Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: explicit workflow permissions blocks, update action versions to node 20 versions, cluster cleanup fix #131

Merged
merged 3 commits into from
Jan 30, 2024
Merged

ci: explicit workflow permissions blocks, update action versions to node 20 versions, cluster cleanup fix #131

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0fd7453
Workflow patches
c-ryan-k Jan 25, 2024
6e821ed
minor tweaks
Jan 29, 2024
85e8ca9
security action and SBOM tool updates
Jan 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 5 additions & 3 deletions .github/workflows/azdev_linter.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,22 +9,24 @@ on:

jobs:
linter:
permissions:
contents: read
continue-on-error: ${{ inputs.continue-on-error }}
name: Evaluate command table
runs-on: ubuntu-latest
steps:
# checkout source (for linter_exclusions)
- uses: actions/checkout@v3
- uses: actions/checkout@v4

# download built wheel (from ./release_build.yml)
- name: Download Wheel
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: azure-iot-ops-cli-ext
path: ./extension

# Install python
- uses: actions/setup-python@v3
- uses: actions/setup-python@v5
name: Setup python
with:
python-version: "3.9"
Expand Down
8 changes: 5 additions & 3 deletions .github/workflows/ci_build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,19 +3,21 @@ on:
workflow_call:
jobs:
build:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Setup python
uses: actions/setup-python@v3
uses: actions/setup-python@v5
with:
python-version: "3.9"
- name: Build Wheel
run: |
pip install wheel
python -m setup bdist_wheel -d dist
- name: Upload Wheel Artifact
uses: actions/upload-artifact@v3.1.0
uses: actions/upload-artifact@v4
with:
path: dist/*.whl
name: azure-iot-ops-cli-ext
2 changes: 2 additions & 0 deletions .github/workflows/ci_workflow.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
name: CI Build and Test
permissions:
contents: read
on:
pull_request:
branches:
Expand Down
9 changes: 5 additions & 4 deletions .github/workflows/cluster_cleanup.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ env:
KEYVAULT_PREFIX: ${{ inputs.keyvault_prefix || 'opstestkv' }}

permissions:
# required for OpenID federation
contents: 'read'
id-token: 'write'

Expand All @@ -57,7 +58,7 @@ jobs:
run: |
cluster_type="Microsoft.Kubernetes/connectedClusters"
for cluster in $(az resource list -g ${{ env.RESOURCE_GROUP }} --resource-type $cluster_type --query "[?starts_with(name, '${{ env.CLUSTER_PREFIX }}')].id" -o tsv); do
az resource delete --id $cluster --verbose
az resource delete -v --id $cluster --verbose
done
keyvault-cleanup:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -86,7 +87,7 @@ jobs:
- name: Delete linked AIO resources
run: |
for resource in $(az resource list -g ${{ env.RESOURCE_GROUP }} --query "[?starts_with(name, '${{ env.CLUSTER_PREFIX }}')].id" -o tsv); do
az resource delete --id $resource --verbose
az resource delete -v --id $resource --verbose
done
mq-cleanup:
runs-on: ubuntu-latest
Expand All @@ -103,7 +104,7 @@ jobs:
in_cluster_ext_loc="contains(to_string(extendedLocation.name), '${{ env.CLUSTER_PREFIX }}')"

for mq_resource in $(az resource list -g ${{ env.RESOURCE_GROUP }} --query "[?$in_cluster_ext_loc && $is_mq_child_resource].id" -o tsv); do
az resource delete --id $mq_resource --verbose
az resource delete -v --id $mq_resource --verbose
done
- name: Delete MQ instances
run: |
Expand All @@ -114,5 +115,5 @@ jobs:
sleep 15s

for mq in $(az resource list -g ${{ env.RESOURCE_GROUP }} --resource-type $mq_type --query "[?$in_cluster_ext_loc].id" -o tsv); do
az resource delete --id $mq --verbose
az resource delete -v --id $mq --verbose
done
4 changes: 1 addition & 3 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,15 +11,13 @@ jobs:
runs-on: ubuntu-latest

permissions:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
Expand Down
12 changes: 7 additions & 5 deletions .github/workflows/int_test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,11 +44,13 @@ env:
EXTENSION_SOURCE_DIRECTORY: "./azure-iot-ops-cli-extension"
K3S_VERSION: "v1.28.5+k3s1"

permissions:
# required for OpenID federation
contents: 'read'
id-token: 'write'

jobs:
integration_test:
permissions:
contents: 'read'
id-token: 'write'
name: Integration test
runs-on: ubuntu-22.04
outputs:
Expand All @@ -57,11 +59,11 @@ jobs:
keyvault_name: ${{ env.KV_NAME }}
steps:
- name: "Setup python"
uses: actions/setup-python@v3
uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: "Checkout extension source"
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
# ensure source checkout uses our repo instead of calling workflow
repository: azure/azure-iot-ops-cli-extension
Expand Down
12 changes: 7 additions & 5 deletions .github/workflows/release_build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,15 @@ on:
jobs:
build:
runs-on: [self-hosted, 1ES.Pool=iotupx-github-hosted-pool, 1ES.ImageOverride=MMSUbuntu20.04]
permissions:
contents: read
steps:
- name: Setup python
uses: actions/setup-python@v3
uses: actions/setup-python@v5
with:
python-version: "3.9"

