Conversation
Signed-off-by: samuel.park <samuel.park@megazone.com>
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check branch with regex | ||
| run: | | ||
| if [[ ! "${{ github.ref }}" =~ ^refs/heads/(${{env.BRANCH_PREFIX}}.*)$ ]]; then | ||
| echo `::error::Branch should always be run from '${{env.BRANCH_PREFIX}}', Running branch: ${github.ref_name}`. | ||
| exit 1 | ||
| fi | ||
| - name: Notice when job fails | ||
| if: failure() | ||
| uses: 8398a7/action-slack@v3.15.0 | ||
| with: | ||
| status: ${{job.status}} | ||
| fields: repo,workflow,job | ||
| author_name: Github Action Slack | ||
|
|
||
| mirinae: |
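Review bot: the `echo` in 'Check branch with regex' wraps its message in backticks, so bash tries to run the message as a command instead of printing it (the step still exits 1, but the `::error::` annotation never reaches the log), and `${github.ref_name}` is an unset shell variable rather than the `${{ github.ref_name }}` expression. Use a quoted string and `$GITHUB_REF_NAME`. The test also interpolates `${{ github.ref }}` and `${{ env.BRANCH_PREFIX }}` straight into the script; the safer shape is to read both from the environment, e.g. `if [[ ! "$GITHUB_REF" =~ ^refs/heads/(${BRANCH_PREFIX}.*)$ ]]; then`, so an unusual ref name cannot change what the script does.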
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 9 months ago):
To fix the issue, we need to add a permissions block to the workflow. This block should specify the least privileges required for the workflow to function correctly. Based on the workflow's operations:
- `contents: write` is required for Git tagging and pushing tags.
- `actions: read` is required for interacting with other workflows.
- `issues: write` or `pull-requests: write` might be required if the workflow interacts with issues or pull requests (though not evident in the provided code).
- Other permissions (e.g., `statuses`, `deployments`) are not explicitly required based on the provided code.
The permissions block can be added at the root level to apply to all jobs or at the job level for more granular control.
| @@ -17,2 +17,5 @@ | ||
|
|
||
| permissions: | ||
| contents: write | ||
| actions: read | ||
|
|
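Review bot: this suggestion grants `contents: write` where every job inherits it, but the only step that writes with the default `GITHUB_TOKEN` is 'Git tagging' (`git push origin` after a plain `actions/checkout`); the other pushes and the workflow dispatches go through `secrets.PAT_TOKEN`, so `actions: read` has no consumer either. Prefer `contents: read` at the root and `contents: write` on the `tagging` job only.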
| runs-on: ubuntu-latest | ||
| needs: check-branch | ||
| steps: | ||
| - name: Invoke mirinae release workflow | ||
| id: mirinae | ||
| uses: convictional/trigger-workflow-and-wait@v1.6.1 | ||
| with: | ||
| owner: ${{ github.repository_owner }} | ||
| repo: ${{ github.event.repository.name }} | ||
| github_token: ${{ secrets.PAT_TOKEN }} | ||
| workflow_file_name: dispatch_mirinae_release.yaml | ||
| wait_workflow: true | ||
| propagate_failure: true | ||
| wait_interval: 5 | ||
| ref: ${{ github.ref_name }} | ||
|
|
||
| storybook: |
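Review bot: 'Invoke mirinae release workflow' hands a personal access token (`secrets.PAT_TOKEN`) to a third-party action pinned only by tag (`convictional/trigger-workflow-and-wait@v1.6.1`); tags can be moved, so pin to the full commit SHA with the version in a comment, and keep the PAT scoped to the dispatch permission this step needs. The `check-branch` guard protects only this workflow, so the dispatched `dispatch_mirinae_release.yaml` should carry its own ref check.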
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 9 months ago):
To fix the issue, we will add a permissions block at the root level of the workflow to define the minimal permissions required for the workflow. Based on the provided workflow, the following permissions are necessary:
- `contents: read` - To allow the workflow to read repository contents.
- `contents: write` - Required for the `Git tagging` step to push tags to the repository.
- `actions: read` - To allow the workflow to interact with GitHub Actions artifacts.
- `statuses: write` - To update commit statuses.
This ensures that the workflow has only the permissions it needs to function correctly.
| @@ -2,2 +2,7 @@ | ||
|
|
||
| permissions: | ||
| contents: write | ||
| actions: read | ||
| statuses: write | ||
|
|
||
| on: |
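Review bot: `statuses: write` is not backed by any step: nothing in this workflow updates commit statuses (the Slack steps post to a webhook, not to the GitHub API). Drop it, and scope `contents: write` to the `tagging` job instead of the root, since that is the only job whose push uses the default `GITHUB_TOKEN`.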
| runs-on: ubuntu-latest | ||
| needs: mirinae | ||
| steps: | ||
| - name: Invoke storybook release workflow | ||
| uses: convictional/trigger-workflow-and-wait@v1.6.1 | ||
| with: | ||
| owner: ${{ github.repository_owner }} | ||
| repo: ${{ github.event.repository.name }} | ||
| github_token: ${{ secrets.PAT_TOKEN }} | ||
| workflow_file_name: dispatch_storybook_release.yaml | ||
| wait_workflow: false | ||
| propagate_failure: false | ||
| ref: ${{ github.ref_name }} | ||
|
|
||
| versioning_and_docker: |
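Review bot: 'Invoke storybook release workflow' sets `wait_workflow: false` and `propagate_failure: false`, so a failed storybook release neither fails this run nor triggers a 'Notice when job fails' step, and `versioning_and_docker` proceeds regardless because it `needs: mirinae`, not `storybook`. If that is intentional, a comment on the step would save the next reader from re-deriving it. Same SHA-pinning remark as for the mirinae step.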
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 9 months ago):
To fix the issue, we will add a permissions block at the root level of the workflow file. This block will define the minimal permissions required for the workflow to function correctly. Based on the workflow's steps, the following permissions are needed:
- `contents: read` for accessing repository contents.
- `actions: read` for interacting with GitHub Actions workflows.
- `statuses: write` for updating commit statuses.
The permissions block will be added at the top of the workflow, just below the name field.
| @@ -1,2 +1,6 @@ | ||
| name: "[Dispatch] Release Hotfix" | ||
| permissions: | ||
| contents: read | ||
| actions: read | ||
| statuses: write | ||
|
|
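Review bot: `contents: read` at the root would break the `tagging` job, whose `git push origin ${{ env.VERSION }}` relies on the default `GITHUB_TOKEN` persisted by `actions/checkout` and therefore needs write access; keep the root read-only but add a job-level `permissions: contents: write` to `tagging`. `statuses: write` has no consumer in this workflow.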
| runs-on: ubuntu-latest | ||
| needs: mirinae | ||
| outputs: | ||
| new_commit_sha: ${{ steps.get_sha.outputs.NEW_COMMIT_SHA }} | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| submodules: true | ||
| ref: ${{ github.ref_name }} | ||
| token: ${{ secrets.PAT_TOKEN }} | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: 16 | ||
|
|
||
| - name: Restore cached node_modules | ||
| id: restore-node-cache | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: '**/node_modules' | ||
| key: ${{ runner.OS }}-node-modules-${{ hashFiles('**/package-lock.json') }} | ||
| restore-keys: | | ||
| ${{ runner.OS }}-node-modules- | ||
|
|
||
| - name: Install dependencies | ||
| if: steps.restore-node-cache.outputs.cache-hit != 'true' | ||
| run: npm ci | ||
|
|
||
| - name: Change version | ||
| run: | | ||
| converted_version=$(echo ${{ env.VERSION }} | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+-fix\.[0-9]+)/\1/') | ||
| npm version $converted_version --no-git-tag-version --allow-same-version --no-commit-hooks --include-workspace-root -w=web | ||
| echo "converted_version=$converted_version" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Import GPG key | ||
| id: import-gpg | ||
| uses: crazy-max/ghaction-import-gpg@v6.2.0 | ||
| with: | ||
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | ||
| passphrase: ${{ secrets.GPG_PASSPHRASE }} | ||
| git_user_signingkey: true | ||
| git_commit_gpgsign: true | ||
|
|
||
| - name: Configure git | ||
| run: | | ||
| git config --global user.signingkey "${{ secrets.CLOUDFORET_ADMIN_GPG_KEY_ID }}" | ||
| git config --global user.email "${{ vars.GIT_EMAIL }}" | ||
| git config --global user.name "${{ vars.GIT_USERNAME }}" | ||
|
|
||
| - name: Check if there are any changes | ||
| id: check_changes | ||
| run: | | ||
| git diff --exit-code --quiet || echo "::set-output name=changed::true" | ||
| continue-on-error: true | ||
|
|
||
| - name: Commit changes and Set current commit SHA to output | ||
| if: steps.check_changes.outputs.changed == 'true' | ||
| id: get_sha | ||
| run: | | ||
| git commit -s -am "chore: version ${{ env.VERSION }}" | ||
| echo "NEW_COMMIT_SHA=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" | ||
| env: | ||
| GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }} | ||
| GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }} | ||
| GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }} | ||
| GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }} | ||
|
|
||
| - name: Push changes | ||
| if: steps.check_changes.outputs.changed == 'true' | ||
| uses: ad-m/github-push-action@master | ||
| with: | ||
| github_token: ${{ secrets.PAT_TOKEN }} | ||
| branch: ${{ github.ref }} | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v2 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v2 | ||
|
|
||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v2 | ||
| with: | ||
| username: ${{ secrets.CLOUDFORET_DEV_DOCKER_USERNAME }} | ||
| password: ${{ secrets.CLOUDFORET_DEV_DOCKER_PASSWORD }} | ||
|
|
||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v2 | ||
| with: | ||
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| aws-region: us-east-1 | ||
|
|
||
| - name: Login to Amazon ECR | ||
| run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${{ secrets.ECR_REPO }} | ||
|
|
||
| - name: Build and push to dockerhub | ||
| uses: docker/build-push-action@v4 | ||
| env: | ||
| BUILDKIT_COLORS: 1 | ||
| with: | ||
| context: . | ||
| file: ./apps/web/Dockerfile | ||
| platforms: ${{ env.ARCH }} | ||
| push: true | ||
| cache-from: ${{ vars.DOCKER_REPO_OWNER }}/${{ github.event.repository.name }}:latest | ||
| cache-to: type=inline | ||
| tags: | | ||
| ${{ vars.DOCKER_REPO_OWNER }}/${{ github.event.repository.name }}:latest | ||
| ${{ vars.DOCKER_REPO_OWNER }}/${{ github.event.repository.name }}:${{ env.VERSION }} | ||
| ${{ secrets.ECR_REPO }}/${{ github.event.repository.name }}:latest | ||
| ${{ secrets.ECR_REPO }}/${{ github.event.repository.name }}:${{ env.VERSION }} | ||
| provenance: false | ||
|
|
||
| - name: Notice when job fails | ||
| if: failure() | ||
| uses: 8398a7/action-slack@v3.15.0 | ||
| with: | ||
| status: ${{job.status}} | ||
| fields: repo,workflow,job | ||
| author_name: Github Action Slack | ||
|
|
||
| tagging: |
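Review bot: the sed expression in 'Change version', `s/^([0-9]+\.[0-9]+\.[0-9]+-fix\.[0-9]+)/\1/`, replaces the match with itself, so `converted_version` is always identical to `VERSION`; either drop the substitution or make it express the intended transformation. The same step writes `converted_version` to `$GITHUB_OUTPUT` but has no `id:`, so no later step can read it. In 'Check if there are any changes', `::set-output` is deprecated in favour of `echo "changed=true" >> "$GITHUB_OUTPUT"`, and `continue-on-error: true` is redundant because the `||` already keeps the step green. 'Push changes' uses `ad-m/github-push-action@master`, a mutable branch ref; pin it (and the other third-party actions) to a full commit SHA. 'Configure AWS credentials' stores long-lived access keys as secrets; `role-to-assume` with OIDC would avoid that. `provenance: false` in 'Build and push to dockerhub' disables the BuildKit provenance attestation; if it is there only for registry compatibility, say so in a comment.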
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 9 months ago):
To fix the issue, we need to add a permissions block to the workflow file. This block should specify the minimal permissions required for the workflow to function correctly. Based on the operations performed in the workflow, the following permissions are recommended:
- `contents: write` for pushing changes and tagging commits.
- `packages: write` for interacting with Docker Hub.
- `id-token: write` for AWS authentication if OpenID Connect is used.
- `statuses: write` for updating commit statuses.
The permissions block can be added at the root level of the workflow to apply to all jobs or at the job level for more granular control.
| @@ -2,2 +2,8 @@ | ||
|
|
||
| permissions: | ||
| contents: write | ||
| packages: write | ||
| id-token: write | ||
| statuses: write | ||
|
|
||
| on: |
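Review bot: `packages: write` and `id-token: write` have no consumer here: images go to Docker Hub (`docker/login-action` with the `CLOUDFORET_DEV_DOCKER_*` secrets) and ECR Public (`aws ecr-public get-login-password` with static keys), not to GHCR, and `aws-actions/configure-aws-credentials` is given access keys rather than `role-to-assume`, so no OIDC token is ever requested. The suggestion's own text marks `id-token: write` as conditional on OIDC; drop both, plus `statuses: write`, unless OIDC is adopted.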
| needs: versioning_and_docker | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| NEW_COMMIT_SHA: ${{ needs.versioning_and_docker.outputs.new_commit_sha }} | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| ref: ${{ env.NEW_COMMIT_SHA }} | ||
|
|
||
| - name: Configure git | ||
| run: | | ||
| git config --global user.email "${{ vars.GIT_EMAIL }}" | ||
| git config --global user.name "${{ vars.GIT_USERNAME }}" | ||
|
|
||
| - name: Git tagging | ||
| run: | | ||
| git tag ${{ env.VERSION }} | ||
| git push origin ${{ env.VERSION }} | ||
|
|
||
| - name: Notice when job fails | ||
| if: failure() | ||
| uses: 8398a7/action-slack@v3.15.0 | ||
| with: | ||
| status: ${{job.status}} | ||
| fields: repo,workflow,job | ||
| author_name: Github Action Slack | ||
|
|
||
| notification: |
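Review bot: 'Git tagging' pushes a lightweight, unsigned tag; the GPG key imported in `versioning_and_docker` exists only on that job's runner, so `git tag -s` here would need the `crazy-max/ghaction-import-gpg` step repeated in this job. The push runs with the default `GITHUB_TOKEN` from `actions/checkout`, so this job needs `permissions: contents: write`. Also, `NEW_COMMIT_SHA` is empty when `get_sha` was skipped (no version change), in which case `ref:` falls back to the triggering ref; that is the intended target, but worth a comment.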
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 9 months ago):
To fix the issue, we will add a permissions block to the root of the workflow to define the minimal permissions required for all jobs. Additionally, we will add job-specific permissions blocks for jobs that require elevated permissions. For example:
- The `versioning_and_docker` job will need `contents: write` for tagging and pushing changes.
- Other jobs, such as `check-branch`, may only need `contents: read`.
This approach ensures that each job has only the permissions it needs, reducing the risk of accidental or malicious misuse of the GITHUB_TOKEN.
| @@ -2,2 +2,5 @@ | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| @@ -27,2 +30,4 @@ | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| @@ -77,2 +82,4 @@ | ||
| needs: mirinae | ||
| permissions: | ||
| contents: write | ||
| outputs: | ||
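Review bot: `contents: write` on `versioning_and_docker` is unneeded: its `actions/checkout` and `ad-m/github-push-action` steps both authenticate with `secrets.PAT_TOKEN`, so the job's `GITHUB_TOKEN` never writes to the repository; only `tagging` pushes with the default token. Keeping this job at `contents: read` is the tighter choice.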
| @@ -202,2 +209,4 @@ | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| env: |
| needs: tagging | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Slack | ||
| if: always() | ||
| uses: 8398a7/action-slack@v3.15.0 | ||
| with: | ||
| status: ${{job.status}} | ||
| fields: repo,message,commit,author,action,ref,workflow,job | ||
| author_name: Github Action Slack |
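Review bot: `status: ${{ job.status }}` in the 'Slack' step is the notification job's own status, which is `success` whenever its single step runs, so with `if: always()` this summary reports success even after `tagging` (or anything upstream) failed. Derive it from `needs.tagging.result` instead, mapping `skipped` to `failure` or `custom`, since action-slack only understands success, failure, cancelled and custom. The per-job 'Notice when job fails' steps still fire, but the final message would be misleading as written.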
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 9 months ago):
To fix the issue, we will add a permissions block at the root level of the workflow to define the minimal permissions required for all jobs. Each job will inherit these permissions unless overridden. Based on the workflow's functionality, the following permissions are required:
- `contents: write` for the `tagging` job to push tags to the repository.
- `contents: read` for other jobs that only need to read repository contents.
- `actions: read` for jobs that invoke other workflows (e.g., `mirinae` job).
We will add the permissions block at the root level and override it for specific jobs where necessary.
| @@ -2,2 +2,6 @@ | ||
|
|
||
| permissions: | ||
| contents: read | ||
| actions: read | ||
|
|
||
| on: | ||
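Review bot: `actions: read` at the root has no consumer: both 'Invoke ... release workflow' steps pass `secrets.PAT_TOKEN` to `convictional/trigger-workflow-and-wait`, so the `GITHUB_TOKEN` permission does not affect them. `contents: read` at the root together with the job-level `contents: write` on `tagging` in the following hunk is sufficient.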
| @@ -202,2 +206,4 @@ | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| env: |
Signed-off-by: yuda <yuda@megazone.com>