From 5d702f7ef7c2543dea3f064da71e1df579421a4a Mon Sep 17 00:00:00 2001 From: Stephen Morgan Date: Fri, 4 Apr 2025 16:57:30 +1300 Subject: [PATCH] ci: explicit permission and quote user definable input in actions --- .github/workflows/ami-release-nix.yml | 12 +++++------ .github/workflows/check-shellscripts.yml | 3 +++ .github/workflows/ci.yml | 3 +++ .../workflows/dockerhub-release-matrix.yml | 10 +++++++++- .github/workflows/manual-docker-release.yml | 8 ++++++++ .github/workflows/mirror-postgrest.yml | 3 +++ .github/workflows/mirror.yml | 3 +++ ...ublish-nix-pgupgrade-bin-flake-version.yml | 20 +++++++++---------- .../publish-nix-pgupgrade-scripts.yml | 12 +++++------ .github/workflows/qemu-image-build.yml | 10 +++++++--- .github/workflows/test.yml | 7 ++++++- .github/workflows/testinfra-nix.yml | 6 +++++- 12 files changed, 69 insertions(+), 28 deletions(-) diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml index 1d57ea23b..31089218d 100644 --- a/.github/workflows/ami-release-nix.yml +++ b/.github/workflows/ami-release-nix.yml @@ -11,6 +11,10 @@ on: - 'ansible/vars.yml' workflow_dispatch: +permissions: + contents: read + id-token: write + jobs: prepare: runs-on: ubuntu-latest @@ -41,10 +45,6 @@ jobs: mcpu: neoverse-n1 runs-on: ${{ matrix.runner }} timeout-minutes: 150 - permissions: - contents: write - packages: write - id-token: write steps: - name: Checkout Repo @@ -56,7 +56,7 @@ jobs: if: ${{ github.event_name == 'workflow_dispatch' }} run: | SUFFIX=$(sudo nix run nixpkgs#yq -- ".postgres_release[\"postgres${{ matrix.postgres_version }}\"]" ansible/vars.yml | sed -E 's/[0-9\.]+(.*)$/\1/') - if [[ -z $SUFFIX ]] ; then + if [[ -z "$SUFFIX" ]] ; then echo "Version must include non-numeric characters if built manually." exit 1 fi 
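Review bot: The workflow-level `id-token: write` added to ami-release-nix.yml grants every job, including `prepare`, the ability to mint OIDC tokens, whereas the block the second hunk removes had scoped that grant to the build job alone. Least privilege is better served by keeping only `contents: read` at workflow level and restating `permissions:` / `  contents: read` / `  id-token: write` on the job that actually assumes a cloud role. The removed job block also carried `contents: write` and `packages: write`; if any step of that job (its steps lie outside these hunks) pushes a package or release with GITHUB_TOKEN it will now fail, so that should be confirmed before merge. The same workflow-level `id-token: write` pattern appears in dockerhub-release-matrix.yml, manual-docker-release.yml, qemu-image-build.yml, test.yml and testinfra-nix.yml.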
@@ -67,7 +67,7 @@ jobs: - name: Generate common-nix.vars.pkr.hcl run: | PG_VERSION=$(sudo nix run nixpkgs#yq -- '.postgres_release["postgres'${{ matrix.postgres_version }}'"]' ansible/vars.yml) - PG_VERSION=$(echo $PG_VERSION | tr -d '"') # Remove any surrounding quotes + PG_VERSION=$(echo "$PG_VERSION" | tr -d '"') # Remove any surrounding quotes echo 'postgres-version = "'$PG_VERSION'"' > common-nix.vars.pkr.hcl # Ensure there's a newline at the end of the file echo "" >> common-nix.vars.pkr.hcl diff --git a/.github/workflows/check-shellscripts.yml b/.github/workflows/check-shellscripts.yml index b796bdb90..ab0f59b87 100644 --- a/.github/workflows/check-shellscripts.yml +++ b/.github/workflows/check-shellscripts.yml @@ -7,6 +7,9 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 510de7be6..93a2afdc5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,6 +3,9 @@ name: Check merge requirements on: pull_request: +permissions: + contents: read + jobs: check-release-version: timeout-minutes: 5 diff --git a/.github/workflows/dockerhub-release-matrix.yml b/.github/workflows/dockerhub-release-matrix.yml index 72116abd1..ed7075d1d 100644 --- a/.github/workflows/dockerhub-release-matrix.yml +++ b/.github/workflows/dockerhub-release-matrix.yml @@ -9,7 +9,11 @@ on: - ".github/workflows/dockerhub-release-matrix.yml" - "ansible/vars.yml" workflow_dispatch: - + +permissions: + contents: read + id-token: write + jobs: prepare: runs-on: ubuntu-latest @@ -233,6 +237,10 @@ jobs: matrix: ${{ steps.combine.outputs.matrix }} publish: needs: combine_results + permissions: + contents: read + packages: write + id-token: write strategy: matrix: ${{ fromJson(needs.combine_results.outputs.matrix) }} uses: ./.github/workflows/mirror.yml 
diff --git a/.github/workflows/manual-docker-release.yml b/.github/workflows/manual-docker-release.yml index b9b66b305..8948324db 100644 --- a/.github/workflows/manual-docker-release.yml +++ b/.github/workflows/manual-docker-release.yml @@ -7,6 +7,10 @@ on: description: 'Optional. Postgres version to publish against, i.e. 15.1.1.78' required: false +permissions: + id-token: write + contents: read + jobs: prepare: runs-on: ubuntu-latest @@ -241,6 +245,10 @@ jobs: outputs: matrix: ${{ steps.combine.outputs.matrix }} publish: + permissions: + contents: read + packages: write + id-token: write needs: combine_results strategy: matrix: ${{ fromJson(needs.combine_results.outputs.matrix) }} diff --git a/.github/workflows/mirror-postgrest.yml b/.github/workflows/mirror-postgrest.yml index c84647c85..1658730f7 100644 --- a/.github/workflows/mirror-postgrest.yml +++ b/.github/workflows/mirror-postgrest.yml @@ -8,6 +8,9 @@ on: - ".github/workflows/mirror-postgrest.yml" - "common.vars*" +permissions: + contents: read + jobs: version: runs-on: ubuntu-latest diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index 9f53e7fd7..28a068277 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -13,6 +13,9 @@ on: required: true type: string +permissions: + contents: read + jobs: mirror: runs-on: ubuntu-latest diff --git a/.github/workflows/publish-nix-pgupgrade-bin-flake-version.yml b/.github/workflows/publish-nix-pgupgrade-bin-flake-version.yml index 09e1663ce..bec85166e 100644 --- a/.github/workflows/publish-nix-pgupgrade-bin-flake-version.yml +++ b/.github/workflows/publish-nix-pgupgrade-bin-flake-version.yml 
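Review bot: The workflow-level `permissions: contents: read` added to mirror.yml also applies when the file is invoked as a reusable workflow by the `publish` jobs in dockerhub-release-matrix.yml and manual-docker-release.yml, and a called workflow can only narrow the token permissions its caller's job passes in, never widen them. The `packages: write` and `id-token: write` those callers grant on `publish` are therefore discarded, so if the `mirror` job (its steps are outside this hunk) authenticates to a registry with GITHUB_TOKEN or through OIDC it will lose that access. Either drop the block from mirror.yml and rely on the caller's job-level grant, or declare what the mirror job really needs here, `permissions:` / `  contents: read` / `  packages: write` / `  id-token: write`, so the intent is visible in one place. If mirror pushes only with long-lived secrets the block is harmless, but the callers' extra grants are then dead weight and should be removed for consistency.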
@@ -44,9 +44,9 @@ jobs: id: process_release_version run: | VERSION=$(nix run nixpkgs#yq -- '.postgres_release["postgres'${{ matrix.postgres_version }}'"]' ansible/vars.yml) - VERSION=$(echo $VERSION | tr -d '"') # Remove any surrounding quotes + VERSION=$(echo "$VERSION" | tr -d '"') # Remove any surrounding quotes if [[ "${{ inputs.postgresVersion }}" != "" ]]; then - VERSION=${{ inputs.postgresVersion }} + VERSION="${{ inputs.postgresVersion }}" fi echo "version=$VERSION" >> "$GITHUB_OUTPUT" echo "major_version=$(echo $VERSION | cut -d'.' -f1)" >> "$GITHUB_OUTPUT" @@ -54,9 +54,9 @@ jobs: - name: Create a tarball containing the latest nix flake version working-directory: /tmp/ run: | - mkdir -p ${{ steps.process_release_version.outputs.major_version }} - echo $GITHUB_SHA > ${{ steps.process_release_version.outputs.major_version }}/nix_flake_version - tar -czvf pg_upgrade_bin.tar.gz ${{ steps.process_release_version.outputs.major_version }} + mkdir -p "${{ steps.process_release_version.outputs.major_version }}" + echo "$GITHUB_SHA" > "${{ steps.process_release_version.outputs.major_version }}/nix_flake_version" + tar -czvf pg_upgrade_bin.tar.gz "${{ steps.process_release_version.outputs.major_version }}" - name: configure aws credentials - staging uses: aws-actions/configure-aws-credentials@v1 @@ -66,7 +66,7 @@ jobs: - name: Upload pg_upgrade scripts to s3 staging run: | - aws s3 cp /tmp/pg_upgrade_bin.tar.gz s3://${{ secrets.ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz + aws s3 cp /tmp/pg_upgrade_bin.tar.gz "s3://${{ secrets.ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz" - name: Slack Notification on Failure if: ${{ failure() }} 
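Review bot: Wrapping the expression at `VERSION="${{ inputs.postgresVersion }}"` in double quotes does not make a hostile input safe: the runner substitutes the expression into the script text before bash parses it, so a value containing shell metacharacters still alters the command rather than the string, and the quotes only fix word splitting for benign values. The robust form is to pass the value through the environment, `env:` / `  POSTGRES_VERSION: ${{ inputs.postgresVersion }}` on the step and `VERSION="$POSTGRES_VERSION"` in the script, where the shell treats it purely as data. The same applies to the matching `process_release_version` hunks in publish-nix-pgupgrade-scripts.yml and, with lower exposure since the matrix presumably comes from the repo's own `prepare` job, to the `${{ matrix.postgres_version }}` splices in test.yml, ami-release-nix.yml, qemu-image-build.yml and testinfra-nix.yml. Whether `inputs.postgresVersion` is free text from workflow_dispatch or a typed workflow_call input is not visible in this hunk; if the former, this step is where an arbitrary string enters a job that later holds cloud credentials. The context line `echo "major_version=$(echo $VERSION | cut -d'.' -f1)"` also still leaves `$VERSION` unquoted inside the inner command substitution.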
@@ -101,9 +101,9 @@ jobs: - name: Create a tarball containing the latest nix flake version working-directory: /tmp/ run: | - mkdir -p ${{ steps.process_release_version.outputs.major_version }} - echo $GITHUB_SHA > ${{ steps.process_release_version.outputs.major_version }}/nix_flake_version - tar -czvf pg_upgrade_bin.tar.gz ${{ steps.process_release_version.outputs.major_version }} + mkdir -p "${{ steps.process_release_version.outputs.major_version }}" + echo "$GITHUB_SHA" > "${{ steps.process_release_version.outputs.major_version }}/nix_flake_version" + tar -czvf pg_upgrade_bin.tar.gz "${{ steps.process_release_version.outputs.major_version }}" - name: configure aws credentials - prod uses: aws-actions/configure-aws-credentials@v1 @@ -113,7 +113,7 @@ jobs: - name: Upload pg_upgrade scripts to s3 prod run: | - aws s3 cp /tmp/pg_upgrade_bin.tar.gz s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz + aws s3 cp /tmp/pg_upgrade_bin.tar.gz "s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz" - name: Slack Notification on Failure if: ${{ failure() }} diff --git a/.github/workflows/publish-nix-pgupgrade-scripts.yml b/.github/workflows/publish-nix-pgupgrade-scripts.yml index ac18fa7ab..ece3e5966 100644 --- a/.github/workflows/publish-nix-pgupgrade-scripts.yml +++ b/.github/workflows/publish-nix-pgupgrade-scripts.yml 
@@ -51,9 +51,9 @@ jobs: id: process_release_version run: | VERSION=$(nix run nixpkgs#yq -- '.postgres_release["postgres'${{ matrix.postgres_version }}'"]' ansible/vars.yml) - VERSION=$(echo $VERSION | tr -d '"') # Remove any surrounding quotes + VERSION=$(echo "$VERSION" | tr -d '"') # Remove any surrounding quotes if [[ "${{ inputs.postgresVersion }}" != "" ]]; then - VERSION=${{ inputs.postgresVersion }} + VERSION="${{ inputs.postgresVersion }}" fi echo "version=$VERSION" >> "$GITHUB_OUTPUT" @@ -71,7 +71,7 @@ jobs: - name: Upload pg_upgrade scripts to s3 staging run: | - aws s3 cp /tmp/pg_upgrade_scripts.tar.gz s3://${{ secrets.ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/pg_upgrade_scripts.tar.gz + aws s3 cp /tmp/pg_upgrade_scripts.tar.gz "s3://${{ secrets.ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/pg_upgrade_scripts.tar.gz" - name: Slack Notification on Failure if: ${{ failure() }} @@ -102,9 +102,9 @@ jobs: id: process_release_version run: | VERSION=$(nix run nixpkgs#yq -- '.postgres_release["postgres'${{ matrix.postgres_version }}'"]' ansible/vars.yml) - VERSION=$(echo $VERSION | tr -d '"') # Remove any surrounding quotes + VERSION=$(echo "$VERSION" | tr -d '"') # Remove any surrounding quotes if [[ "${{ inputs.postgresVersion }}" != "" ]]; then - VERSION=${{ inputs.postgresVersion }} + VERSION="${{ inputs.postgresVersion }}" fi echo "version=$VERSION" >> "$GITHUB_OUTPUT" 
@@ -122,7 +122,7 @@ jobs: - name: Upload pg_upgrade scripts to s3 prod run: | - aws s3 cp /tmp/pg_upgrade_scripts.tar.gz s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/pg_upgrade_scripts.tar.gz + aws s3 cp /tmp/pg_upgrade_scripts.tar.gz "s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/pg_upgrade_scripts.tar.gz" - name: Slack Notification on Failure if: ${{ failure() }} diff --git a/.github/workflows/qemu-image-build.yml b/.github/workflows/qemu-image-build.yml index 8d929ee55..a2fd4b000 100644 --- a/.github/workflows/qemu-image-build.yml +++ b/.github/workflows/qemu-image-build.yml @@ -12,6 +12,10 @@ on: - 'ansible/vars.yml' workflow_dispatch: +permissions: + contents: read + id-token: write + jobs: prepare: runs-on: ubuntu-latest @@ -68,7 +72,7 @@ jobs: run: | curl -L https://github.com/mikefarah/yq/releases/download/v4.45.1/yq_linux_arm64 -o yq && chmod +x yq PG_VERSION=$(./yq '.postgres_release["postgres'${{ matrix.postgres_version }}'"]' ansible/vars.yml) - PG_VERSION=$(echo $PG_VERSION | tr -d '"') # Remove any surrounding quotes + PG_VERSION=$(echo "$PG_VERSION" | tr -d '"') # Remove any surrounding quotes echo 'postgres-version = "'$PG_VERSION'"' > common-nix.vars.pkr.hcl echo 'postgres-major-version = "'$POSTGRES_MAJOR_VERSION'"' >> common-nix.vars.pkr.hcl # Ensure there's a newline at the end of the file 
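Review bot: The context line `curl -L https://github.com/mikefarah/yq/releases/download/v4.45.1/yq_linux_arm64 -o yq && chmod +x yq` two lines above the newly quoted `PG_VERSION` fetches and executes a binary with no integrity check, in a job that the first hunk of qemu-image-build.yml now grants `id-token: write`. Adding `echo "<expected-sha256-placeholder>  yq" | sha256sum -c -` after the `chmod` pins the tool to a known build, or the step could use the `nix run nixpkgs#yq` form that ami-release-nix.yml and testinfra-nix.yml already rely on. This is pre-existing and not addressed by the commit; the rest of the step lies outside the hunk.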
@@ -122,8 +126,8 @@ jobs: REPOSITORY: postgres-vm-image IMAGE_TAG: ${{ steps.process_release_version.outputs.version }} run: | - docker build -f Dockerfile-kubernetes -t $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG . - docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG + docker build -f Dockerfile-kubernetes -t "$REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG" . + docker push "$REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG" # - name: Upload software manifest to s3 staging # run: | diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6dc194684..a218ef882 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -5,6 +5,11 @@ on: - develop pull_request: workflow_dispatch: + +permissions: + contents: read + id-token: write + jobs: prepare: runs-on: ubuntu-latest @@ -57,7 +62,7 @@ jobs: run: echo "POSTGRES_MAJOR_VERSION=${{ matrix.postgres_version }}" >> $GITHUB_ENV - name: Strip quotes from pg major and set env var run: | - stripped_version=$(echo ${{ matrix.postgres_version }} | sed 's/^"\(.*\)"$/\1/') + stripped_version=$(echo "${{ matrix.postgres_version }}" | sed 's/^"\(.*\)"$/\1/') echo "PGMAJOR=$stripped_version" >> $GITHUB_ENV - name: Generate common-nix.vars.pkr.hcl run: | diff --git a/.github/workflows/testinfra-nix.yml b/.github/workflows/testinfra-nix.yml index 14db4a7f2..c486dfc34 100644 --- a/.github/workflows/testinfra-nix.yml +++ b/.github/workflows/testinfra-nix.yml @@ -4,6 +4,10 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + id-token: write + jobs: prepare: runs-on: ubuntu-latest 
@@ -66,7 +70,7 @@ jobs: - name: Generate common-nix.vars.pkr.hcl run: | PG_VERSION=$(sudo nix run nixpkgs#yq -- '.postgres_release["postgres'${{ matrix.postgres_version }}'"]' ansible/vars.yml) - PG_VERSION=$(echo $PG_VERSION | tr -d '"') # Remove any surrounding quotes + PG_VERSION=$(echo "$PG_VERSION" | tr -d '"') # Remove any surrounding quotes echo 'postgres-version = "'$PG_VERSION'"' > common-nix.vars.pkr.hcl # Ensure there's a newline at the end of the file echo "" >> common-nix.vars.pkr.hcl