Check if secrets are set #2844
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,168 +5,198 @@ | |
| pull_request: | ||
|
|
||
| jobs: | ||
| check-secrets: | ||
| name: Check project secrets | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| have-secrets: ${{ steps.check.outputs.have-secrets }} | ||
| steps: | ||
| - id: check | ||
| run: | | ||
| missing=() | ||
|
|
||
| if [ -z "${{ secrets.CHECKOUT_TOKEN }}" ]; then | ||
| missing+=("CHECKOUT_TOKEN") | ||
| fi | ||
|
|
||
| if [ -z "${{ secrets.OSC_PASSWORD }}" ]; then | ||
| missing+=("OSC_PASSWORD") | ||
| fi | ||
|
|
||
| if [ ${#missing[@]} -eq 0 ]; then | ||
| echo "✅ All required secrets are set." | ||
| echo "have-secrets=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "❌ Missing required secrets: ${missing[*]}" | ||
| echo "⚠️ PRs must be sent from branches, not forks!" | ||
| echo "have-secrets=false" >> $GITHUB_OUTPUT | ||
| exit 1 | ||
| fi | ||
|
|
||
| obs-build: | ||
Check warningCode scanning / CodeQL Workflow does not contain permissions Medium |
||
| needs: check-secrets | ||
| if: needs.check-secrets.outputs.have-secrets == 'true' | ||
|
Member
There was a problem hiding this comment. I think the needs alone causes it to be skipped so the if should be unnecessary? haven't tested it though.
Member
Author
There was a problem hiding this comment. yes, the if might be removed if we dont write the file on failures perhaps, because we current write a value and read the value. |
||
| name: build all images on OBS | ||
| runs-on: ubuntu-latest | ||
| container: registry.opensuse.org/opensuse/bci/bci-ci:latest | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| os_version: | ||
| - 7 | ||
| - 6 | ||
| - "16.0" | ||
| - Tumbleweed | ||
|
|
||
| steps: | ||
| # we need all branches for the build checks | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| token: ${{ secrets.CHECKOUT_TOKEN }} | ||
|
|
||
| - uses: actions/cache@v4 | ||
| with: | ||
| path: ~/.cache/pypoetry/virtualenvs | ||
| key: poetry-${{ hashFiles('poetry.lock') }} | ||
|
|
||
| - name: fix the file permissions of the repository | ||
| run: chown -R $(id -un):$(id -gn) . | ||
|
|
||
| - name: install python dependencies | ||
| run: poetry install | ||
|
|
||
| - name: find the previous comment created by the bot | ||
| uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 | ||
| id: find_comment | ||
| with: | ||
| issue-number: ${{ github.event.number }} | ||
| body-includes: "Created a staging project on OBS for ${{ matrix.os_version }}" | ||
| direction: last | ||
|
|
||
| - name: cleanup the previously created staging project & branch | ||
| run: echo "${{ steps.find_comment.outputs.comment-body }}" | poetry run scratch-build-bot -vvvv --from-stdin cleanup | ||
| shell: fish {0} | ||
| env: | ||
| OSC_PASSWORD: ${{ secrets.OSC_PASSWORD }} | ||
| OSC_USER: "pushman" | ||
| if: steps.find_comment.outputs.comment-id != '' | ||
|
|
||
| - name: update the comment with the previous build explaining that it has been deleted | ||
| uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 | ||
| with: | ||
| issue-number: ${{ github.event.pull_request.number }} | ||
| comment-id: ${{ steps.find_comment.outputs.comment-id }} | ||
| body: "⚠️⚠️ Project and Branch have been deleted ⚠️⚠️" | ||
| edit-mode: append | ||
| if: steps.find_comment.outputs.comment-id != '' | ||
|
|
||
| - name: configure git user | ||
| run: | | ||
| set -xuo pipefail | ||
| username="${{ github.event.pull_request.user.login }}" | ||
| set +e | ||
| full_name=$(curl https://api.github.com/users/$username 2>/dev/null|jq '.name'|sed 's|"||g') | ||
| if [[ $? -ne 0 ]]; then | ||
| git config user.name "SUSE Update Bot" | ||
| git config user.email "[email protected]" | ||
| else | ||
| git config user.name "$full_name" | ||
| git config user.email "[email protected]" | ||
| fi | ||
|
|
||
| - name: commit the changes to a test branch and create a staging project on OBS | ||
| run: | | ||
| set -euo pipefail | ||
| poetry run scratch-build-bot \ | ||
| --os-version ${{ matrix.os_version }} \ | ||
| --branch-name="${{ matrix.os_version }}-${{ github.event.pull_request.number }}" \ | ||
| -vvvv \ | ||
| scratch_build \ | ||
| --commit-message='Test build for #${{ github.event.pull_request.number }}' \ | ||
| | tee info | ||
| if grep -q "No changes" info; then | ||
| echo "no_change=true" >> $GITHUB_ENV | ||
| else | ||
| echo "DEPLOYMENT_COMMIT_HASH=$(cat info)" >> $GITHUB_ENV | ||
| fi | ||
