Do not sign patched artifacts at PR time #691

Merged
merged 9 commits into from
Jan 6, 2024
35 changes: 15 additions & 20 deletions .github/actions/patch-dependencies/action.yml
Expand Up @@ -15,13 +15,26 @@ inputs:
description: "If the workflow should run tests of the dependencies. Anything different than false will evaluate to true"
gpg_private_key:
description: "The gpg key used to sign the artifacts"
required: true
required: false
gpg_password:
description: "The gpg key password"
required: true
required: false
runs:
using: "composite"
steps:
- name: set environment variables
env:
INPUT_KEY: ${{ inputs.gpg_private_key }}
INPUT_PASSWORD: ${{ inputs.gpg_password }}
Comment on lines +27 to +28
Member

why can't you reference inputs.gpg_private_key directly?

i.e.: why not

echo 'GPG_PRIVATE_KEY=${{ inputs.gpg_private_key }}' >> $GITHUB_ENV

btw, I think you should use double quotes and not single quotes;
with single quotes the env var GPG_PRIVATE_KEY will have the value $INPUT_KEY literally.

Contributor Author

A malicious actor could technically change the inputs at PR time

Member

TIL

shell: bash
run: |
if [[ ! -z "$INPUT_KEY" ]]; then
echo "GPG_PRIVATE_KEY=$INPUT_KEY" >> $GITHUB_ENV
fi
if [[ ! -z "$INPUT_PASSWORD" ]]; then
echo "GPG_PASSWORD=$INPUT_PASSWORD" >> $GITHUB_ENV
fi

- name: check patches
run: |
if [[ -f .github/patches/opentelemetry-java.patch ]]; then
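Review bot: In the new "set environment variables" step, `echo "GPG_PRIVATE_KEY=$INPUT_KEY" >> $GITHUB_ENV` uses the single-line form of GITHUB_ENV, which only works when the value contains no newlines. If the key is supplied ASCII-armored, write it with the delimiter form (NAME<<DELIM, the value, then DELIM on its own line) or require the secret to be stored as a single base64 line. Writing to GITHUB_ENV also makes both values visible to every later step in the job, including the cleanup steps and whatever the caller runs after this action, whereas the step-level env blocks removed further down limited them to the Gradle steps; if that widening is not intended, keep step-level env and leave it empty when the input is empty. Smaller points: `[[ ! -z "$INPUT_KEY" ]]` reads better as `[[ -n "$INPUT_KEY" ]]`, `$GITHUB_ENV` should be quoted, and the two input descriptions should say what happens when the inputs are omitted now that they are `required: false`.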
Expand All @@ -48,19 +61,13 @@ runs:
with:
arguments: build publishToMavenLocal
build-root-directory: opentelemetry-java
env:
GPG_PRIVATE_KEY: ${{ inputs.gpg_private_key }}
GPG_PASSWORD: ${{ inputs.gpg_password }}

- name: Build opentelemetry-java
uses: gradle/gradle-build-action@v2
if: ${{ env.patch_otel_java == 'true' && inputs.run_tests == 'false' }}
with:
arguments: publishToMavenLocal
build-root-directory: opentelemetry-java
env:
GPG_PRIVATE_KEY: ${{ inputs.gpg_private_key }}
GPG_PASSWORD: ${{ inputs.gpg_password }}

- name: cleanup opentelemetry-java
run: rm -rf opentelemetry-java
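Review bot: With the step-level env removed from both opentelemetry-java Gradle steps, GPG_PRIVATE_KEY and GPG_PASSWORD are absent from the build whenever the inputs are empty, so `publishToMavenLocal` has to tolerate missing signing credentials. Nothing in the visible lines shows how the patched build behaves in that case; please confirm it skips signing rather than failing or producing a partially signed publication, and say so in the PR description. The same applies to the two identical removals in the contrib and instrumentation hunks.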
Expand All @@ -73,19 +80,13 @@ runs:
with:
arguments: build publishToMavenLocal
build-root-directory: opentelemetry-java-contrib
env:
GPG_PRIVATE_KEY: ${{ inputs.gpg_private_key }}
GPG_PASSWORD: ${{ inputs.gpg_password }}

- name: Build opentelemetry-java-contrib
uses: gradle/gradle-build-action@v2
if: ${{ env.patch_otel_java_contrib == 'true' && inputs.run_tests == 'false' }}
with:
arguments: publishToMavenLocal
build-root-directory: opentelemetry-java-contrib
env:
GPG_PRIVATE_KEY: ${{ inputs.gpg_private_key }}
GPG_PASSWORD: ${{ inputs.gpg_password }}

- name: cleanup opentelemetry-java-contrib
run: rm -rf opentelemetry-java-contrib
Expand All @@ -98,19 +99,13 @@ runs:
with:
arguments: check -x spotlessCheck publishToMavenLocal
build-root-directory: opentelemetry-java-instrumentation
env:
GPG_PRIVATE_KEY: ${{ inputs.gpg_private_key }}
GPG_PASSWORD: ${{ inputs.gpg_password }}

- name: Build opentelemetry java instrumentation
uses: gradle/gradle-build-action@v2
if: ${{ env.patch_otel_java_instrumentation == 'true' && inputs.run_tests == 'false' }}
with:
arguments: publishToMavenLocal
build-root-directory: opentelemetry-java-instrumentation
env:
GPG_PRIVATE_KEY: ${{ inputs.gpg_private_key }}
GPG_PASSWORD: ${{ inputs.gpg_password }}

- name: cleanup opentelmetry-java-instrumentation
run: rm -rf opentelemetry-java-instrumentation
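Review bot: The step name `cleanup opentelmetry-java-instrumentation` in the trailing context is misspelled ("opentelmetry"), and `Build opentelemetry java instrumentation` drops the hyphens the other step names use. Neither line is changed by this PR, but since the surrounding steps are being edited anyway it is a cheap moment to make the names consistent, which helps when searching job logs by step name.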
5 changes: 0 additions & 5 deletions .github/workflows/pr-build.yml
Expand Up @@ -36,8 +36,6 @@ jobs:
- uses: ./.github/actions/patch-dependencies
with:
run_tests: "true"
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
gpg_password: ${{ secrets.GPG_PASSPHRASE }}

build:
name: Build on ${{ matrix.os }}
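Review bot: The patch-dependencies call in this job is left with only `run_tests: "true"`, and nothing in the file records why the GPG inputs are absent. A one-line comment above the step stating that signing secrets are deliberately not passed in the PR build would keep a later contributor from re-adding `gpg_private_key` and `gpg_password` to fix what looks like a missing parameter.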
Expand Down Expand Up @@ -76,9 +74,6 @@ jobs:
- name: Publish patched dependencies to maven local
uses: ./.github/actions/patch-dependencies
if: ${{ matrix.os != 'windows-latest' }} # Skip patch on windows as it is not possible to build opentelemetry-java on windows
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
gpg_password: ${{ secrets.GPG_PASSPHRASE }}

- name: Build with Gradle with Integration tests
uses: gradle/gradle-build-action@v2
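Review bot: The whole `with:` block is dropped from "Publish patched dependencies to maven local", and this diff touches only pr-build.yml and the action itself. Because both inputs are now `required: false`, a workflow that is supposed to sign but forgets to pass them will no longer fail; it will publish unsigned artifacts without any error. Please check that every workflow that publishes still passes `gpg_private_key` and `gpg_password`, and consider having those callers fail explicitly when the key is empty.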