Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: fix and standardize checkouts in privileged workflows #27193

Merged
merged 3 commits into from
Aug 2, 2023
Merged

ci: fix and standardize checkouts in privileged workflows #27193

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
24251bb
ci: fix new Ariane-based workflows not using correct context
nbusseneau Aug 1, 2023
be2b725
ci: fix incorrect indentation in various workflows
nbusseneau Aug 1, 2023
953f3ad
ci: standardize / clarify comments around privileged checkouts
nbusseneau Aug 1, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 4 additions & 2 deletions .github/workflows/build-images-base.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
environment: release-base-images
runs-on: ubuntu-20.04
steps:
- name: Checkout main branch to access local actions
- name: Checkout default branch (trusted)
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ github.event.repository.default_branch }}
Expand All @@ -46,7 +46,9 @@ jobs:
- name: Install Cosign
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1

- name: Checkout Source Code
# Warning: since this is a privileged workflow, subsequent workflow job
# steps must take care not to execute untrusted code.
- name: Checkout pull request branch (NOT TRUSTED)
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
persist-credentials: false
Expand Down
6 changes: 4 additions & 2 deletions .github/workflows/build-images-ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ jobs:
dockerfile: ./images/cilium-docker-plugin/Dockerfile

steps:
- name: Checkout main branch to access local actions
- name: Checkout default branch (trusted)
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ github.event.repository.default_branch }}
Expand Down Expand Up @@ -94,7 +94,9 @@ jobs:
echo tag=${{ github.sha }} >> $GITHUB_OUTPUT
fi

- name: Checkout Source Code
# Warning: since this is a privileged workflow, subsequent workflow job
# steps must take care not to execute untrusted code.
- name: Checkout pull request branch (NOT TRUSTED)
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
persist-credentials: false
Expand Down
9 changes: 5 additions & 4 deletions .github/workflows/conformance-aks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ jobs:
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- name: Checkout context ref
- name: Checkout context ref (trusted)
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ inputs.context-ref || github.sha }}
Expand Down Expand Up @@ -116,7 +116,7 @@ jobs:
matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}}

steps:
- name: Checkout context ref
- name: Checkout context ref (trusted)
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ inputs.context-ref || github.sha }}
Expand Down Expand Up @@ -220,8 +220,9 @@ jobs:
until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
done

# Checkout source code to install Cilium using local Helm chart.
- name: Checkout code
# Warning: since this is a privileged workflow, subsequent workflow job
# steps must take care not to execute untrusted code.
- name: Checkout pull request branch (NOT TRUSTED)
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ steps.vars.outputs.sha }}
Expand Down
9 changes: 5 additions & 4 deletions .github/workflows/conformance-aws-cni.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ jobs:
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- name: Checkout context ref
- name: Checkout context ref (trusted)
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ inputs.context-ref || github.sha }}
Expand Down Expand Up @@ -115,7 +115,7 @@ jobs:
matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}}

steps:
- name: Checkout context ref
- name: Checkout context ref (trusted)
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ inputs.context-ref || github.sha }}
Expand Down Expand Up @@ -219,8 +219,9 @@ jobs:
until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
done

# Checkout source code to install Cilium using local Helm chart.
- name: Checkout code
# Warning: since this is a privileged workflow, subsequent workflow job
# steps must take care not to execute untrusted code.
- name: Checkout pull request branch (NOT TRUSTED)
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ steps.vars.outputs.sha }}
Expand Down