From e7b44e549fc45a4182a46999c5d99ffa66fb977d Mon Sep 17 00:00:00 2001 From: Tony Hsu Date: Tue, 4 Mar 2025 15:50:33 +0100 Subject: [PATCH 1/2] Fix vul --- .github/workflows/_unit_test.yml | 5 ++++- .github/workflows/build-gem.yml | 15 +++++---------- .github/workflows/system-tests.yml | 21 +++++++++++++++------ .github/workflows/test.yml | 8 ++++++-- 4 files changed, 30 insertions(+), 19 deletions(-) diff --git a/.github/workflows/_unit_test.yml b/.github/workflows/_unit_test.yml index f76f24acdfe..5194df9bb49 100644 --- a/.github/workflows/_unit_test.yml +++ b/.github/workflows/_unit_test.yml @@ -36,9 +36,12 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Generate lockfile id: lockfile + env: + LOCKFILE: lockfile-${{ inputs.alias }}-${{ github.run_id }} run: | bundle lock - echo "lockfile=lockfile-${{ inputs.alias }}-${{ github.run_id }}" >> $GITHUB_OUTPUT + echo "lockfile=$LOCKFILE" >> $GITHUB_OUTPUT + - name: Upload lockfile uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: diff --git a/.github/workflows/build-gem.yml b/.github/workflows/build-gem.yml index 4586076d234..3af25a6bdcc 100644 --- a/.github/workflows/build-gem.yml +++ b/.github/workflows/build-gem.yml @@ -37,18 +37,13 @@ jobs: bundler-cache: true # runs 'bundle install' and caches installed gems automatically - name: Patch version if: ${{ matrix.type != 'final' }} + env: + GHA_RUN_ID: ${{ github.run_id }} + GIT_REF: ${{ github.ref }} + GIT_SHA: ${{ github.sha }} run: | - # Obtain context information - gha_run_id='${{ github.run_id }}' - git_ref='${{ github.ref }}' - git_sha='${{ github.sha }}' + .gitlab/patch_gem_version.sh gha $GHA_RUN_ID $GIT_REF $GIT_SHA; - # Output info for CI debug - echo gha_run_id="${gha_run_id}" - echo git_ref="${git_ref}" - echo git_sha="${git_sha}" - - .gitlab/patch_gem_version.sh gha $gha_run_id $git_ref $git_sha; - name: Patch gem host if: ${{ matrix.type != 'final' }} run: | 
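Review bot: The new `echo "lockfile=$LOCKFILE" >> $GITHUB_OUTPUT` line still leaves `$GITHUB_OUTPUT` unquoted and writes a caller-supplied value (`inputs.alias`, presumably a `workflow_call` input from whichever workflow calls `_unit_test.yml`) into a line-oriented outputs file, so a value with an embedded newline could define an extra output key. Prefer `echo "lockfile=${LOCKFILE}" >> "$GITHUB_OUTPUT"` and, if the alias is meant to be a short slug, reject anything else first with `[[ "$LOCKFILE" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1`. Moving the expression out of `run:` and into `env:` does close the shell-injection path this commit targets; this is the residual. The `Upload lockfile` step's `with:` block continues past the hunk, so I cannot see how the name is consumed there.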
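Review bot: The added `.gitlab/patch_gem_version.sh gha $GHA_RUN_ID $GIT_REF $GIT_SHA;` passes all three variables unquoted; git forbids spaces and glob characters in ref names, so this works today, but quoting is the habit the rest of this commit is establishing and it costs nothing: `.gitlab/patch_gem_version.sh gha "$GHA_RUN_ID" "$GIT_REF" "$GIT_SHA"` (the trailing `;` does nothing). Taking `github.ref` out of a `${{ }}` interpolation inside `run:` is the right fix, since ref names may legally contain `;`, `$`, backticks and quotes. Whether `patch_gem_version.sh` itself handles the ref safely is outside this hunk.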
diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml index dc1bc4ee4f9..b7a4e75f6bd 100644 --- a/.github/workflows/system-tests.yml +++ b/.github/workflows/system-tests.yml @@ -87,8 +87,11 @@ jobs: run: | docker image list - name: Log in to the Container registry - run: | - echo ${{ secrets.GITHUB_TOKEN }} | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Tag image for CI run run: docker tag ${{ matrix.image.internal }} ${{ env.REPO }}/system-tests/${{ matrix.image.name }}:gha${{ github.run_id }}-g${{ github.sha }} - name: Push image for CI run @@ -182,8 +185,11 @@ jobs: docker pull "${{ env.REPO }}/system-tests/${{ matrix.library.name }}/${{ matrix.image }}-${{ matrix.app }}:g${sha}" || true done - name: Log in to the Container registry - run: | - echo ${{ secrets.GITHUB_TOKEN }} | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Build run: | cache_from=() @@ -470,8 +476,11 @@ jobs: name: Cleanup (${{ matrix.image }}) steps: - name: Log in to the Container registry - run: | - echo ${{ secrets.GITHUB_TOKEN }} | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0 with: package-version-ids: "gha${{ github.run_id }}-g${{ github.sha }}" 
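Review bot: The new `docker/login-action` step relies on the action's default `logout: true` post-step to remove `${{ secrets.GITHUB_TOKEN }}` from `~/.docker/config.json` at the end of the job, which is better than the inline `docker login` it replaces but is implicit; add `# login-action logs out in a post-step; keep the default logout: true` above the step so the property survives a later edit. The `docker tag` line just below still expands `${{ matrix.image.internal }}` and `${{ matrix.image.name }}` inline; those values come from the job's matrix (outside the hunk) and so are repository-controlled, but moving them into `env:` like the other steps in this commit keeps the pattern uniform. The push also needs `packages: write` on the job, which is not visible here.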
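Review bot: The Cleanup job's new login step writes the registry credential to the runner, but the only following step in this hunk, `actions/delete-package-versions`, deletes through the GitHub Packages API with a token rather than through the Docker CLI, so the login appears unused; if no later step in the job runs `docker`, drop the step so the token is never written to Docker config at all. The job continues past the hunk, so confirm before removing it. Separately, the pre-existing `package-version-ids: "gha…-g…"` line passes a tag-like string to an input that appears to expect numeric package version IDs; not part of this change, but worth checking that the cleanup actually deletes anything.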
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e9e41fc3ebb..9c089c6f971 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -147,9 +147,13 @@ jobs: # # This is a workaround to manually set the correct git commit sha for the pull request event. - if: github.event_name == 'pull_request' - run: echo "DD_GIT_COMMIT_SHA=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV + env: + DD_GIT_COMMIT_SHA: ${{ github.event.pull_request.head.sha }} + run: echo "DD_GIT_COMMIT_SHA=$DD_GIT_COMMIT_SHA" >> $GITHUB_ENV - if: github.event_name != 'pull_request' - run: echo "DD_GIT_COMMIT_SHA=${{ github.sha }}" >> $GITHUB_ENV + env: + DD_GIT_COMMIT_SHA: ${{ github.sha }} + run: echo "DD_GIT_COMMIT_SHA=$DD_GIT_COMMIT_SHA" >> $GITHUB_ENV - run: echo $DD_GIT_COMMIT_SHA - name: Upload junit reports run: datadog-ci junit upload --verbose tmp/rspec/ From 27e6c585a940bb1cb37991ebad5de84f9b967744 Mon Sep 17 00:00:00 2001 From: Tony Hsu Date: Tue, 4 Mar 2025 16:00:32 +0100 Subject: [PATCH 2/2] Add zizmor job --- .github/workflows/check.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index dc69f33662d..ab8470a64c7 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -112,6 +112,25 @@ jobs: env: SEMGREP_RULES: p/default + zizmor: + name: zizmor + runs-on: ubuntu-24.04 + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v5 + + - name: Run zizmor 🌈 + run: uvx zizmor --format sarif . + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + complete: name: Static Analysis (complete) needs: 
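Review bot: Both new `echo "DD_GIT_COMMIT_SHA=$DD_GIT_COMMIT_SHA" >> $GITHUB_ENV` lines leave `$GITHUB_ENV` unquoted; write `>> "$GITHUB_ENV"`. More simply, the two `if`/`env`/`run` steps only exist to copy a context value into the job environment, which needs no shell at all: a single `DD_GIT_COMMIT_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}` under the job's `env:` (outside this hunk) replaces both steps and the `echo $DD_GIT_COMMIT_SHA` debug line. The `&&`/`||` idiom is safe here because a commit SHA is never empty or falsy.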
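Review bot: `astral-sh/setup-uv@v5` is pinned to a mutable tag while every other action in this commit, including the `actions/checkout` two lines above it, is pinned to a full commit SHA with a version comment; zizmor's own `unpinned-uses` audit will flag this job, so pin it the same way. The `uvx zizmor --format sarif .` step writes SARIF to stdout and nothing uploads it, so `security-events: write` is granted with no consumer and findings are only visible through the exit status; either redirect the output to a file and add `github/codeql-action/upload-sarif` (which justifies the permission), or drop `--format sarif` and the permission and rely on the non-zero exit. `uvx zizmor` with no version resolves the latest release on every run, so pin it (`uvx zizmor@<version>`) to keep the checker itself reproducible. If you do upload, zizmor exits non-zero when it reports findings, so the upload step needs `if: always()` or zizmor needs its `--no-exit-codes` flag.
```yaml
      - name: Install uv
        uses: astral-sh/setup-uv@<commit-sha>  # v5.x.y — pin to a SHA like the other actions
      - name: Run zizmor 🌈
        run: uvx zizmor@<version> --format sarif . > zizmor.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload zizmor SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@<commit-sha>  # pin to a SHA
        with:
          sarif_file: zizmor.sarif
          category: zizmor
```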
@@ -121,6 +140,7 @@ jobs: - 'semgrep' - 'dd-software-composition-analysis' - 'dd-static-analysis' + - 'zizmor' runs-on: ubuntu-24.04 steps: - run: echo "Done"