ci: fix and standardize checkouts in privileged workflows #27193
Merged
nbusseneau added the area/CI-improvement (Topic or proposal to improve the Continuous Integration workflow) and release-note/ci (This PR makes changes to the CI.) labels on Aug 1, 2023
In 7a9447d we reworked a few workflows to now be triggered by Ariane, however we missed some changes to make sure that they checkout actions and code from the correct contexts. In particular:

- Gateway API / Ingress / Integration tests were checking out environment variables from the default branch instead of the appropriate context ref (all in all not a big deal and still safe, but could be annoying to troubleshoot later down the road).
- Runtime tests were checking out environment variables from the PR branch instead of the appropriate context ref (this was a potential security issue), and then incorrectly pulling the default branch for executing tests instead of the appropriate PR branch context (so we were not testing what we expected).

Fixes: 7a9447d

Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
No idea why, but the steps were not aligned properly here.

Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
Workflows running on PRs and based on `pull_request_target` and `workflow_dispatch` are executed in a privileged context (e.g. access to repository secrets), hence we take extra care not to execute anything coming from the PR directly in the context of the workflow steps, but instead always in a sandboxed or controlled environment (e.g. a managed Kubernetes cluster or LVH VMs). This commit standardizes and adds some context around which checkouts are trusted and which are not, and where to start being careful with what the workflow steps are doing.

Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
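The trusted/untrusted checkout split the commit message above describes, as an added illustration that is not Cilium's own workflow: the `workflow_dispatch` input names, the local action path and the packaging script path are assumed, and the commented-out `ref` shows the defective setting the PR removed.

```yaml
name: example-privileged-tests   # hypothetical workflow, not Cilium's
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
  workflow_dispatch:
    inputs:
      PR-number:   # assumed input name (set by the dispatching bot)
        required: true
      SHA:         # assumed input name: PR head commit to test
        required: true

jobs:
  runtime-tests:
    runs-on: ubuntu-latest
    steps:
      # Trusted checkout: workflow helpers are taken from the context ref the
      # workflow itself was resolved from. For pull_request_target and
      # workflow_dispatch, github.sha is the base/dispatched branch commit,
      # never a commit from the PR.
      - name: Checkout trusted context
        uses: actions/checkout@v3
        with:
          ref: ${{ github.sha }}
          # WRONG (the defect fixed by this PR): reading helpers from the PR head
          # ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      # Everything executed by workflow steps must come from the trusted tree,
      # e.g. the repository's own env-variables action (path assumed).
      - name: Set environment variables
        uses: ./.github/actions/set-env-variables

      # Untrusted checkout: the PR head under test lands in its own directory
      # and is only handed to the sandboxed environment, never sourced or run
      # by a workflow step. `inputs` is empty for pull_request_target events,
      # so the expression falls back to the PR head commit.
      - name: Checkout PR code under test (untrusted)
        uses: actions/checkout@v3
        with:
          ref: ${{ inputs.SHA || github.event.pull_request.head.sha }}
          path: untrusted-pr
          persist-credentials: false

      # Only a script from the trusted tree runs here; the untrusted tree is
      # data it packages for the VM or cluster that will execute the tests.
      - name: Package PR tree for the sandbox
        run: ./contrib/scripts/package-for-sandbox.sh ./untrusted-pr   # script path assumed
```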
nbusseneau force-pushed the pr/fix-checkout-workflows branch from ce8c2b6 to 953f3ad on August 1, 2023 15:46
/test
nbusseneau added the needs-backport/1.14 (This PR / issue needs backporting to the v1.14 branch) label on Aug 1, 2023

brb approved these changes on Aug 2, 2023

brlbil approved these changes on Aug 2, 2023

sayboras added backport-pending/1.14 (The backport for Cilium 1.14.x for this PR is in progress.) and removed needs-backport/1.14 labels on Aug 3, 2023

nbusseneau added needs-backport/1.12 and needs-backport/1.13 (This PR / issue needs backporting to the v1.13 branch) labels on Aug 3, 2023

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.14 in 1.14.1 on Aug 3, 2023

joamaki removed the needs-backport/1.13 label on Aug 9, 2023

maintainer-s-little-helper bot moved this from Backport pending to v1.14 to Backport done to v1.14 in 1.14.1 on Aug 9, 2023

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.13 in 1.13.6 on Aug 9, 2023

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.12 in 1.12.13 on Aug 9, 2023

joamaki moved this from Backport pending to v1.12 to Needs backport from main in 1.12.13 on Aug 10, 2023

YutaroHayakawa added backport-done/1.13 (The backport for Cilium 1.13.x for this PR is done.) and removed backport-pending/1.13 (The backport for Cilium 1.13.x for this PR is in progress.) labels on Aug 17, 2023

joestringer added needs-backport/1.12 and backport/author (The backport will be carried out by the author of the PR.) and removed backport-pending/1.12 labels on Aug 25, 2023
cc @nbusseneau there were conflicts for 1.12, so the PR got stuck in pending state. I set |
joestringer moved this from Backport pending to v1.12 to Needs backport from main in 1.12.14 on Aug 25, 2023

joestringer moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.7 on Aug 25, 2023

nbusseneau added backport-done/1.12 (The backport for Cilium 1.12.x for this PR is done.) and removed needs-backport/1.12 labels on Sep 27, 2023

jrajahalme moved this from Needs backport from main to Backport done to v1.12 in 1.12.15 on Oct 17, 2023
Please see per commit. This PR does not touch upon non-privileged workflows (those that run on `pull_request` triggers); we might want to address them in a separate PR just to clean them up, but there are no security concerns or specific issues to address on these, so it's not urgent.