ci: fix and standardize checkouts in privileged workflows #27193
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nbusseneau
added
area/CI-improvement
In 7a9447d we reworked a few workflows to now be triggered by Ariane, however we missed some changes to make sure that they checkout actions and code from the correct contexts. In particular: - Gateway API / Ingress / Integration tests were checking out environment variables from the default branch instead of the appropriate context ref (all in all not a big deal and still safe, but could be annoying to troubleshoot later down the road). - Runtime tests were checking out environment variables from the PR branch instead of the appropriate context ref (this was a potential security issue), and then incorrectly pulling the default branch for executing tests instead of the appropriate PR branch context (so we were not testing what we expected). Fixes: 7a9447d Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
No idea why but the steps were not aligned properly here. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
Workflows running on PRs and based on `pull_request_target` and `workflow_dispatch` are executed in a privileged context (e.g. access to repository secrets), hence we take extra care not to execute anything coming from the PR directly in the context of the workflow steps, but instead always in a sandboxed or controlled environment (e.g. a managed Kubernetes cluster or LVH VMs). This commit standardizes and adds some context around which checkouts are trusted and which are not, and where to be start being careful with what the workflow steps are doing. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
nbusseneau
force-pushed
the
pr/fix-checkout-workflows
branch
from
ce8c2b6
to
953f3ad
Compare
|
/test |
nbusseneau
added
the
needs-backport/1.14
|
With the fix in, the runtime tests correctly pull the SHA from the PR, and thus the tests executed properly come from the PR |
brb
approved these changes
Aug 2, 2023
brlbil
approved these changes
Aug 2, 2023
sayboras
added
backport-pending/1.14
nbusseneau
added
needs-backport/1.12
needs-backport/1.13
maintainer-s-little-helper
bot
moved this from Needs backport from main
to Backport pending to v1.14
in 1.14.1
joamaki
removed
the
needs-backport/1.13
maintainer-s-little-helper
bot
moved this from Backport pending to v1.14
to Backport done to v1.14
in 1.14.1
maintainer-s-little-helper
bot
moved this from Needs backport from main
to Backport pending to v1.13
in 1.13.6
maintainer-s-little-helper
bot
moved this from Needs backport from main
to Backport pending to v1.12
in 1.12.13
joamaki
moved this from Backport pending to v1.12
to Needs backport from main
in 1.12.13
YutaroHayakawa
added
backport-done/1.13
joestringer
added
needs-backport/1.12
backport/author
|
cc @nbusseneau there were conflicts for 1.12, so the PR got stuck in pending state. I set |
joestringer
moved this from Backport pending to v1.12
to Needs backport from main
in 1.12.14
joestringer
moved this from Backport pending to v1.13
to Backport done to v1.13
in 1.13.7
nbusseneau
added
backport-done/1.12
jrajahalme
moved this from Needs backport from main
to Backport done to v1.12
in 1.12.15
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please see per commit. This PR does not touch upon non-privileged workflows (those that run on
pull_requesttriggers), we might want to address them in a separate PR just to clean them up but there are no security concerns or specific issues to address on these so it's not urgent.