Importing JosiahSiegel GHA: [email protected] #16157

Closed
emvaldes opened this issue Oct 8, 2024 · 35 comments · Fixed by #16728
Labels: DevSecOps Team (Aq DevSecOps work label), github-actions (Tracking GitHub Actions items), reportstream, tech-debt (Anything that is purely a technical issue and does not affect functionality)

Comments
emvaldes commented Oct 8, 2024

Profile: JosiahSiegel
Status: Importing (In-Progress)

Objective: Determine whether the test string's checksum is valid or invalid.

  1. Generate a checksum from either a string or shell command (use command substitution: $()).
  2. Validate if checksum is identical to input (even across multiple jobs), using a key to link the validation attempt with the correct generated checksum.
    a. Validation is possible across jobs since the checksum is uploaded as a workflow artifact

Target: [email protected] : ebdf8c1
Latest: checksum-validate-action (806ce2fa215d520071c6d4faf8d2588a65e23749 )

Note: Further development was made and not referenced/used in the project.

The checksum-validate-action is a GitHub Action designed to generate and validate checksums from strings or command outputs within your workflows. This functionality is particularly useful for ensuring data integrity and consistency across different stages of your pipeline.

Key Features:

  • Checksum Generation: Creates a SHA-256 checksum from a provided string or the output of a shell command.
  • Checksum Validation: Compares the generated checksum against a previously stored value to verify data integrity.
  • Cross-Job Validation: Supports validation across multiple jobs by uploading the checksum as a workflow artifact, facilitating consistency checks throughout the pipeline.

Inputs:

  • key (required): A unique identifier to associate the checksum with a specific validation context.
  • input (required): The string or command output to generate the checksum from.
  • validate (optional, default: false): Indicates whether to perform a validation check against a previously generated checksum.
  • fail-invalid (optional, default: false): Determines if the action should fail the step when the checksum validation is unsuccessful.

Outputs:

  • valid: A boolean indicating whether the checksum validation was successful.

Technical Evaluation:

The action is implemented as a composite action, executing a series of shell commands to perform checksum operations. The workflow includes the following steps:

  1. Checksum Generation: Utilizes the sha256sum command to generate a SHA-256 checksum from the provided input.
  2. Artifact Management:
    • Upload: If not in validation mode, the generated checksum is saved to a file and uploaded as a workflow artifact.
    • Download: In validation mode, the action downloads the previously uploaded checksum artifact for comparison.
  3. Validation: Compares the newly generated checksum with the downloaded artifact to determine consistency.
  4. Output and Failure Handling: Sets the valid output based on the comparison result and optionally fails the step if validation fails and fail-invalid is set to true.

Usage Example:

jobs:
  generate-checksums:
    name: Generate checksum
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - name: Generate checksum of string
        uses: JosiahSiegel/checksum-validate-action@v1
        with:
          key: test string
          input: hello world
      - name: Generate checksum of command output
        uses: JosiahSiegel/checksum-validate-action@v1
        with:
          key: test command
          input: $(cat action.yml)

  validate-checksums:
    name: Validate checksum
    needs: generate-checksums
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - name: Validate checksum of valid string
        id: valid-string
        uses: JosiahSiegel/checksum-validate-action@v1
        with:
          key: test string
          validate: true
          fail-invalid: true
          input: hello world
      - name: Validate checksum of valid command output
        id: valid-command
        uses: JosiahSiegel/checksum-validate-action@v1
        with:
          key: test command
          validate: true
          fail-invalid: true
          input: $(cat action.yml)
      - name: Get outputs
        run: |
          echo ${{ steps.valid-string.outputs.valid }}
          echo ${{ steps.valid-command.outputs.valid }}

Relevance to Your Pipeline:

If your pipeline involves scenarios where data integrity verification is crucial—such as ensuring that files or outputs remain unchanged across different stages or jobs—this action provides a straightforward method to implement such checks. It can help detect unintended modifications, ensuring consistency and reliability in your workflows. However, if your pipeline does not require such integrity checks or if similar validations are already implemented through other means, this action may be considered non-essential.

Conclusion:

The checksum-validate-action offers a practical solution for generating and validating checksums within GitHub workflows, enhancing data integrity and consistency. Its utility depends on your pipeline's specific requirements for data verification. Assessing your current processes for ensuring data integrity will help determine the action's relevance to your workflows.

@emvaldes emvaldes added the labels DevOps (Work Type label to flag work related to DevOps), DevSecOps Team (Aq DevSecOps work label), github-actions (Tracking GitHub Actions items), reportstream and tech-debt (Anything that is purely a technical issue and does not affect functionality) on Oct 8, 2024
@emvaldes emvaldes self-assigned this Oct 8, 2024
@emvaldes emvaldes added this to the in progress milestone Oct 8, 2024
@emvaldes emvaldes changed the title from 'Copy of Importing JosiahSiegel GHA "AzViz-action"' to 'Importing JosiahSiegel GHA "checksum-validate-action"' on Oct 8, 2024
@emvaldes emvaldes changed the title from 'Importing JosiahSiegel GHA "checksum-validate-action"' to 'Importing JosiahSiegel GHA: [email protected]' on Oct 8, 2024
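The generate / validate round trip that the issue body above describes, as an added example (this is not the action's own code and is not from the issue): a local directory stands in for the workflow artifact store, the artifact file name follows the `<github.sha>-<key>.txt` pattern that the action.yml diff quoted further down in this issue shows, and the names `ARTIFACT_DIR`, `GITHUB_SHA` and `cva_*` are this example's own. Whether the real action hashes the input with or without a trailing newline is not shown on this page; the example assumes without.

```shell
#!/usr/bin/env sh
# Added example, not the action's own code. Models the generate/validate
# round trip of checksum-validate-action offline: a directory stands in for
# the workflow artifact store, and the artifact file name follows the
# "<github.sha>-<key>.txt" pattern visible in the action.yml diff quoted
# later in this issue. Names below (ARTIFACT_DIR, GITHUB_SHA, cva_*) are
# this example's, not the action's.

ARTIFACT_DIR="${ARTIFACT_DIR:-$(mktemp -d)}"
# Constructed stand-in for github.sha (the commit the workflow runs on).
GITHUB_SHA="${GITHUB_SHA:-0000000000000000000000000000000000000000}"

# SHA-256 of a string. Assumption: the input is hashed without a trailing
# newline; whether the real action adds one is not shown on this page.
cva_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# Generate step (validate=false): store the digest under the key.
cva_generate() {
  key="$1"; input="$2"
  cva_digest "$input" > "$ARTIFACT_DIR/${GITHUB_SHA}-${key}.txt"
}

# Validate step (validate=true): re-hash the input and compare it with the
# stored digest. Prints the action's `valid` output (true/false); returns 1
# on a mismatch or a missing artifact only when fail_invalid is "true",
# mirroring the fail-invalid input.
cva_validate() {
  key="$1"; input="$2"; fail_invalid="${3:-false}"
  file="$ARTIFACT_DIR/${GITHUB_SHA}-${key}.txt"
  if [ ! -f "$file" ]; then
    echo "no checksum stored for key '$key' at $GITHUB_SHA" >&2
    echo false
  elif [ "$(cat "$file")" = "$(cva_digest "$input")" ]; then
    echo true
    return 0
  else
    echo false
  fi
  if [ "$fail_invalid" = "true" ]; then
    return 1
  fi
  return 0
}

# Stand-alone demo with a constructed input (the README's "hello world").
cva_generate "test string" "hello world"
echo "valid=$(cva_validate 'test string' 'hello world')"   # valid=true
echo "valid=$(cva_validate 'test string' 'hello  world')"  # valid=false
```

The key does the same job here as in the action: it selects which stored digest a later job compares against, and a key that was never generated validates as false rather than erroring. Note what the comparison does and does not establish: it detects that the input changed between the two jobs, but it trusts whatever artifact carries that key for this run; nothing in the check itself says which job wrote the artifact.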
emvaldes commented Oct 8, 2024

This external repo is now inserted in the file structure at: .github/actions/checksum-validate-action in the importing-gha branch.

emvaldes commented Oct 12, 2024

$GITHUB_STEP_SUMMARY
$GITHUB_OUTPUT
env.sha
github.sha
inputs.input
inputs.key
matrix.os
steps.input_sha.outputs.sha
steps.valid-command.outputs.valid
steps.valid-string.outputs.valid
steps.validate_checksum.outputs.valid

emvaldes commented Oct 22, 2024

I will be listing each step that must be performed in order to complete the importing of an external GitHub Action repository. Note: Follow these steps as a guideline but it will require additional steps depending on each project.

A personal/professional comment I would like to point out. I do not believe this is the correct approach for importing these external/remote GitHub Actions. Nevertheless, sometimes what is correct is not what is needed/required so it's all based on context. Nevertheless, my approach would always tend to be like follows:

Perform this specific set of tasks once:

  1. Create a fork of the target External/Remote GitHub Repository into our GitHub Organization.
2. Define a default branch (e.g.: RELEASE branch) to be used and active when it's invoked.
  3. Determine the trusted release (hash commit) which we would always control and maintain.
  4. Replace/Update any self-references to the upstream repository with the GitHub Organization entity.
  5. Make sure to Generate/Update a Default-Release (e.g. latest, etc.) TAG to be used consistently and avoid having to update any references to this release (e.g.: latest). For example:
    uses: CDCgov/devsecops/checksum-validate@latest

Perform these tasks periodically or when upstream updates are published:

  1. Periodically maintain an updated version of your forked repo with the remote/origin to it so you can be up to speed for existing progressive development.
  2. Replace/Update any self-references to the upstream repository with the GitHub Organization entity.
  3. Perform some testings on the latest updates and update your release-branch with these enhancements.
  4. Update your default-release TAG with these latest changes (no need to update references).

Conclusion: These are significantly less time-consuming and more effort-efficient tasks to manage development workflows upstream and yet maintain the desired/required level of control and safety to our project.
Nevertheless, it's critical that we maintain and support a unified vision so we will have to focus on abiding to the existing guideline so that we all can succeed on our role.

emvaldes commented Dec 6, 2024

1. Always checkout the MAIN branch:

$ git checkout main ;

Switched to branch 'main'
Your branch is up to date with 'origin/main'.

emvaldes commented Dec 6, 2024

2. Always update the MAIN branch:

$ git pull ;

remote: Enumerating objects: ?, done.
remote: Counting objects: 100% (?/?), done.
remote: Compressing objects: 100% (?/?), done.
remote: Total ? (delta ?), reused ? (delta ?), pack-reused 0 (from 0)
Unpacking objects: 100% (?/?), ?.? KiB | ?.? MiB/s, done.
From https://github.com/CDCgov/prime-reportstream
   abc..xyz  main    -> origin/main
. . .
Updating abc..xyz
Fast-forward
. . .

emvaldes commented Dec 6, 2024

3. Create local branch using pattern-naming convention:

$ git checkout -b devsecops/<user-id>/<github-action> ;

Switched to a new branch 'devsecops/<user-id>/<github-action>'

emvaldes commented Dec 6, 2024

4. Push existing branch state to remote:

$ git push --set-upstream origin devsecops/<user-id>/<github-action> ;

Total 0 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
remote: 
remote: Create a pull request for 'devsecops/<user-id>/<github-action>' on GitHub by visiting:
remote: https://github.com/CDCgov/prime-reportstream/pull/new/devsecops/<user-id>/<github-action>
remote: 
remote: GitHub found ? vulnerabilities on CDCgov/prime-reportstream's default branch (? high, ? low).
        To find out more, visit:
remote: https://github.com/CDCgov/prime-reportstream/security/dependabot
remote: 
To https://github.com/CDCgov/prime-reportstream.git
 * [new branch]  devsecops/<user-id>/<github-action> -> devsecops/<user-id>/<github-action>
branch 'devsecops/<user-id>/<github-action>' 
set up to track 'origin/devsecops/<user-id>/<github-action>'.

emvaldes commented Dec 6, 2024

5. Create target container (filesystem folder) for the external/remote GitHub Action:

$ cd .github/actions/ ;
$ mkdir <github-action> && cd $_ ;
$ ls -al ;
total 0
drwxr-xr-x   2 <user-id>  staff   64 Dec  5 14:51 .
drwxr-xr-x  26 <user-id>  staff  832 Dec  5 14:51 ..
$ pwd ;
/repos/hhs/cdc/prime-reportstream/.github/actions/<github-action>

emvaldes commented Dec 6, 2024

6. Clone the external/remote repository GitHub Action:

$ git clone https://github.com/<vendor-id>/<github-action>.git . ;

Cloning into '.'...
remote: Enumerating objects: 143, done.
remote: Counting objects: 100% (80/80), done.
remote: Compressing objects: 100% (52/52), done.
remote: Total 143 (delta 38), reused 46 (delta 24), pack-reused 63 (from 1)
Receiving objects: 100% (143/143), 52.98 KiB | 645.00 KiB/s, done.
Resolving deltas: 100% (47/47), done.

emvaldes commented Dec 6, 2024

7. Listing local repository file structure

$ tree -a ;
.
├── .git ...
├── .github
│   ├── dependabot.yml
│   └── workflows
│       └── test_action.yml
├── README.md
└── action.yml

19 directories, 32 files

emvaldes commented Dec 6, 2024

8. Listing local repository log:

$ git log ;

commit 806ce2fa215d520071c6d4faf8d2588a65e23749 (HEAD -> main, origin/main, origin/HEAD)
Merge: abcb2c6 59444f8
Author: <vendor-id> <5522990+<vendor-id>@users.noreply.github.com>
Date:   Fri Aug 2 08:36:54 2024 -0400

   Merge pull request #31 from <vendor-id>/dependabot/github_actions/actions/download-artifact-4.1.8
   Bump actions/download-artifact from 4.1.7 to 4.1.8
. . .

emvaldes commented Dec 6, 2024

9. Checkout target hash-commit (referenced in the PRIME-ReportStream application):

$ git checkout ebdf8c12c00912d18de93c483b935d51582f9236 ;

Note: switching to 'ebdf8c12c00912d18de93c483b935d51582f9236'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at ebdf8c1 Merge pull request #16 from <vendor-id>/dependabot/github_actions/actions/download-artifact-4.1.2

emvaldes commented Dec 6, 2024

10. Listing GitHub Action (e.g.: action.yaml) change log:

((v1.5)) $ git log -p ./action.yml ;

commit 20fe3f0b1e20bf44f7c1c0dde8b7e6798ac123e7
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Fri Feb 16 14:57:08 2024 +0000

    Bump actions/download-artifact from 4.1.0 to 4.1.2
    
    Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.0 to 4.1.2.
    - [Release notes](https://github.com/actions/download-artifact/releases)
    - [Commits](https://github.com/actions/download-artifact/compare/f44cd7b...eaceaf8)
    
    ---
    updated-dependencies:
    - dependency-name: actions/download-artifact
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>

diff --git a/action.yml b/action.yml
index 149b759..1ad3023 100644
--- a/action.yml
+++ b/action.yml
@@ -77,7 +77,7 @@ runs:
     # VALIDATE FILE START
     - name: Download checksum file
       if: inputs.validate == 'true'
-      uses: actions/download-artifact@f44cd7b
+      uses: actions/download-artifact@eaceaf8
       with:
         name: "${{ github.sha }}-${{ inputs.key }}.txt"
 . . .
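Review bot: `uses: actions/download-artifact@eaceaf8` pins to a 7-character abbreviated commit id. GitHub resolves an abbreviated ref by prefix at run time, so it is far cheaper to collide than the full 40-character SHA that the rest of this issue standardises on (step 20 writes ebdf8c12c00912d18de93c483b935d51582f9236 out in full). Since the vendored copy is now under this project's control, prefer the full SHA with the version in a trailing comment, e.g. `uses: actions/download-artifact@<full 40-hex sha> # v4.1.2`, so that the pin and the human-readable version travel together.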

emvaldes commented Dec 6, 2024

11. Purge non-usable components (e.g.: .git and .github folders)

$ rm -rf .git .github ;
$ ls -al ;
total 16
drwxr-xr-x   4 <user-id>  staff   128 Dec  5 15:00 .
drwxr-xr-x  26 <user-id>  staff   832 Dec  5 14:51 ..
-rw-r--r--   1 <user-id>  staff  2475 Dec  5 14:52 README.md
-rw-r--r--   1 <user-id>  staff  3358 Dec  5 14:54 action.yml

emvaldes commented Dec 6, 2024

12. Modify all the configuration files that are needed/required to be updated:

$ git status ;

On branch devsecops/<user-id>/<github-action>
Your branch is up to date with 'origin/devsecops/<user-id>/<github-action>'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	modified:   dependabot.yml

Untracked files:
  (use "git add <file>..." to include in what will be committed)
	actions/<github-action>/

no changes added to commit (use "git add" and/or "git commit -a")

emvaldes commented Dec 6, 2024

13. Modify the dependabot.yml file and review its changes:

$ git log -p ./dependabot.yml ;
commit fba4665dd899767e4ea4da2c6cc5418bef835037
Author: Eduardo Valdes <[email protected]>
Date:   Thu Dec 5 15:06:13 2024 -0700

    Integrating the <github-action> GitHub Action into project

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 498f787b1..6365ac269 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -125,6 +125,11 @@ updates:
     schedule:
       interval: "daily"
 
+  - package-ecosystem: "github-actions"
+    directory: "/.github/actions/<github-action>"
+    schedule:
+      interval: "daily"
+
   # Frontend
   - package-ecosystem: "npm"
     directory: "/frontend-react"
. . .
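Review bot: with this entry Dependabot will open PRs that bump the `actions/download-artifact` pin inside the vendored action.yml (the same kind of change the step 10 diff shows), so the local copy will drift from the upstream commit ebdf8c12c00912d18de93c483b935d51582f9236 that step 20 writes into the README's `uses:` lines. Either state in the README that the hash is the import baseline rather than the current content, or drop the hash from those references and let the directory's own git history record the current state.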

emvaldes commented Dec 6, 2024

14. Modify, if needed/required, the .github/actions/checksum-validate/action.yaml file and review its changes:

$ git log ./actions/<github-action>/action.yml ;

commit fba4665dd899767e4ea4da2c6cc5418bef835037
Author: Eduardo Valdes <[email protected]>
Date:   Thu Dec 5 15:06:13 2024 -0700

    Integrating the <github-action> GitHub Action into project
. . .

emvaldes commented Dec 6, 2024

15. Adding and listing all performed changes:

$ git add . ;
$ git status ;

On branch devsecops/<user-id>/<github-action>
Your branch is up to date with 'origin/devsecops/<user-id>/<github-action>'.

Changes to be committed:
  (use "git restore --staged <file>..." to unstage)
	new file:   actions/<github-action>/README.md
	new file:   actions/<github-action>/action.yml
	modified:   dependabot.yml

emvaldes commented Dec 6, 2024

16. Provide a meaningful comment:

$ git commit -m "Integrating the <github-action> GitHub Action into project" ;

[devsecops/<user-id>/<github-action> fba4665dd] Integrating the <github-action> GitHub Action into project
 3 files changed, 210 insertions(+)
 create mode 100644 .github/actions/<github-action>/README.md
 create mode 100644 .github/actions/<github-action>/action.yml

emvaldes commented Dec 6, 2024

17. Listing current local repository status:

$ git status ;

On branch devsecops/<user-id>/<github-action>
Your branch is ahead of 'origin/devsecops/<user-id>/<github-action>' by 1 commit.
  (use "git push" to publish your local commits)

nothing to commit, working tree clean

emvaldes commented Dec 6, 2024

18. Push upstream the performed changes:

$ git push ;

Enumerating objects: 12, done.
Counting objects: 100% (12/12), done.
Delta compression using up to 12 threads
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 2.44 KiB | 2.44 MiB/s, done.
Total 8 (delta 4), reused 0 (delta 0), pack-reused 0 (from 0)
remote: Resolving deltas: 100% (4/4), completed with 4 local objects.
remote: 
remote: GitHub found 3 vulnerabilities on CDCgov/prime-reportstream's default branch (2 high, 1 low).
        To find out more, visit:
remote: https://github.com/CDCgov/prime-reportstream/security/dependabot
remote: 
To https://github.com/CDCgov/prime-reportstream.git
   e564319f2..fba4665dd  devsecops/<user-id>/<github-action> -> devsecops/<user-id>/<github-action>

emvaldes commented Dec 6, 2024

19. Search for all references to this package across the GitHub Workflows and Actions:

$ find . -type f | xargs -I {} egrep -Hni "<vendor-id>/<github-action>" {} ;

./actions/<github-action>/README.md:3:[![Test Action](https://github.com/<vendor-id>/<github-action>/actions/workflows/test_action.yml/badge.svg)](https://github.com/<vendor-id>/<github-action>/actions/workflows/test_action.yml)
./actions/<github-action>/README.md:22:        uses: <vendor-id>/<github-action>@<package-version>
./actions/<github-action>/README.md:28:        uses: <vendor-id>/<github-action>@<package-version>
./actions/<github-action>/README.md:43:        uses: <vendor-id>/<github-action>@<package-version>
./actions/<github-action>/README.md:52:        uses: <vendor-id>/<github-action>@<package-version>

emvaldes commented Dec 6, 2024

20. Make sure these external references in the documentation point to the local repository:
Note: Since we are currently using the strategy to target hash-commits, we need to make sure we reflect these specific hashes to reinforce awareness on this issue.

$ git log -p ./README.md ;

commit 58cdc60ac91f7a688a79bb1c8ceb278e73af0e4f (HEAD -> devsecops/<user-id>/<github-action>, origin/devsecops/<user-id>/<github-action>)
Author: Eduardo Valdes <[email protected]>
Date:   Thu Dec 5 15:15:57 2024 -0700

    Correcting all external references to the checksum-validate-action GitHub Action

diff --git a/.github/actions/<github-action>/README.md b/.github/actions/<github-action>/README.md
index e6e62a4ca..b228bfcab 100644
--- a/.github/actions/<github-action>/README.md
+++ b/.github/actions/<github-action>/README.md
@@ -19,13 +19,13 @@ jobs:
       - uses: actions/[email protected]
 
       - name: Generate checksum of string
-        uses: <vendor-id>/<github-action>@v1
+        uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
         with:
           key: test string
           input: hello world
 
       - name: Generate checksum of command output
-        uses: <vendor-id>/<github-action>@v1
+        uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
         with:
           key: test command
           input: $(cat action.yml)
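Review bot: `uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236` is not a valid `uses:` value. A same-repository action is referenced by path only (`uses: ./.github/actions/<github-action>`); a `@ref` suffix is accepted for `{owner}/{repo}` and `{owner}/{repo}/{path}` references, not for `./` paths, so a workflow copied from this README will fail to parse. Since the intent stated in step 20 is to keep the upstream commit visible, record it in a trailing comment instead, e.g. `uses: ./.github/actions/<github-action> # upstream ebdf8c12c00912d18de93c483b935d51582f9236`. The same applies to the three hunks that follow.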
@@ -40,7 +40,7 @@ jobs:
 
       - name: Validate checksum of valid string
         id: valid-string
-        uses: <vendor-id>/<github-action>@v1
+        uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
         with:
           key: test string
           validate: true
@@ -49,7 +49,7 @@ jobs:
 
       - name: Validate checksum of valid command output
         id: valid-command
-        uses: <vendor-id>/<github-action>@v1
+        uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
         with:
           key: test command
           validate: true
@@ -91,4 +91,4 @@ inputs:
 outputs:
   valid:
     description: True if checksums match
-```
\ No newline at end of file
+```
. . .

emvaldes commented Dec 6, 2024

21. Update these references with calls to the local repository (e.g.: .github/actions/):

$ git status ;

On branch devsecops/<user-id>/<github-action>
Your branch is up to date with 'origin/devsecops/<user-id>/<github-action>'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	modified:   actions/<github-action>/README.md
	modified:   actions/deploy-backend/action.yml
	modified:   workflows/release_to_azure.yml

no changes added to commit (use "git add" and/or "git commit -a")

emvaldes commented Dec 6, 2024

22. Push these latest changes to the upstream repository (project):

$ git add . && git commit -m "Correcting external references to the <github-action> GitHub Action" ;

[devsecops/<user-id>/<github-action> 58cdc60ac] Correcting all external references to the <github-action> GitHub Action
 3 files changed, 7 insertions(+), 13 deletions(-)
$ git push ;
Enumerating objects: 19, done.
Counting objects: 100% (19/19), done.
Delta compression using up to 12 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (10/10), 939 bytes | 939.00 KiB/s, done.
Total 10 (delta 7), reused 0 (delta 0), pack-reused 0 (from 0)
remote: Resolving deltas: 100% (7/7), completed with 7 local objects.
remote: 
remote: GitHub found 3 vulnerabilities on CDCgov/prime-reportstream's default branch (2 high, 1 low).
        To find out more, visit:
remote: https://github.com/CDCgov/prime-reportstream/security/dependabot
remote: 
To https://github.com/CDCgov/prime-reportstream.git
   fba4665dd..58cdc60ac  devsecops/<user-id>/<github-action> -> devsecops/<user-id>/<github-action>
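Steps 5 through 21 above, collapsed into one function, as an added example (these are not the commands from this issue, and `vendor_action` / `make_sample_upstream` are this example's names). It adds the check the manual steps leave implicit: after `git checkout <sha>` it confirms with `git rev-parse HEAD` that the commit actually checked out is the one the project references, and it refuses anything shorter than a full 40-hex SHA. It also departs from the step 20 diff in one deliberate way: because a same-repository `uses:` path takes no `@ref`, the pinned commit is written into a trailing comment rather than appended to the path. The upstream repository the demo clones is constructed locally with two commits, so the pin is not simply HEAD.

```shell
#!/usr/bin/env sh
# Added example, not the commands from this issue. Steps 5-21 as one
# function: clone the upstream action, check out the pinned commit, verify
# that the commit actually checked out is the one the project references,
# keep only action.yml and README.md (step 11: no .git, no .github), and
# rewrite the README's "uses: <vendor>/<action>@<ref>" lines to the local
# path (step 20) with the commit recorded in a trailing comment, because a
# same-repository `uses:` path takes no @ref. vendor_action and
# make_sample_upstream are this example's names; the demo upstream is
# constructed locally.

# vendor_action <upstream-url-or-path> <40-hex-sha> <dest-dir> <vendor/name> <local-uses-path>
vendor_action() {
  src="$1"; sha="$2"; dest="$3"; upstream_ref="$4"; local_path="$5"
  case "$sha" in *[!0-9a-f]*|"") echo "expected a full 40-hex commit sha, got '$sha'" >&2; return 2 ;; esac
  [ "${#sha}" -eq 40 ] || { echo "expected a full 40-hex commit sha, got '$sha'" >&2; return 2; }
  tmp=$(mktemp -d)
  git clone -q "$src" "$tmp/src" || { rm -rf "$tmp"; return 1; }
  git -C "$tmp/src" -c advice.detachedHead=false checkout -q "$sha" \
    || { echo "commit $sha not found in $src" >&2; rm -rf "$tmp"; return 1; }
  actual=$(git -C "$tmp/src" rev-parse HEAD)
  [ "$actual" = "$sha" ] || { echo "checked out $actual, expected $sha" >&2; rm -rf "$tmp"; return 1; }
  mkdir -p "$dest"
  for f in action.yml README.md; do          # .git and .github are never copied
    if [ -f "$tmp/src/$f" ]; then cp "$tmp/src/$f" "$dest/$f"; fi
  done
  rm -rf "$tmp"
  if [ -f "$dest/README.md" ]; then
    sed "s|$upstream_ref@[^ ]*|$local_path # vendored at $sha|g" "$dest/README.md" > "$dest/README.md.new" \
      && mv "$dest/README.md.new" "$dest/README.md"
  fi
  # Anything still naming the upstream (badge URLs, prose) is left for manual review.
  grep -n "$upstream_ref" "$dest"/* >&2 || true
}

# make_sample_upstream <dir>: constructed stand-in for the external action
# repository (two commits); prints the sha of the first commit, the one we
# pretend the project references.
make_sample_upstream() {
  dir="$1"
  mkdir -p "$dir/.github/workflows"
  git -c init.defaultBranch=main init -q "$dir"
  printf 'name: sample\nruns:\n  using: composite\n  steps:\n    - run: echo hi\n      shell: bash\n' > "$dir/action.yml"
  printf '# sample\n\n    uses: vendor-id/sample-action@v1\n' > "$dir/README.md"
  printf 'on: push\n' > "$dir/.github/workflows/test_action.yml"
  git -C "$dir" add -A
  git -C "$dir" -c user.name=t -c user.email=t@example.invalid commit -q -m "first"
  pinned=$(git -C "$dir" rev-parse HEAD)
  printf '\nnewer\n' >> "$dir/README.md"
  git -C "$dir" -c user.name=t -c user.email=t@example.invalid commit -q -am "second"
  printf '%s\n' "$pinned"
}

# Stand-alone demo against the constructed upstream.
DEMO=$(mktemp -d)
PIN=$(make_sample_upstream "$DEMO/upstream")
vendor_action "$DEMO/upstream" "$PIN" "$DEMO/repo/.github/actions/sample-action" \
  vendor-id/sample-action ./.github/actions/sample-action
cat "$DEMO/repo/.github/actions/sample-action/README.md"
```

The rev-parse comparison is the step worth keeping even when the rest is done by hand: a typo in the pasted SHA, or a short prefix that git resolves to something else, otherwise goes unnoticed until the vendored action misbehaves. The residual `grep` at the end reproduces step 19 so that badge links and prose still pointing at the upstream are visible before the commit in step 22.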

emvaldes commented Dec 6, 2024

The following Pull Request will merge into the MAIN branch after completing all unit-testings and a complete peer review. #16728

@emvaldes emvaldes removed the DevOps (Work Type label to flag work related to DevOps) label on Dec 6, 2024
emvaldes commented Dec 6, 2024

23. Make sure to provide correct and meaningful information to the Pull Request.

emvaldes commented Dec 6, 2024

24. Make sure all the validation (Unit-Testing) stages are completed and not failed.
Note: It's possible that at times, some non-required tests might fail and you might still be able to merge into the MAIN branch but this should be avoided.

emvaldes commented Dec 6, 2024

25. Make sure you review all your intermediate commits (while working out the details) and determine what is required/valuable and what is irrelevant so it can be purged (Squashed) from the MERGE stage.

emvaldes commented Dec 6, 2024

26. Perform a basic overview of the build focusing on the stages and tests that relate to your changes. Anything else that is not within your control/domain make sure is reported to the development team.

emvaldes commented Dec 6, 2024

27. For example, make sure that critical items related to the DevSecOps team's role are in working condition.

emvaldes commented Dec 6, 2024

28. A Peer Review process should examine all the changed files and the effectiveness of these changes to accomplish the target objectives. Some might provide COMMENTS and at least one APPROVAL.

emvaldes commented Dec 6, 2024

29. Once your Pull Request (PR) is peer reviewed (identify and select a specific contributor or wait for the self-assigned teams), you will have the green light to proceed. At times, you might need to update the current branch with the MAIN branch.

emvaldes commented Dec 6, 2024

30. You must make sure that the Squash and Merge are performed and that you retain only relevant information to be part of the build and merge.

emvaldes commented Dec 6, 2024

31. The conclusion of this process is illustrated here; the only pending item is closing the GitHub Issue, which will be resolved automatically via this process.
