[GHA] Add StepSecurity workflow updates #3242
Conversation
Signed-off-by: StepSecurity Bot <[email protected]>
imnasnainaec
changed the title
imnasnainaec
added
security
github_actions
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #3242 +/- ##
=======================================
Coverage 74.80% 74.80%
=======================================
Files 277 277
Lines 10635 10635
Branches 1278 1278
=======================================
+ Hits 7955 7956 +1
Misses 2316 2316
+ Partials 364 363 -1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Reviewed 7 of 9 files at r1.
Reviewable status: 7 of 9 files reviewed, 1 unresolved discussion (waiting on @imnasnainaec)
.pre-commit-config.yaml line 22 at r1 (raw file):
rev: v2.17.2 hooks: - id: pylint
We already have a GitHub action to lint our Python code with tox. How do we know that this will not have conflicts or that it will improve the code?
We should hold off on this until we have tried it out and seen if it does a better job than what we have with tox.
Code quote:
- repo: https://github.com/pylint-dev/pylint
rev: v2.17.2
hooks:
- id: pylint
There was a problem hiding this comment.
Reviewable status: 6 of 9 files reviewed, 1 unresolved discussion (waiting on @imnasnainaec)
.pre-commit-config.yaml line 22 at r1 (raw file):
From https://github.com/pylint-dev/pylint:
Pylint is not trusting your typing and is inferring the actual value of nodes (for a start because there was no typing when pylint started off) using its internal code representation (astroid). If your code is
import logging as argparse, Pylint can check and know thatargparse.error(...)is in fact a logging call and not an argparse call. This makes pylint slower, but it also lets pylint find more issues if your code is not fully typed.
Since our Python code is fully typed I suggest we use tox instead of this.
There was a problem hiding this comment.
Reviewable status: 6 of 9 files reviewed, 1 unresolved discussion (waiting on @imnasnainaec and @jmgrady)
.pre-commit-config.yaml line 22 at r1 (raw file):
Previously, jmgrady (Jim Grady) wrote…
From https://github.com/pylint-dev/pylint:
Pylint is not trusting your typing and is inferring the actual value of nodes (for a start because there was no typing when pylint started off) using its internal code representation (astroid). If your code is
import logging as argparse, Pylint can check and know thatargparse.error(...)is in fact a logging call and not an argparse call. This makes pylint slower, but it also lets pylint find more issues if your code is not fully typed.Since our Python code is fully typed I suggest we use
toxinstead of this.
Small fish released.
imnasnainaec
changed the title
There was a problem hiding this comment.
Reviewed 1 of 3 files at r3, all commit messages.
Reviewable status: 7 of 9 files reviewed, 1 unresolved discussion (waiting on @imnasnainaec)
imnasnainaec
changed the title
There was a problem hiding this comment.
Reviewed 2 of 3 files at r3.
Reviewable status: 6 of 10 files reviewed, 3 unresolved discussions (waiting on @imnasnainaec)
.github/actions/combine-build/action.yml line 44 at r4 (raw file):
- name: Configure AWS credentials uses: aws-actions/[email protected]
This can be pinned as well, à la .github/workflows/deploy_qa.yml
aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
Code quote:
uses: aws-actions/[email protected].github/actions/combine-build/action.yml line 51 at r4 (raw file):
- name: Login to AWS ECR uses: docker/[email protected]
Similarly, this can be pinned. .github/workflows/combine_deploy_image.yml has
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
(This file should probably be brought up to 3.2.0 with its SHA256 sum.)
Code quote:
uses: docker/[email protected]Backend/Dockerfile line 14 at r3 (raw file):
# Build runtime image. FROM mcr.microsoft.com/dotnet/aspnet:8.0.6-jammy-amd64@sha256:508870ea8c866710365cef2ba45c25caa172463756e8d7a94733ba49501a6a23
This (and the other Dockerfiles) specify a tag but also has an sha256 checksum to pin it to a specific commit. What happens if the tag moves? (which it the argument for pinning to a specific commit instead of a tag).
Code quote:
FROM mcr.microsoft.com/dotnet/aspnet:8.0.6-jammy-amd64@sha256:508870ea8c866710365cef2ba45c25caa172463756e8d7a94733ba49501a6a23
There was a problem hiding this comment.
Reviewed 1 of 9 files at r1, 3 of 3 files at r4, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @imnasnainaec)
There was a problem hiding this comment.
Reviewable status: 9 of 10 files reviewed, 3 unresolved discussions (waiting on @jmgrady)
.github/actions/combine-build/action.yml line 44 at r4 (raw file):
Previously, jmgrady (Jim Grady) wrote…
This can be pinned as well, à la
.github/workflows/deploy_qa.ymlaws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
Done.
.github/actions/combine-build/action.yml line 51 at r4 (raw file):
Previously, jmgrady (Jim Grady) wrote…
Similarly, this can be pinned.
.github/workflows/combine_deploy_image.ymlhasuses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0(This file should probably be brought up to 3.2.0 with its SHA256 sum.)
Rather than manually hunt down the SHA256 sum, I rolled this back to 3.1 to match the others and let dependabot push us forward automatically with the checksums.
Backend/Dockerfile line 14 at r3 (raw file):
Previously, jmgrady (Jim Grady) wrote…
This (and the other Dockerfiles) specify a tag but also has an sha256 checksum to pin it to a specific commit. What happens if the tag moves? (which it the argument for pinning to a specific commit instead of a tag).
Good questions. I would be surprised if they recommended such a fragile pinning and had assumed that the :<tag> implicitly covered a range of @<digest>s. However, the Docker documentation (https://docs.docker.com/reference/dockerfile/#from) doesn't cover using both, so we could roll back the pinning in these and just keep doing what we we're doing.
There was a problem hiding this comment.
Reviewed 1 of 1 files at r5, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @imnasnainaec)
Backend/Dockerfile line 14 at r3 (raw file):
Previously, imnasnainaec (D. Ror.) wrote…
Good questions. I would be surprised if they recommended such a fragile pinning and had assumed that the
:<tag>implicitly covered a range of@<digest>s. However, the Docker documentation (https://docs.docker.com/reference/dockerfile/#from) doesn't cover using both, so we could roll back the pinning in these and just keep doing what we were doing.
Yes, let's roll back the pinning for now. We used to pin the images for the Dockerfiles but it became a maintenance issue. You can't add a comment at the end of the line in a Docker file like you can in YAML - I had to add it above. This means that dependabot will not keep it up to date and, as I mentioned in slack, frequently I could not lookup the version to update the comment.
imnasnainaec
changed the title
There was a problem hiding this comment.
Reviewable status: 5 of 10 files reviewed, 1 unresolved discussion (waiting on @jmgrady)
Backend/Dockerfile line 14 at r3 (raw file):
Previously, jmgrady (Jim Grady) wrote…
Yes, let's roll back the pinning for now. We used to pin the images for the Dockerfiles but it became a maintenance issue. You can't add a comment at the end of the line in a Docker file like you can in YAML - I had to add it above. This means that
dependabotwill not keep it up to date and, as I mentioned in slack, frequently I could not lookup the version to update the comment.
Done.
There was a problem hiding this comment.
Reviewed 5 of 5 files at r6, all commit messages.
Reviewable status:complete! all files reviewed, all discussions resolved (waiting on @imnasnainaec)
Replaces #3241
Also updates dependency versions in
.github/actions/combine-build/action.ymlto deal with the warnings in (e.g.) https://github.com/sillsdev/TheCombine/actions/runs/9858844431:This change is