From 733f8027d2c4e0e597665cc319e7dc1a4fd3483f Mon Sep 17 00:00:00 2001 From: Ran Benita Date: Tue, 18 May 2021 22:21:25 +0300 Subject: [PATCH] Merge pull request #8681 from bluetech/ci-permissions ci: few security/permissions improvements (cherry picked from commit ff6d29717c96c64e108581ddc7ead862f8d2398a) Conflicts: .github/workflows/main.yml .github/workflows/prepare-release-pr.yml .github/workflows/update-plugin-list.yml scripts/prepare-release-pr.py scripts/report-coverage.sh --- .github/workflows/main.yml | 28 +++++++++++++++++++++++- .github/workflows/release-on-comment.yml | 11 +++++++++- scripts/release-on-comment.py | 4 ++-- scripts/report-coverage.sh | 20 +++++++++++++---- 4 files changed, 55 insertions(+), 8 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 27b25fd72..b2c4c69a8 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -14,10 +14,15 @@ on: - master - "[0-9]+.[0-9]+.x" +# Set permissions at the job level. +permissions: {} + jobs: build: runs-on: ${{ matrix.os }} timeout-minutes: 30 + permissions: + contents: read strategy: fail-fast: false @@ -137,10 +142,13 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: 0 + persist-credentials: false + - name: Set up Python ${{ matrix.python }} uses: actions/setup-python@v2 with: python-version: ${{ matrix.python }} + - name: Install dependencies run: | python -m pip install --upgrade pip 
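Review bot: `actions/checkout@v2` and `actions/setup-python@v2` in this hunk are still referenced by mutable major-version tags, so the hardening the commit adds here (`persist-credentials: false`, a read-only token) can be undone by whoever controls those tags upstream. Pin each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v2`, and let a dependency bot refresh the pins. The build job's `strategy`/matrix definition and the remaining steps lie outside this hunk.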
@@ -171,19 +179,29 @@ jobs: linting: runs-on: ubuntu-latest + permissions: + contents: read + steps: - uses: actions/checkout@v2 + with: + persist-credentials: false + - uses: actions/setup-python@v2 + - name: set PY run: echo "name=PY::$(python -c 'import hashlib, sys;print(hashlib.sha256(sys.version.encode()+sys.executable.encode()).hexdigest())')" >> $GITHUB_ENV + - uses: actions/cache@v2 with: path: ~/.cache/pre-commit key: pre-commit|${{ env.PY }}|${{ hashFiles('.pre-commit-config.yaml') }} + - name: Install dependencies run: | python -m pip install --upgrade pip pip install tox + - run: tox -e linting deploy: @@ -191,6 +209,8 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + contents: write needs: [build] @@ -198,25 +218,31 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: 0 + persist-credentials: false + - name: Set up Python uses: actions/setup-python@v2 with: python-version: "3.7" + - name: Install dependencies run: | python -m pip install --upgrade pip pip install --upgrade wheel setuptools tox + - name: Build package run: | python setup.py sdist bdist_wheel + - name: Publish package to PyPI uses: pypa/gh-action-pypi-publish@master with: user: __token__ password: ${{ secrets.pypi_token }} + - name: Publish GitHub release notes env: - GH_RELEASE_NOTES_TOKEN: ${{ secrets.release_notes }} + GH_RELEASE_NOTES_TOKEN: ${{ github.token }} run: | sudo apt-get install pandoc tox -e publish-gh-release-notes diff --git a/.github/workflows/release-on-comment.yml b/.github/workflows/release-on-comment.yml index 94863d896..32d221552 100644 --- a/.github/workflows/release-on-comment.yml +++ b/.github/workflows/release-on-comment.yml 
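Review bot: The `set PY` step writes `name=PY::<hash>` to `$GITHUB_ENV`, which the `KEY=value` format of that file reads as a variable named `name`, so `${{ env.PY }}` in the cache key a few lines later expands to empty and the pre-commit cache is keyed only on the config-file hash (this looks like a leftover from the old `::set-env name=PY::` syntax). Change the step to `run: echo "PY=$(python -c 'import hashlib, sys;print(hashlib.sha256(sys.version.encode()+sys.executable.encode()).hexdigest())')" >> "$GITHUB_ENV"`. This is a context line the commit leaves untouched, but it is worth fixing while the job is being edited.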
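Review bot: `pypa/gh-action-pypi-publish@master` in the Publish step runs code from a moving branch inside the one job that holds `secrets.pypi_token` and now a `contents: write` token, so the permission tightening this commit does elsewhere does not protect the most sensitive step. Pin it to a released tag or, better, the full commit SHA of that release (`uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # vX.Y.Z`) and bump the pin deliberately. The deploy job's header, including whatever `if:` gate restricts when it runs, is above this hunk.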
@@ -7,9 +7,15 @@ on: issue_comment: types: [created, edited] +# Set permissions at the job level. +permissions: {} + jobs: build: runs-on: ubuntu-latest + permissions: + contents: write + issues: write if: (github.event.comment && startsWith(github.event.comment.body, '@pytestbot please')) || (github.event.issue && !github.event.comment && startsWith(github.event.issue.body, '@pytestbot please')) @@ -17,15 +23,18 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python uses: actions/setup-python@v2 with: python-version: "3.8" + - name: Install dependencies run: | python -m pip install --upgrade pip pip install --upgrade setuptools tox + - name: Prepare release run: | - tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ secrets.chatops }} + tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ github.token }} diff --git a/scripts/release-on-comment.py b/scripts/release-on-comment.py index 44431a4fc..f2e8dfe90 100644 --- a/scripts/release-on-comment.py +++ b/scripts/release-on-comment.py @@ -23,8 +23,8 @@ Then the appropriate version will be obtained based on the given branch name: After that, it will create a release using the `release` tox environment, and push a new PR. -**Secret**: currently the secret is defined in the @pytestbot account, which the core maintainers -have access to. There we created a new secret named `chatops` with write access to the repository. +**Token**: currently the token from the GitHub Actions is used, pushed with +`pytest bot ` commit author. """ import argparse import json diff --git a/scripts/report-coverage.sh b/scripts/report-coverage.sh index fbcf20ca9..fa313f2fb 100755 --- a/scripts/report-coverage.sh +++ b/scripts/report-coverage.sh 
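Review bot: The `if:` gate this hunk keeps only inspects the comment text (`startsWith(github.event.comment.body, '@pytestbot please')`), while the job now receives `contents: write` and `issues: write`; `issue_comment` fires for comments from any GitHub account, so unless `scripts/release-on-comment.py` verifies the commenter's repository permission itself (not visible here), anyone can drive a job that pushes with the repository token. Add an author check to the condition, e.g. `&& contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)` (and the matching `github.event.issue.author_association` test on the issue-body branch), and keep any server-side check in the script as defense in depth.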
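Review bot: The Prepare release step passes `${{ github.token }}` as a command-line argument to `tox`, so the token is visible in the runner's process list and to any tox or pytest plugin that logs `sys.argv`; GitHub masks it in the job log, but that does not cover subprocess listings or crash output. Prefer exporting it on the step with `env:` and `GITHUB_TOKEN: ${{ github.token }}` and reading it from the environment in `scripts/release-on-comment.py`, which could then drop the positional token parameter; that script change is outside this hunk. Quoting `"$GITHUB_EVENT_PATH"` would also keep the path intact if it ever contained spaces.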
@@ -1,18 +1,30 @@ #!/usr/bin/env bash -set -e +set -euo pipefail set -x -if [ -z "$TOXENV" ]; then +# Install coverage. +if [[ -z ${TOXENV+x} || -z $TOXENV ]]; then python -m pip install coverage else # Add last TOXENV to $PATH. PATH="$PWD/.tox/${TOXENV##*,}/bin:$PATH" fi +# Run coverage. python -m coverage combine python -m coverage xml python -m coverage report -m + +# Download and verify latest Codecov bash uploader. # Set --connect-timeout to work around https://github.com/curl/curl/issues/4461 -curl -S -L --connect-timeout 5 --retry 6 -s https://codecov.io/bash -o codecov-upload.sh -bash codecov-upload.sh -Z -X fix -f coverage.xml "$@" +curl --silent --show-error --location --connect-timeout 5 --retry 6 -o codecov https://codecov.io/bash +VERSION=$(grep --only-matching 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2) +if command -v sha256sum; then + sha256sum --check --strict --ignore-missing --quiet <(curl --silent "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA256SUM") +else + shasum --algorithm 256 --check --strict --ignore-missing --quiet <(curl --silent "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA256SUM") +fi + +# Upload coverage. +bash codecov -Z -X fix -f coverage.xml "$@"
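Review bot: The `SHA256SUM` manifest is fetched inside a process substitution with plain `curl --silent`, so neither `set -e`/`pipefail` (which do not cover process substitutions) nor curl (no `--fail`, no `--retry`) reports a failed download; a transient error or an HTML error page only surfaces as sha256sum's "no properly formatted checksum lines" failure. That still fails closed thanks to `--strict`, but it is flaky and hard to diagnose, and the script download on the previous line likewise lacks `--fail`, so a 5xx body would be saved as `codecov`. Download the manifest to a file with the same options as the script fetch — `curl --silent --show-error --fail --location --connect-timeout 5 --retry 6 -o SHA256SUM "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA256SUM"` — add `--fail` to the first curl, and verify with `sha256sum --check --strict --ignore-missing --quiet SHA256SUM` (and the same for the `shasum` branch). The `command -v sha256sum` test also prints its path to stdout; redirect it to `/dev/null`.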