- uses: actions/checkout@v3
- uses: actions/checkout@v4

- name: Build Wheel
run: |
Expand All @@ -26,17 +28,17 @@ jobs:
echo "version=$version" >> $GITHUB_ENV
- name: Generate SBOM
run: |
curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/download/v1.5.2/sbom-tool-linux-x64
curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/download/v2.2.3/sbom-tool-linux-x64
chmod +x $RUNNER_TEMP/sbom-tool
$RUNNER_TEMP/sbom-tool generate -b ./dist -bc . -pn "Azure IoT Operations CLI Extension" -pv "${{ env.version }}" -ps Microsoft

- name: Upload Wheel Artifact
uses: actions/upload-artifact@v3.1.0
uses: actions/upload-artifact@v4
with:
path: ${{ env.wheel }}
name: azure-iot-ops-cli-ext
- name: Upload SBOM Artifact
uses: actions/upload-artifact@v3.1.0
uses: actions/upload-artifact@v4
with:
path: dist/_manifest/
name: SBOM
7 changes: 7 additions & 0 deletions .github/workflows/release_workflow.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ on:
default: false
jobs:
security:
permissions:
# needed to write security info to repository
security-events: write
digimaun marked this conversation as resolved.
Show resolved Hide resolved
contents: read
uses: ./.github/workflows/security_checks.yml
with:
continue-on-error: ${{ github.event.inputs.continue-on-error == 'true' }}
Expand Down Expand Up @@ -53,6 +57,9 @@ jobs:
fi
# github_release == 'true'
draft_github_release:
permissions:
# needed to create draft release
contents: write
needs: [approval]
if: github.event.inputs.github_release == 'true'
uses: ./.github/workflows/stage_release.yml
Expand Down
14 changes: 6 additions & 8 deletions .github/workflows/security_checks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,24 +13,22 @@ jobs:
name: SDL Compliance Checks
runs-on: windows-latest
permissions:
# required for all workflows
# needed to write security info to repository
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4

# Install dotnet, used by MSDO
- uses: actions/setup-dotnet@v3
- uses: actions/setup-dotnet@v4
with:
dotnet-version: |
5.0.x
6.0.x

# Run analyzers
- name: Run Microsoft Security DevOps Analysis
uses: microsoft/security-devops-action@preview
uses: microsoft/security-devops-action@v1
id: msdo
env:
# file path to analyze
Expand All @@ -39,13 +37,13 @@ jobs:

# Upload alerts to the Security tab
- name: Upload alerts to Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.msdo.outputs.sarifFile }}

# Upload alerts file as a workflow artifact
- name: Upload alerts artifact
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: alerts
path: ${{ steps.msdo.outputs.sarifFile }}
9 changes: 6 additions & 3 deletions .github/workflows/stage_release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,14 +6,17 @@ on:
jobs:
create_draft_release:
runs-on: [self-hosted, 1ES.Pool=iotupx-github-hosted-pool, 1ES.ImageOverride=MMSUbuntu20.04]
permissions:
# needed to create a draft release
contents: write
steps:
- name: Download Wheel
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: azure-iot-ops-cli-ext
path: ./release
- name: Setup python
uses: actions/setup-python@v3
uses: actions/setup-python@v5
with:
python-version: "3.9"
- name: Install and determine version
Expand All @@ -25,7 +28,7 @@ jobs:
echo "version=$version" >> $GITHUB_ENV
echo "tag=v$version" >> $GITHUB_ENV
- name: Download SBOM
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: SBOM
path: ./release/SBOM
Expand Down
11 changes: 7 additions & 4 deletions .github/workflows/tox.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ on:
required: false
default: false

permissions:
contents: read

jobs:
tox:
name: Unit test ${{ matrix.py }} - ${{ matrix.os }}
Expand All @@ -32,10 +35,10 @@ jobs:
- "3.8"
steps:
- name: Setup python ${{ matrix.py }}
uses: actions/setup-python@v3
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.py }}
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Install tox-gh
run: python -m pip install tox-gh
- name: Setup test suite
Expand All @@ -47,15 +50,15 @@ jobs:
continue-on-error: true
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Run code coverage
run: |
python -m pip install tox
tox -e coverage
coverage=$(jq .totals.percent_covered coverage.json | cut -c1-4)
echo "Code coverage: $coverage%" >> $GITHUB_STEP_SUMMARY
- name: Upload code coverage
uses: actions/upload-artifact@v3.1.0
uses: actions/upload-artifact@v4
with:
path: ./htmlcov
name: code_coverage
2 changes: 1 addition & 1 deletion .github/workflows/update_private_index.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
steps:
- name: Download wheel
id: wheel
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: azure-iot-ops-cli-ext
path: ./
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/upload_wheel.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,9 @@ env:
jobs:
# Upload wheel to storage account
upload_wheel:
permissions:
# ensures this release job has no access to source
contents: none
outputs:
upload_success: ${{ steps.upload.outputs.upload_success }}
runs-on:
Expand All @@ -23,7 +26,7 @@ jobs:
steps:
- name: Download wheel
id: wheel
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: azure-iot-ops-cli-ext
path: ./
Expand Down