Importing JosiahSiegel GHA: [email protected] #16157
This external repo is now inserted in the file structure at `.github/actions/checksum-validate-action` in the importing-gha branch.

Referenced context variables, environment files and expressions:
- $GITHUB_STEP_SUMMARY
- $GITHUB_OUTPUT
- env.sha
- github.sha
- inputs.input
- inputs.key
- matrix.os
- steps.input_sha.outputs.sha
- steps.valid-command.outputs.valid
- steps.valid-string.outputs.valid
- steps.validate_checksum.outputs.valid
I will be listing each step that must be performed in order to complete the import of an external GitHub Action repository. Note: follow these steps as a guideline; additional steps will be required depending on each project.

A personal/professional comment I would like to point out: I do not believe this is the correct approach for importing these external/remote GitHub Actions. Nevertheless, sometimes what is correct is not what is needed/required, so it all depends on context. My approach would always tend to be as follows:

Perform this specific set of tasks once:

Perform these tasks periodically or when upstream updates are published:

Conclusion: these are significantly less time-consuming and more effort-efficient tasks for managing development workflows upstream while still maintaining the desired/required level of control and safety for our project.
1. Always checkout the MAIN branch:
$ git checkout main ;
Switched to branch 'main'
Your branch is up to date with 'origin/main'.
2. Always update the MAIN branch:
$ git pull ;
remote: Enumerating objects: ?, done.
remote: Counting objects: 100% (?/?), done.
remote: Compressing objects: 100% (?/?), done.
remote: Total ? (delta ?), reused ? (delta ?), pack-reused 0 (from 0)
Unpacking objects: 100% (?/?), ?.? KiB | ?.? MiB/s, done.
From https://github.com/CDCgov/prime-reportstream
abc..xyz main -> origin/main
. . .
Updating abc..xyz
Fast-forward
. . .
3. Create a local branch using the pattern-naming convention:
$ git checkout -b devsecops/<user-id>/<github-action> ;
Switched to a new branch 'devsecops/<user-id>/<github-action>'
4. Push the existing branch state to the remote:
$ git push --set-upstream origin devsecops/<user-id>/<github-action> ;
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
remote:
remote: Create a pull request for 'devsecops/<user-id>/<github-action>' on GitHub by visiting:
remote: https://github.com/CDCgov/prime-reportstream/pull/new/devsecops/<user-id>/<github-action>
remote:
remote: GitHub found ? vulnerabilities on CDCgov/prime-reportstream's default branch (? high, ? low).
To find out more, visit:
remote: https://github.com/CDCgov/prime-reportstream/security/dependabot
remote:
To https://github.com/CDCgov/prime-reportstream.git
* [new branch] devsecops/<user-id>/<github-action> -> devsecops/<user-id>/<github-action>
branch 'devsecops/<user-id>/<github-action>'
set up to track 'origin/devsecops/<user-id>/<github-action>'.
5. Create the target container (filesystem folder) for the external/remote GitHub Action:
$ cd .github/actions/ ;
$ mkdir <github-action> && cd $_ ;
$ ls -al ;
total 0
drwxr-xr-x 2 <user-id> staff 64 Dec 5 14:51 .
drwxr-xr-x 26 <user-id> staff 832 Dec 5 14:51 ..
$ pwd ;
/repos/hhs/cdc/prime-reportstream/.github/actions/<github-action>
6. Clone the external/remote GitHub Action repository:
$ git clone https://github.com/<vendor-id>/<github-action>.git . ;
Cloning into '.'...
remote: Enumerating objects: 143, done.
remote: Counting objects: 100% (80/80), done.
remote: Compressing objects: 100% (52/52), done.
remote: Total 143 (delta 38), reused 46 (delta 24), pack-reused 63 (from 1)
Receiving objects: 100% (143/143), 52.98 KiB | 645.00 KiB/s, done.
Resolving deltas: 100% (47/47), done.
7. List the local repository file structure:
$ tree -a ;
.
├── .git ...
├── .github
│   ├── dependabot.yml
│   └── workflows
│       └── test_action.yml
├── README.md
└── action.yml
19 directories, 32 files
8. List the local repository log:
$ git log ;
commit 806ce2fa215d520071c6d4faf8d2588a65e23749 (HEAD -> main, origin/main, origin/HEAD)
Merge: abcb2c6 59444f8
Author: <vendor-id> <5522990+<vendor-id>@users.noreply.github.com>
Date: Fri Aug 2 08:36:54 2024 -0400
Merge pull request #31 from <vendor-id>/dependabot/github_actions/actions/download-artifact-4.1.8
Bump actions/download-artifact from 4.1.7 to 4.1.8
. . .
9. Checkout the target commit hash (the one referenced in the PRIME-ReportStream application):
$ git checkout ebdf8c12c00912d18de93c483b935d51582f9236 ;
Note: switching to 'ebdf8c12c00912d18de93c483b935d51582f9236'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at ebdf8c1 Merge pull request #16 from <vendor-id>/dependabot/github_actions/actions/download-artifact-4.1.2
10. List the GitHub Action (e.g.: action.yml) change log (v1.5):
$ git log -p ./action.yml ;
commit 20fe3f0b1e20bf44f7c1c0dde8b7e6798ac123e7
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri Feb 16 14:57:08 2024 +0000
Bump actions/download-artifact from 4.1.0 to 4.1.2
Bumps [actions/download-artifact](https://github.com/actions/download-artifact)
from 4.1.0 to 4.1.2.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/f44cd7b...eaceaf8)
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
diff --git a/action.yml b/action.yml
index 149b759..1ad3023 100644
--- a/action.yml
+++ b/action.yml
@@ -77,7 +77,7 @@ runs:
# VALIDATE FILE START
- name: Download checksum file
if: inputs.validate == 'true'
- uses: actions/download-artifact@f44cd7b
+ uses: actions/download-artifact@eaceaf8
with:
name: "${{ github.sha }}-${{ inputs.key }}.txt"
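Review bot: `uses: actions/download-artifact@eaceaf8` pins to an abbreviated SHA. Prefer the full 40-character commit SHA with the version in a trailing comment (for example `uses: actions/download-artifact@<full-sha> # v4.1.2`, where `<full-sha>` is the commit the short prefix resolves to today), which is what GitHub recommends for third-party actions: a short prefix can become ambiguous as upstream history grows and is harder for a reviewer to match against the release. Since this is the upstream commit being imported unchanged, the correction belongs in the vendored copy reviewed at step 14.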
. . .
11. Purge non-usable components (e.g.: the .git and .github folders):
$ rm -rf .git .github ;
$ ls -al ;
total 16
drwxr-xr-x 4 <user-id> staff 128 Dec 5 15:00 .
drwxr-xr-x 26 <user-id> staff 832 Dec 5 14:51 ..
-rw-r--r-- 1 <user-id> staff 2475 Dec 5 14:52 README.md
-rw-r--r-- 1 <user-id> staff 3358 Dec 5 14:54 action.yml
12. Modify all the configuration files that need to be updated:
$ git status ;
On branch devsecops/<user-id>/<github-action>
Your branch is up to date with 'origin/devsecops/<user-id>/<github-action>'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: dependabot.yml
Untracked files:
(use "git add <file>..." to include in what will be committed)
actions/<github-action>/
no changes added to commit (use "git add" and/or "git commit -a")
13. Modify the dependabot.yml file and review its changes:
$ git log -p ./dependabot.yml ;
commit fba4665dd899767e4ea4da2c6cc5418bef835037
Author: Eduardo Valdes <[email protected]>
Date: Thu Dec 5 15:06:13 2024 -0700
Integrating the <github-action> GitHub Action into project
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 498f787b1..6365ac269 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -125,6 +125,11 @@ updates:
schedule:
interval: "daily"
+ - package-ecosystem: "github-actions"
+ directory: "/.github/actions/<github-action>"
+ schedule:
+ interval: "daily"
+
# Frontend
- package-ecosystem: "npm"
directory: "/frontend-react"
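Review bot: the new `package-ecosystem: "github-actions"` entry with `directory: "/.github/actions/<github-action>"` only helps if Dependabot actually scans the vendored `action.yml` at that path; this ecosystem has traditionally been driven by the workflow files under `/.github/workflows`, so after merging, check the repository's Dependabot tab (or trigger a manual update check) and confirm that the `actions/download-artifact` pin inside the copied action shows up as monitored. If it does not, the composite action's pinned dependencies will age silently, which is exactly the update gap this entry is meant to close.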
. . .
14. Modify, if needed, the .github/actions/<github-action>/action.yml file and review its changes:
$ git log ./github/actions/<github-action>/action.yml ;
commit fba4665dd899767e4ea4da2c6cc5418bef835037
Author: Eduardo Valdes <[email protected]>
Date: Thu Dec 5 15:06:13 2024 -0700
Integrating the <github-action> GitHub Action into project
. . .
15. Stage and list all performed changes:
$ git add . ;
$ git status ;
On branch devsecops/<user-id>/<github-action>
Your branch is up to date with 'origin/devsecops/<user-id>/<github-action>'.
Changes to be committed:
(use "git restore --staged <file>..." to unstage)
new file: actions/<github-action>/README.md
new file: actions/<github-action>/action.yml
modified: dependabot.yml
16. Commit with a meaningful message:
$ git commit -m "Integrating the <github-action> GitHub Action into project" ;
[devsecops/<user-id>/<github-action> fba4665dd]
Integrating the <github-action> GitHub Action into project
3 files changed, 210 insertions(+)
create mode 100644 .github/actions/<github-action>/README.md
create mode 100644 .github/actions/<github-action>/action.yml
17. List the current local repository status:
$ git status ;
On branch devsecops/<user-id>/<github-action>
Your branch is ahead of 'origin/devsecops/<user-id>/<github-action>' by 1 commit.
(use "git push" to publish your local commits)
nothing to commit, working tree clean
18. Push the changes upstream:
$ git push ;
Enumerating objects: 12, done.
Counting objects: 100% (12/12), done.
Delta compression using up to 12 threads
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 2.44 KiB | 2.44 MiB/s, done.
Total 8 (delta 4), reused 0 (delta 0), pack-reused 0 (from 0)
remote: Resolving deltas: 100% (4/4), completed with 4 local objects.
remote:
remote: GitHub found 3 vulnerabilities on CDCgov/prime-reportstream's default branch (2 high, 1 low).
To find out more, visit:
remote: https://github.com/CDCgov/prime-reportstream/security/dependabot
remote:
To https://github.com/CDCgov/prime-reportstream.git
e564319f2..fba4665dd devsecops/<user-id>/<github-action> -> devsecops/<user-id>/<github-action>
19. Search for all references to this package across the GitHub Workflows and Actions:
$ find . -type f | xargs -I {} egrep -Hni "<vendor-id>/<github-action>" {} ;
./actions/<github-action>/README.md:3:[![Test Action](https://github.com/<vendor-id>/<github-action>/actions/workflows/test_action.yml/badge.svg)](https://github.com/<vendor-id>/<github-action>/actions/workflows/test_action.yml)
./actions/<github-action>/README.md:22: uses: <vendor-id>/<github-action>@<package-version>
./actions/<github-action>/README.md:28: uses: <vendor-id>/<github-action>@<package-version>
./actions/<github-action>/README.md:43: uses: <vendor-id>/<github-action>@<package-version>
./actions/<github-action>/README.md:52: uses: <vendor-id>/<github-action>@<package-version>
20. Make sure these external references in the documentation point to the local repository:
$ git log -p ./README.md ;
commit 58cdc60ac91f7a688a79bb1c8ceb278e73af0e4f (HEAD -> devsecops/<user-id>/<github-action>, origin/devsecops/<user-id>/<github-action>)
Author: Eduardo Valdes <[email protected]>
Date: Thu Dec 5 15:15:57 2024 -0700
Correcting all external references to the checksum-validate-action GitHub Action
diff --git a/.github/actions/<github-action>/README.md b/.github/actions/<github-action>/README.md
index e6e62a4ca..b228bfcab 100644
--- a/.github/actions/<github-action>/README.md
+++ b/.github/actions/<github-action>/README.md
@@ -19,13 +19,13 @@ jobs:
- uses: actions/[email protected]
- name: Generate checksum of string
- uses: <vendor-id>/<github-action>@v1
+ uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
with:
key: test string
input: hello world
- name: Generate checksum of command output
- uses: <vendor-id>/<github-action>@v1
+ uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
with:
key: test command
input: $(cat action.yml)
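Review bot: `uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236` is not a valid form for an in-repository action. The runner treats anything starting with `./` as a path inside the checked-out repository and does not split off an `@ref`, so the suffix becomes part of the directory name and the action will not be found at run time. Use `uses: ./.github/actions/<github-action>` (its version is simply whichever commit of this repository is checked out) and record the imported upstream commit `ebdf8c1` in a comment or in the README, where it stays reviewable. The same applies to the identical lines in the two hunks that follow.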
@@ -40,7 +40,7 @@ jobs:
- name: Validate checksum of valid string
id: valid-string
- uses: <vendor-id>/<github-action>@v1
+ uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
with:
key: test string
validate: true
@@ -49,7 +49,7 @@ jobs:
- name: Validate checksum of valid command output
id: valid-command
- uses: <vendor-id>/<github-action>@v1
+ uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
with:
key: test command
validate: true
@@ -91,4 +91,4 @@ inputs:
outputs:
valid:
description: True if checksums match
-```
\ No newline at end of file
+```
. . .
21. Update these references with calls to the local repository (e.g.: .github/actions/):
22. Push these latest changes to the upstream repository (project):
$ git add . && git commit -m "Correcting external references to the <github-action> GitHub Action" ;
[devsecops/<user-id>/<github-action> 58cdc60ac]
Correcting all external references to the <github-action> GitHub Action
3 files changed, 7 insertions(+), 13 deletions(-)
devops: .github (devsecops/<user-id>/<github-action>>) $ git push ;
Enumerating objects: 19, done.
Counting objects: 100% (19/19), done.
Delta compression using up to 12 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (10/10), 939 bytes | 939.00 KiB/s, done.
Total 10 (delta 7), reused 0 (delta 0), pack-reused 0 (from 0)
remote: Resolving deltas: 100% (7/7), completed with 7 local objects.
remote:
remote: GitHub found 3 vulnerabilities on CDCgov/prime-reportstream's default branch (2 high, 1 low).
To find out more, visit:
remote: https://github.com/CDCgov/prime-reportstream/security/dependabot
remote:
To https://github.com/CDCgov/prime-reportstream.git
fba4665dd..58cdc60ac devsecops/<user-id>/<github-action> -> devsecops/<user-id>/<github-action>
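Steps 19 to 21 above, as an added check that is not part of the project's tooling: it walks the workflow, action and README files under a repository root, reports every `uses:` that still points at the upstream `<vendor-id>/<github-action>` repository, and also flags local `./` references that carry an `@ref` suffix, since the runner resolves `./` references as paths inside the checked-out repository and does not split off a ref. The fixture repository and its workflow are constructed here for illustration; the file types scanned are my choice.

```shell
#!/usr/bin/env sh
# audit_uses ROOT UPSTREAM_REPO
#   Scans *.yml, *.yaml and *.md files under ROOT for `uses:` lines and prints
#   "file:line:reason:ref" for each reference that still needs attention:
#     external-ref            -> still points at UPSTREAM_REPO (steps 19-21)
#     local-ref-with-version  -> "./path@ref": the runner keeps the whole
#                                string as a path, so the action is not found
#   Returns 0 when nothing was found, 1 otherwise.
audit_uses() {
  root=$1; upstream=$2
  findings=$(find "$root" -type f \( -name '*.yml' -o -name '*.yaml' -o -name '*.md' \) \
      -exec grep -Hn 'uses:' {} + | while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}; line=${rest%%:*}
        # strip the "uses:" key plus any quoting and whitespace around the ref
        ref=$(printf '%s' "${rest#*uses:}" | tr -d " \"'")
        case $ref in
          "$upstream"|"$upstream"@*) echo "$file:$line:external-ref:$ref" ;;
          ./*@*)                     echo "$file:$line:local-ref-with-version:$ref" ;;
        esac
      done)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# make_fixture: constructed sample repository (not the real project) with one
# workflow that still references upstream, one local reference carrying an
# @sha suffix, and one correct local reference. Prints the fixture path.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/.github/workflows" "$d/.github/actions/checksum-validate-action"
  cat > "$d/.github/workflows/build.yml" <<'EOF'
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - name: Generate checksum
        uses: JosiahSiegel/checksum-validate-action@v1
      - name: Validate checksum
        uses: "./.github/actions/checksum-validate-action@ebdf8c12c00912d18de93c483b935d51582f9236"
      - name: Correct local reference
        uses: ./.github/actions/checksum-validate-action
EOF
  echo "$d"
}
```

Run it from the repository root as `audit_uses . <vendor-id>/<github-action>`; a non-zero exit with no output means nothing was found, so the command is usable as a pre-merge gate.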
The following pull request, #16728, will merge into the MAIN branch after all unit tests and a complete peer review are done.
Profile: JosiahSiegel
Status: Importing (In-Progress)
Objective: Determine if the test string checksum is valid or invalid.
  a. Validation is possible across jobs since the checksum is uploaded as a workflow artifact.
Target: [email protected] : ebdf8c1
Latest: checksum-validate-action (806ce2fa215d520071c6d4faf8d2588a65e23749)
Note: Further development was made upstream and is not referenced/used in the project.
The checksum-validate-action is a GitHub Action designed to generate and validate checksums from strings or command outputs within your workflows. This functionality is particularly useful for ensuring data integrity and consistency across different stages of your pipeline.

Key Features:

Inputs:
- key (required): A unique identifier to associate the checksum with a specific validation context.
- input (required): The string or command output to generate the checksum from.
- validate (optional, default: false): Indicates whether to perform a validation check against a previously generated checksum.
- fail-invalid (optional, default: false): Determines if the action should fail the step when the checksum validation is unsuccessful.

Outputs:
- valid: A boolean indicating whether the checksum validation was successful.

Technical Evaluation:

The action is implemented as a composite action, executing a series of shell commands to perform checksum operations. The workflow includes the following steps:
- Uses the sha256sum command to generate a SHA-256 checksum from the provided input.
- Sets the valid output based on the comparison result and optionally fails the step if validation fails and fail-invalid is set to true.

Usage Example:
Relevance to Your Pipeline:

If your pipeline involves scenarios where data integrity verification is crucial—such as ensuring that files or outputs remain unchanged across different stages or jobs—this action provides a straightforward method to implement such checks. It can help detect unintended modifications, ensuring consistency and reliability in your workflows. However, if your pipeline does not require such integrity checks or if similar validations are already implemented through other means, this action may be considered non-essential.

Conclusion:

The checksum-validate-action offers a practical solution for generating and validating checksums within GitHub workflows, enhancing data integrity and consistency. Its utility depends on your pipeline's specific requirements for data verification. Assessing your current processes for ensuring data integrity will help determine the action's relevance to your workflows.
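The generate/validate flow described under Technical Evaluation, as an added example written for this page and not the action's own code: the same sha256sum comparison, `valid` output and `fail-invalid` semantics in plain POSIX shell so they can be exercised locally. It assumes (my choice) that checksums are kept as files under a directory instead of a workflow artifact, and that the `valid` output is appended to the file named by OUTPUT_FILE, standing in for $GITHUB_OUTPUT.

```shell
#!/usr/bin/env sh
# Illustration of the checksum-validate-action flow; not the action's own code.
# Storage assumption: <store>/<key>.sha256 stands in for the workflow artifact
# the action uploads. Output assumption: "valid=true|false" is appended to
# $OUTPUT_FILE, the local stand-in for $GITHUB_OUTPUT (/dev/null when unset).

# sha256_of STRING: hex SHA-256 of STRING as sha256sum prints it, falling back
# to shasum on systems without GNU coreutils.
sha256_of() {
  printf '%s' "$1" \
    | { command -v sha256sum >/dev/null 2>&1 && sha256sum || shasum -a 256; } \
    | cut -d' ' -f1
}

# checksum_generate KEY INPUT STORE: record the checksum of INPUT under KEY
# (the validate=false path of the action).
checksum_generate() {
  mkdir -p "$3" && sha256_of "$2" > "$3/$1.sha256"
}

# checksum_validate KEY INPUT STORE [FAIL_INVALID]: compare INPUT with the
# checksum recorded for KEY (the validate=true path). Always writes the
# `valid` output; a missing checksum counts as invalid. Returns 1 only when
# the result is invalid AND FAIL_INVALID is "true" (the fail-invalid input),
# otherwise 0, so a workflow can branch on the output instead of failing.
checksum_validate() {
  key=$1; input=$2; store=$3; fail_invalid=${4:-false}
  if [ -f "$store/$key.sha256" ] &&
     [ "$(cat "$store/$key.sha256")" = "$(sha256_of "$input")" ]; then
    valid=true
  else
    valid=false
  fi
  echo "valid=$valid" >> "${OUTPUT_FILE:-/dev/null}"
  [ "$valid" = true ] || [ "$fail_invalid" != true ]
}
```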