| cat test-build.env >> $GITHUB_ENV | ||
| env: | ||
| OSC_PASSWORD: ${{ secrets.OSC_PASSWORD }} | ||
| OSC_USER: "pushman" | ||
|
|
||
| - name: create a comment with a link to the staging project | ||
| if: env.no_change != 'true' | ||
| uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 | ||
| id: create_comment | ||
| with: | ||
| comment-id: ${{ steps.find_comment.outputs.comment-id || '' }} | ||
| edit-mode: replace | ||
| issue-number: ${{ github.event.pull_request.number }} | ||
| # !!! if you change the body, then you must adjust StagingBot.from_github_comment() !!! | ||
| body: | | ||
| Created a staging project on OBS for ${{ matrix.os_version }}: [${{ env.PROJECT_NAME }}](${{ env.PROJECT_URL }}) | ||
| Changes pushed to branch [`${{ env.BRANCH_NAME }}`](https://github.com/SUSE/BCI-dockerfile-generator/tree/${{ env.BRANCH_NAME }}) as commit [`${{ env.DEPLOYMENT_COMMIT_HASH }}`](https://github.com/SUSE/BCI-dockerfile-generator/commit/${{ env.DEPLOYMENT_COMMIT_HASH }}) | ||
|
|
||
| - name: wait for the build to finish | ||
| run: poetry run scratch-build-bot -vvvv wait | ||
| env: | ||
| OSC_PASSWORD: ${{ secrets.OSC_PASSWORD }} | ||
| OSC_USER: "pushman" | ||
| if: env.no_change != 'true' | ||
|
|
||
| - name: Install crane to list images on the registry | ||
| uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 | ||
| if: env.no_change != 'true' | ||
|
|
||
| - name: retrieve the build result | ||
| run: | | ||
| set -euo pipefail | ||
| export PROJECT_NAME=${{ env.PROJECT_NAME }} | ||
| export REGISTRY_PREFIX=$(echo ${PROJECT_NAME,,} | sed 's|:|/|g') | ||
| export TEST_OS_VER=${{ env.OS_VERSION_PRETTY }} | ||
| export TEST_OS_VER=$(echo ${TEST_OS_VER/SP/15.}) | ||
|
|
||
| echo "build_res<<EOF" >> $GITHUB_ENV | ||
| poetry run scratch-build-bot query_build_result >> $GITHUB_ENV | ||
|
|
||
| echo >> $GITHUB_ENV | ||
| echo >> $GITHUB_ENV | ||
| echo "To run [BCI-tests](https://github.com/SUSE/BCI-tests) against this PR, use the following command:" >> $GITHUB_ENV | ||
| echo "\`\`\`bash" >> $GITHUB_ENV | ||
| echo "OS_VERSION=${TEST_OS_VER,,} TARGET=custom BASEURL=registry.opensuse.org/${REGISTRY_PREFIX}/ tox -- -n auto" >> $GITHUB_ENV | ||
| echo "\`\`\`" >> $GITHUB_ENV | ||
|
|
||
| echo >> $GITHUB_ENV | ||
| echo >> $GITHUB_ENV | ||
| poetry run scratch-build-bot get_container_urls >> $GITHUB_ENV | ||
| echo "EOF" >> $GITHUB_ENV | ||
| id: query_build_result | ||
| env: | ||
| OSC_PASSWORD: ${{ secrets.OSC_PASSWORD }} | ||
| OSC_USER: "pushman" | ||
| if: env.no_change != 'true' | ||
|
|
||
| - name: report the finished build | ||
| if: env.no_change != 'true' | ||
| uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 | ||
| with: | ||
| issue-number: ${{ github.event.pull_request.number }} | ||
| comment-id: ${{ steps.create_comment.outputs.comment-id }} | ||
| body: ${{ env.build_res }} | ||
| edit-mode: append | ||
| reactions: rocket | ||
|
|
||
| - name: fail the job if the builds failed | ||
| run: poetry run scratch-build-bot get_build_quality | ||
| env: | ||
| OSC_PASSWORD: ${{ secrets.OSC_PASSWORD }} | ||
| OSC_USER: "pushman" | ||
| if: env.no_change != 'true' | ||
|
|
||
| - name: cleanup the branches if no functional changes were commited or the build was cancelled | ||
| run: poetry run scratch-build-bot -vvvv -l cleanup | ||
| env: | ||
| OSC_PASSWORD: ${{ secrets.OSC_PASSWORD }} | ||
| OSC_USER: "pushman" | ||
| if: ${{ env.no_change == 'true' || cancelled() }} | ||
Check warningCode scanning / CodeQL Workflow does not contain permissions Medium |
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is slightly contradicting. either we tell people to set the secrets (which they could on forks) or we forbid running from forks. that would be simpler to achieve:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could run on a fork if you have the proper secrets. It is possible to share secrets with forks, but this is security issue, so a no-go IMHO.
Not everyone can create a branch to send a PR, so yes, the message does not help much.
We could skip the run instead of failing with an error, not sure what is the best user experience here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think anyone has the right secrets (or we shouldn't advertise people putting their OSC access tokens into github, far too dangerous).
I suggest to only go with the "check if it is a fork, then don't run the jobs" approach instead. this doesn't advertise contributors to do an unsafe operation.