comment - name: Add latest version comment
@ -37,7 +37,7 @@ jobs:
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Add "needs triage" label - name: Add "needs triage" label
uses: actions-ecosystem/action-add-labels@v1 uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf #v1.1.3
with: with:
labels: needs triage labels: needs triage
@ -54,14 +54,14 @@ jobs:
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- id: issue-form-values - id: issue-form-values
uses: stefanbuck/github-issue-parser@v3 uses: stefanbuck/github-issue-parser@2ea9b35a8c584529ed00891a8f7e41dc46d0441e #v3.2.1
- run: echo $JSON_STRING - run: echo $JSON_STRING
env: env:
JSON_STRING: ${{ steps.issue-form-values.outputs.jsonString }} JSON_STRING: ${{ steps.issue-form-values.outputs.jsonString }}
- name: Map mobile app product area to appropriate assignees - name: Map mobile app product area to appropriate assignees
uses: actions-ecosystem/action-add-assignees@v1 uses: actions-ecosystem/action-add-assignees@ce5019e63cc4f35aba27308dc88d19c8f3686747 #v1.0.0
if: contains(steps.issue-form-values.outputs.issueparser_product_area, 'Mobile App') if: contains(steps.issue-form-values.outputs.issueparser_product_area, 'Mobile App')
with: with:
github_token: ${{ secrets.GITHUB_TOKEN }} github_token: ${{ secrets.GITHUB_TOKEN }}
@ -70,7 +70,7 @@ jobs:
dieterbe dieterbe
- name: Map selected product area(s) to issue labels - name: Map selected product area(s) to issue labels
uses: actions-ecosystem/action-add-labels@v1 uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf #v1.1.3
# github actions have a weird ternary operator, see below for more details # github actions have a weird ternary operator, see below for more details
# https://docs.github.com/en/actions/learn-github-actions/expressions#literals:~:text=GitHub%20offers%20ternary%20operator%20like%20behaviour%20that%20you%20can%20use%20in%20expressions # https://docs.github.com/en/actions/learn-github-actions/expressions#literals:~:text=GitHub%20offers%20ternary%20operator%20like%20behaviour%20that%20you%20can%20use%20in%20expressions
with: with:
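Review bot: The three `actions/checkout@v2` steps in this section are left untouched: v2 is a deprecated major that is not SHA-pinned and persists the `GITHUB_TOKEN` into `.git/config` by default, which is exactly the gap `persist-credentials: false` closes in the other workflows of this PR. If these issue-triage jobs only call labelling, assignment and parsing actions, the checkout may be unnecessary altogether — the remainder of each job is not visible here — otherwise they should move to a SHA-pinned v4 with `persist-credentials: false`. The `- run: echo $JSON_STRING` step also prints the parsed issue form unquoted; `echo "$JSON_STRING"` avoids word-splitting and glob expansion of user-supplied text.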


@ -27,7 +27,7 @@ jobs:
uses: ./.github/actions/install-frontend-dependencies uses: ./.github/actions/install-frontend-dependencies
# This will fetch the secret keys from vault and set them as environment variables for subsequent steps # This will fetch the secret keys from vault and set them as environment variables for subsequent steps
- name: Get Vault secrets - name: Get Vault secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
with: with:
repo_secrets: | repo_secrets: |
GRAFANA_ACCESS_POLICY_TOKEN=grafana_cloud_access_policy_token:value GRAFANA_ACCESS_POLICY_TOKEN=grafana_cloud_access_policy_token:value
@ -38,11 +38,11 @@ jobs:
with: with:
plugin_version_number: ${{ github.ref_name }} plugin_version_number: ${{ github.ref_name }}
- name: Authenticate with GCS - name: Authenticate with GCS
uses: google-github-actions/auth@v2 uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f #v2.1.7
with: with:
credentials_json: ${{ env.GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON }} credentials_json: ${{ env.GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON }}
- name: Publish plugin artifact to GCS - name: Publish plugin artifact to GCS
uses: google-github-actions/upload-cloud-storage@v2 uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 #v2.2.1
with: with:
path: grafana-plugin/${{ steps.build-sign-and-package-plugin.outputs.artifact_filename }} path: grafana-plugin/${{ steps.build-sign-and-package-plugin.outputs.artifact_filename }}
destination: grafana-oncall-app/releases destination: grafana-oncall-app/releases
@ -88,7 +88,7 @@ jobs:
echo version="${GITHUB_REF_NAME:1}" >> $GITHUB_OUTPUT echo version="${GITHUB_REF_NAME:1}" >> $GITHUB_OUTPUT
- name: Update oncall Helm chart Chart.yaml - name: Update oncall Helm chart Chart.yaml
id: update-helm-chart-pr id: update-helm-chart-pr
uses: fjogeleit/yaml-update-action@v0.12.3 uses: fjogeleit/yaml-update-action@d98ee6a10a971effea75480e3f315e4dacc89a23 #v0.12.3
with: with:
valueFile: helm/oncall/Chart.yaml valueFile: helm/oncall/Chart.yaml
branch: helm-release/${{ steps.prepare-version-tags.outputs.version }} branch: helm-release/${{ steps.prepare-version-tags.outputs.version }}
@ -120,7 +120,7 @@ jobs:
contents: read contents: read
steps: steps:
- name: Get Vault secrets - name: Get Vault secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
with: with:
repo_secrets: | repo_secrets: |
GH_APP_ID=github-app:app-id GH_APP_ID=github-app:app-id
@ -134,7 +134,7 @@ jobs:
private-key: ${{ env.GH_APP_PRIVATE_KEY }} private-key: ${{ env.GH_APP_PRIVATE_KEY }}
- name: Merge pull Request - name: Merge pull Request
uses: juliangruber/merge-pull-request-action@v1 uses: juliangruber/merge-pull-request-action@d4773803fdc1d1fd46801ab0c56c135df9075de8 #v1.1.1
with: with:
github-token: ${{ steps.generate-token.outputs.token }} github-token: ${{ steps.generate-token.outputs.token }}
number: ${{ needs.create-helm-release-pr.outputs.helm_release_pr_number }} number: ${{ needs.create-helm-release-pr.outputs.helm_release_pr_number }}
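Review bot: `credentials_json: ${{ env.GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON }}` hands `google-github-actions/auth` a long-lived service-account key pulled from Vault; SHA-pinning the action does not change that this is a static credential which must be rotated and is reachable by every later step in the job. The same action supports keyless auth via Workload Identity Federation (`workload_identity_provider:` plus `service_account:` under an `id-token: write` permission), which would remove the stored key entirely; whether the GCP side is configured for that cannot be seen here. `plugin_version_number: ${{ github.ref_name }}` and the `helm-release/${{ steps.prepare-version-tags.outputs.version }}` branch name are derived from the pushed tag and go to action inputs rather than a shell, so there is no injection path, but a comment such as `# ref_name is the release tag; only tag pushers can influence it` would make that trust boundary explicit for the next reader.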


@ -16,6 +16,6 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 - uses: grafana/writers-toolkit/publish-technical-documentation@39cdc38767184996e25d611923f8ce697e33bc70 #publish-technical-documentation/v1.2.0
with: with:
website_directory: content/docs/oncall/next website_directory: content/docs/oncall/next


@ -20,7 +20,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2 - uses: grafana/writers-toolkit/publish-technical-documentation-release@8cc658b604c6e05c275af30163a1c7728dfe19b2 #publish-technical-documentation-release/v2.2.4
with: with:
release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$" release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$" release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"


@ -24,12 +24,12 @@ jobs:
- name: Install frontend dependencies - name: Install frontend dependencies
uses: ./.github/actions/install-frontend-dependencies uses: ./.github/actions/install-frontend-dependencies
- name: Get Vault secrets - name: Get Vault secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
with: with:
common_secrets: | common_secrets: |
SNYK_TOKEN=snyk_scan_github_action:token SNYK_TOKEN=snyk_scan_github_action:token
- name: Install Snyk - name: Install Snyk
uses: snyk/actions/setup@master uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf #v0.4.0
# NOTE: on the snyk monitor and snyk test commands, we are excluding the dev and tools directories # NOTE: on the snyk monitor and snyk test commands, we are excluding the dev and tools directories
# because we can't install the requirements.txt files of these directories alongside the main engine # because we can't install the requirements.txt files of these directories alongside the main engine
# requirements.txt (some conflicting dep versions). If we realllly wanted to test these, we should do it # requirements.txt (some conflicting dep versions). If we realllly wanted to test these, we should do it


@ -10,6 +10,6 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1 - uses: grafana/writers-toolkit/update-make-docs@f65819d6a412b752c0e0263375215f049507b0e6 #update-make-docs/v1.3.0
with: with:
pr_options: --label "release:ignore" pr_options: --label "release:ignore"