
🛡️ Security | Upgrade to latest dependencies in GHA & tweak installs/build #7

Merged
merged 5 commits into from Sep 19, 2023

Conversation

Fdawgs
Contributor

@Fdawgs Fdawgs commented Sep 18, 2023

Description

This PR:

  • Bumps GitHub Actions to their latest major versions, which now use Node 16 internally instead of Node 12 (EOL as of end of April 2022, no longer receives security updates):
    • Changelog for actions/checkout can be found here
    • Releases for actions/setup-node can be found here

References

N/A

Testing

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in Slab
  • I have updated or added public documentation
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not main

@Fdawgs

Fdawgs commented Sep 18, 2023

There are probably a few more things that could be done to beef up CI security:

  • Declares the minimum permissions for CI workflows to run at the workflow level, following the principle of least privilege; see related GitHub security post
  • Removes Git credentials/SSH keys after checkout as a security precaution by setting persist-credentials to false for the actions/checkout action (obviously only when not using them)
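The two hardening measures listed above, shown together in a workflow file. This is an added example, not a workflow from the joggrdocs repository or from this PR; the workflow name, the Node version, the `ubuntu-latest` runner and the `npm ci` / `npm test` steps are assumptions chosen to make the file complete. The `@v3` tags are the Node 16-based major versions of actions/checkout and actions/setup-node that the PR description refers to.

```yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default for the GITHUB_TOKEN: every job below gets only
# read access to repository contents unless it declares more for itself.
# Without this block the token falls back to the repository default, which
# on older repositories is a broad read/write set of scopes.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Node 16-based major of actions/checkout (assumed tag).
      - uses: actions/checkout@v3
        with:
          # Do not write the GITHUB_TOKEN into .git/config after checkout.
          # Later steps, including any third-party actions, then cannot pick
          # it up to push commits or call the API. Only safe here because no
          # later step needs git credentials.
          persist-credentials: false

      # Node 16-based major of actions/setup-node (assumed tag).
      - uses: actions/setup-node@v3
        with:
          node-version: 18   # assumed Node version for the project
          cache: npm

      # Assumed install and test steps; npm ci installs exactly what the
      # lockfile pins rather than resolving ranges at build time.
      - run: npm ci
      - run: npm test

  # A job that genuinely needs more can widen its own scopes; it cannot
  # exceed what the repository settings allow, and other jobs are unaffected.
  comment:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "job-scoped write access to pull requests only"
```

The workflow-level `permissions:` block sets the ceiling for the whole file; the job-level block on `comment` shows the pattern for the one job that needs a write scope, so a compromised step in `test` still only holds a read-only token with no persisted git credentials.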

@zrosenbauer

zrosenbauer commented Sep 18, 2023

@Fdawgs good looking on updating the actions, bad C+P on our end 😄

I'll take a look at the permissions.

On the npm install vs ci I think that's the issue I hit... with the peerDep

@Fdawgs

Fdawgs commented Sep 18, 2023

On the npm install vs ci I think that's the issue I hit... with the peerDep

Gotcha, I can see that now in the CI test failure, will revert.

@zrosenbauer zrosenbauer changed the title bump github actions 🛡️ Security | Upgrade to latest dependencies in GHA & tweak installs/build Sep 18, 2023
@zrosenbauer zrosenbauer added patch Bug fixes that are backwards compatible. security Security issue or fix. labels Sep 18, 2023
@zrosenbauer

@Fdawgs looks like it's still failing (no idea why tbh); also made changes to the deploy process so it might conflict

I'm happy to merge just the updates to the GHA actions and do the npm changes in diff PR?

zrosenbauer and others added 2 commits September 19, 2023 13:08
Signed-off-by: Zac Rosenbauer <zacrosenbauer@gmail.com>
Signed-off-by: Zac Rosenbauer <zac@joggr.io>

@zrosenbauer zrosenbauer left a comment


Until we can figure out the npm i I don't want to merge, we can merge in the GHA upgrades though

@Fdawgs

Fdawgs commented Sep 19, 2023

@Fdawgs looks like it's still failing (no idea why tbh); also made changes to the deploy process so it might conflict

I'm happy to merge just the updates to the GHA actions and do the npm changes in diff PR?

Sounds good, will update PR.

@zrosenbauer zrosenbauer merged commit 09b9cf6 into joggrdocs:main Sep 19, 2023
1 check passed
@Fdawgs Fdawgs deleted the ci/github-actions branch September 20, 2023 03:48