From 7a4d6112e9d8d42ffa75930066b81ae0117cb922 Mon Sep 17 00:00:00 2001 From: darrenge Date: Mon, 10 Feb 2025 16:41:33 -0800 Subject: [PATCH 01/13] Security compliance fix - Setting CI and Nightly GH actions to Read Only. --- .github/workflows/ci.yml | 3 +++ .github/workflows/nightly.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5f17bb7e4c..d00048fecb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,6 +12,9 @@ env: DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1 DOTNET_NOLOGO: true +permissions: + contents: read + jobs: changes: name: Check for changes diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 5c9264a090..25adcdfe28 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -8,6 +8,9 @@ env: DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1 DOTNET_NOLOGO: true +permissions: + contents: read + jobs: build-test-garnet: name: Garnet From 6a5559b1a22bbc88f27c81404cacb2717ed4a432 Mon Sep 17 00:00:00 2001 From: darrenge Date: Tue, 11 Feb 2025 15:07:26 -0800 Subject: [PATCH 02/13] Added Tagged Pin for third party. DeployWebsite & BDN Benchmark --- .github/workflows/ci-bdnbenchmark.yml | 4 ++-- .github/workflows/deploy-website.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci-bdnbenchmark.yml b/.github/workflows/ci-bdnbenchmark.yml index 96d1df1e53..5613972a91 100644 --- a/.github/workflows/ci-bdnbenchmark.yml +++ b/.github/workflows/ci-bdnbenchmark.yml @@ -22,7 +22,7 @@ jobs: - name: Check out code uses: actions/checkout@v4 - name: Apply filter - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 #v3 for security reasons have pinned tag (commit SHA) for 3rd party id: filter with: filters: | 
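Review bot: The workflow-level `contents: read` also caps the `changes` job, and the `dorny/paths-filter` step that job runs (SHA-pinned in a later commit on this page) needs `pull-requests: read` on pull_request events per its README, so if ci.yml is triggered by pull requests this block should gain one line, `pull-requests: read`, or the `changes` job should declare that permission at job level. The nightly.yml hunk in this commit is fine read-only unless one of its steps (not visible here) calls the GitHub API. A comment above the block keeps the next editor from widening it globally: `# Least-privilege default; anything beyond read is granted per job, never here.`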
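Review bot: The pin comment `#v3 for security reasons have pinned tag (commit SHA) for 3rd party` names only the major line, so nobody can later tell which release the SHA was taken from; the convention Dependabot and Renovate parse to keep a SHA pin current is a short `# vX.Y.Z` (the exact tag the SHA resolves to; value to be filled in), with a space after `#` and two spaces before it. Without an updater configured for the github-actions ecosystem a SHA pin silently freezes the action, so confirm that `.github/dependabot.yml` (not on this page) covers it. `actions/checkout@v4` on the context line above stays tag-pinned; if the policy exempts GitHub-owned actions, state that in one comment rather than leaving it implicit. The same comment shape recurs on every pin in this series (deploy-website, ci.yml, docker-windows, docker-linux, helm-chart, ci-bdnbenchmark).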
@@ -76,7 +76,7 @@ jobs: # Run `github-action-benchmark` action for the Continuous Benchmarking Charts (https://microsoft.github.io/garnet/charts/) - name: Store benchmark result for charts - uses: benchmark-action/github-action-benchmark@v1 + uses: benchmark-action/github-action-benchmark@6bae118c112083251560ad8b3a1ff2e43aa23351 #v1 for security reasons have pinned tag (commit SHA) for 3rd party with: name: ${{matrix.test}} (${{matrix.os}} ${{matrix.framework}} ${{matrix.configuration}}) tool: 'benchmarkdotnet' diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml index 6ee6ee4cfb..f11ec5eaad 100644 --- a/.github/workflows/deploy-website.yml +++ b/.github/workflows/deploy-website.yml @@ -50,7 +50,7 @@ jobs: # Popular action to deploy to GitHub Pages: # Docs: /~https://github.com/peaceiris/actions-gh-pages#%EF%B8%8F-docusaurus - name: Deploy to GitHub Pages - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@aa83d0c2cfc3d813560e13068d3152aa21490171 #v4 - for security reasons have pinned tag (commit SHA) for 3rd party with: github_token: ${{ secrets.GITHUB_TOKEN }} # Build output to publish to the `gh-pages` branch: From 25cefa457e1884eb3f66f7cb643de15864d8c166 Mon Sep 17 00:00:00 2001 From: darrenge Date: Tue, 11 Feb 2025 15:48:23 -0800 Subject: [PATCH 03/13] Trying different commit SHA for BDN --- .github/workflows/ci-bdnbenchmark.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-bdnbenchmark.yml b/.github/workflows/ci-bdnbenchmark.yml index 5613972a91..a40e93a2d2 100644 --- a/.github/workflows/ci-bdnbenchmark.yml +++ b/.github/workflows/ci-bdnbenchmark.yml 
@@ -76,7 +76,7 @@ jobs: # Run `github-action-benchmark` action for the Continuous Benchmarking Charts (https://microsoft.github.io/garnet/charts/) - name: Store benchmark result for charts - uses: benchmark-action/github-action-benchmark@6bae118c112083251560ad8b3a1ff2e43aa23351 #v1 for security reasons have pinned tag (commit SHA) for 3rd party + uses: benchmark-action/github-action-benchmark@e3c661617bc6aa55f26ae4457c737a55545a86a4 #v1 for security reasons have pinned tag (commit SHA) for 3rd party with: name: ${{matrix.test}} (${{matrix.os}} ${{matrix.framework}} ${{matrix.configuration}}) tool: 'benchmarkdotnet' From d6d40e1f59253223278f97b298bca63369c9a8cc Mon Sep 17 00:00:00 2001 From: darrenge Date: Tue, 11 Feb 2025 15:57:41 -0800 Subject: [PATCH 04/13] Added pinned tag for third party for CI. Removed the one for BDN as couldn't get proper SHA for it. Put it back and will fix it later. --- .github/workflows/ci-bdnbenchmark.yml | 2 +- .github/workflows/ci.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-bdnbenchmark.yml b/.github/workflows/ci-bdnbenchmark.yml index a40e93a2d2..2782ce4130 100644 --- a/.github/workflows/ci-bdnbenchmark.yml +++ b/.github/workflows/ci-bdnbenchmark.yml @@ -76,7 +76,7 @@ jobs: # Run `github-action-benchmark` action for the Continuous Benchmarking Charts (https://microsoft.github.io/garnet/charts/) - name: Store benchmark result for charts - uses: benchmark-action/github-action-benchmark@e3c661617bc6aa55f26ae4457c737a55545a86a4 #v1 for security reasons have pinned tag (commit SHA) for 3rd party + uses: benchmark-action/github-action-benchmark@v1 # for security reasons have pinned tag (commit SHA) for 3rd party - however, not able to find specific commit SHA that works with: name: ${{matrix.test}} (${{matrix.os}} ${{matrix.framework}} ${{matrix.configuration}}) tool: 'benchmarkdotnet' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d00048fecb..536c0751f5 100644 
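Review bot: The comment on the new line still says the action is pinned while `@v1` is again a floating tag, and a comment that contradicts its own line is worse than none; `uses: benchmark-action/github-action-benchmark@v1 # TODO: not SHA-pinned yet; ids tried in earlier commits failed to resolve` states the real situation. Judging from the three different ids tried across commits 02, 03 and this one, a pin that "does not work" is commonly the object id of an annotated tag rather than the commit it points to — `uses:` accepts only a commit SHA — and resolving the tag with `git rev-parse v1^{commit}` (or taking the commit shown on the release page) gives an id the runner accepts. Commit 11 below pins it at d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7; that line's comment should record the exact release tag the SHA resolves to so the pin is auditable.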
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,7 +30,7 @@ jobs: - name: Check out code uses: actions/checkout@v4 - name: Apply filter - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 #v3 for security reasons have pinned tag (commit SHA) for 3rd party id: filter with: filters: | From 082348a6598628b2fec6791bc5cf67d9a312c892 Mon Sep 17 00:00:00 2001 From: darrenge Date: Tue, 11 Feb 2025 16:02:48 -0800 Subject: [PATCH 05/13] Added Pinned Tag for docker Windows but the BUILD and PUSH steps are disabled to test other steps --- .github/workflows/docker-windows.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/docker-windows.yml b/.github/workflows/docker-windows.yml index 6578cfd389..af9bffe4eb 100644 --- a/.github/workflows/docker-windows.yml +++ b/.github/workflows/docker-windows.yml @@ -23,7 +23,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@8e1d5461f02b7886d3c1a774bfbd873650445aa2 # was v5 but now v6 with this commit for security reasons have pinned tag (commit SHA) for 3rd party with: images: ghcr.io/${{ github.repository }}-nanoserver-ltsc2022 tags: | 
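Review bot: The comment `# was v5 but now v6 with this commit` means this pinning change also moves the action to a new major version, which is either a behaviour change folded into a security commit or a wrong comment; both need fixing, because the `# vN` text beside a SHA is what Dependabot uses to decide which release the pin represents. Pin the SHA of the tag actually in use and keep the comment to the exact tag it resolves to, e.g. `uses: docker/metadata-action@<SHA of the v5 release commit in use> # v5.x.y` (placeholders), and land any major upgrade as its own commit with its own notes. The same wording appears on the docker/login-action line in this file and on the metadata-action and login-action lines of docker-linux.yml in commit 07.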
@@ -39,20 +39,20 @@ jobs: - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' - uses: docker/login-action@v3 + uses: docker/login-action@327cd5a69de6c009b9ce71bce8395f28e651bf99 # was v3 but now v6 with this commit for security reasons have pinned tag (commit SHA) for 3rd party with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push - if: github.event_name != 'pull_request' - run: | - docker build -f Dockerfile.nanoserver ` - --tag ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ` - --tag ${{ fromJSON(steps.meta.outputs.json).tags[1] }} ` - --tag ${{ fromJSON(steps.meta.outputs.json).tags[2] }} . +# - name: Build and push +# if: github.event_name != 'pull_request' +# run: | +# docker build -f Dockerfile.nanoserver ` +# --tag ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ` +# --tag ${{ fromJSON(steps.meta.outputs.json).tags[1] }} ` +# --tag ${{ fromJSON(steps.meta.outputs.json).tags[2] }} . - docker push ${{ fromJSON(steps.meta.outputs.json).tags[0] }} - docker push ${{ fromJSON(steps.meta.outputs.json).tags[1] }} - docker push ${{ fromJSON(steps.meta.outputs.json).tags[2] }} +# docker push ${{ fromJSON(steps.meta.outputs.json).tags[0] }} +# docker push ${{ fromJSON(steps.meta.outputs.json).tags[1] }} +# docker push ${{ fromJSON(steps.meta.outputs.json).tags[2] }} From ca2c48309db17dae582cca6ef7d6cb861ff4e220 Mon Sep 17 00:00:00 2001 From: darrenge Date: Tue, 11 Feb 2025 16:06:09 -0800 Subject: [PATCH 06/13] Docker Windows test passed so now enabling actual build and push --- .github/workflows/docker-windows.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/docker-windows.yml b/.github/workflows/docker-windows.yml index af9bffe4eb..d103e33e29 100644 --- a/.github/workflows/docker-windows.yml +++ b/.github/workflows/docker-windows.yml 
@@ -45,14 +45,14 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} -# - name: Build and push -# if: github.event_name != 'pull_request' -# run: | -# docker build -f Dockerfile.nanoserver ` -# --tag ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ` -# --tag ${{ fromJSON(steps.meta.outputs.json).tags[1] }} ` -# --tag ${{ fromJSON(steps.meta.outputs.json).tags[2] }} . + - name: Build and push + if: github.event_name != 'pull_request' + run: | + docker build -f Dockerfile.nanoserver ` + --tag ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ` + --tag ${{ fromJSON(steps.meta.outputs.json).tags[1] }} ` + --tag ${{ fromJSON(steps.meta.outputs.json).tags[2] }} . -# docker push ${{ fromJSON(steps.meta.outputs.json).tags[0] }} -# docker push ${{ fromJSON(steps.meta.outputs.json).tags[1] }} -# docker push ${{ fromJSON(steps.meta.outputs.json).tags[2] }} + docker push ${{ fromJSON(steps.meta.outputs.json).tags[0] }} + docker push ${{ fromJSON(steps.meta.outputs.json).tags[1] }} + docker push ${{ fromJSON(steps.meta.outputs.json).tags[2] }} From 6b11364183964be9cd93efe284bf51fc047fc545 Mon Sep 17 00:00:00 2001 From: darrenge Date: Tue, 11 Feb 2025 16:15:25 -0800 Subject: [PATCH 07/13] Added Pinned tag with a commit SHA for third party apps - actual build and push is commented out so can test it --- .github/workflows/docker-linux.yml | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/.github/workflows/docker-linux.yml b/.github/workflows/docker-linux.yml index 6ce9480003..180238d756 100644 --- a/.github/workflows/docker-linux.yml +++ b/.github/workflows/docker-linux.yml @@ -41,7 +41,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@8e1d5461f02b7886d3c1a774bfbd873650445aa2 # was v5 but now v6 with this commit for security reasons have pinned tag (commit SHA) for 3rd party with: images: ${{ matrix.image }} tags: | 
@@ -56,25 +56,26 @@ jobs: type=raw,value=latest,enable={{is_default_branch}} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3 for security reasons have pinned tag (commit SHA) for 3rd party - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3 for security reasons have pinned tag (commit SHA) for 3rd party - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' - uses: docker/login-action@v3 + uses: docker/login-action@327cd5a69de6c009b9ce71bce8395f28e651bf99 # was v3 but now v6 with this commit for security reasons have pinned tag (commit SHA) for 3rd party + with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and push - uses: docker/build-push-action@v5 - with: - file: ${{ matrix.dockerfile }} - provenance: false - platforms: linux/amd64,linux/arm64 - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} +# - +# name: Build and push +# uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v5 for security reasons have pinned tag (commit SHA) for 3rd party +# with: +# file: ${{ matrix.dockerfile }} +# provenance: false +# platforms: linux/amd64,linux/arm64 +# push: ${{ github.event_name != 'pull_request' }} +# tags: ${{ steps.meta.outputs.tags }} +# labels: ${{ steps.meta.outputs.labels }} From 83f83039d94ac5a8a2854f619968f1cc203866d2 Mon Sep 17 00:00:00 2001 From: darrenge Date: Tue, 11 Feb 2025 16:18:46 -0800 Subject: [PATCH 08/13] Enabled the build and push step for docker linux as test of other parts passed --- .github/workflows/docker-linux.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
diff --git a/.github/workflows/docker-linux.yml b/.github/workflows/docker-linux.yml index 180238d756..840e587455 100644 --- a/.github/workflows/docker-linux.yml +++ b/.github/workflows/docker-linux.yml @@ -69,13 +69,13 @@ jobs: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} -# - -# name: Build and push -# uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v5 for security reasons have pinned tag (commit SHA) for 3rd party -# with: -# file: ${{ matrix.dockerfile }} -# provenance: false -# platforms: linux/amd64,linux/arm64 -# push: ${{ github.event_name != 'pull_request' }} -# tags: ${{ steps.meta.outputs.tags }} -# labels: ${{ steps.meta.outputs.labels }} + - + name: Build and push + uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v5 for security reasons have pinned tag (commit SHA) for 3rd party + with: + file: ${{ matrix.dockerfile }} + provenance: false + platforms: linux/amd64,linux/arm64 + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} From 75d7f806b9f5571ffa8e835cad519dd5d1a2f0b8 Mon Sep 17 00:00:00 2001 From: darrenge Date: Tue, 11 Feb 2025 16:33:37 -0800 Subject: [PATCH 09/13] Added Pinned tag using commit SHA for third party Helm chart pipeline - Helm Chart disabled steps so only tests the changed task --- .github/workflows/docker-linux.yml | 2 +- .github/workflows/helm-chart.yml | 112 ++++++++++++++--------------- 2 files changed, 57 insertions(+), 57 deletions(-) diff --git a/.github/workflows/docker-linux.yml b/.github/workflows/docker-linux.yml index 840e587455..b698fe9855 100644 --- a/.github/workflows/docker-linux.yml +++ b/.github/workflows/docker-linux.yml 
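Review bot: The restored step is written as a bare `-` with `name: Build and push` on the following line, unlike every other step in this file, which uses `- name: …`; since the block is being re-added anyway, fold it to `- name: Build and push` with `uses:` and `with:` indented under it so the step list reads uniformly. This is cosmetic; the pinned `docker/build-push-action` line and its inputs are otherwise consistent with the rest of the series.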
@@ -41,7 +41,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@8e1d5461f02b7886d3c1a774bfbd873650445aa2 # was v5 but now v6 with this commit for security reasons have pinned tag (commit SHA) for 3rd party + uses: docker/metadata-action@8e1d5461f02b7886d3c1a774bfbd873650445aa2 # was v5 but now v6 with this commit for security reasons have pinned tag (commit SHA) for 3rd party with: images: ${{ matrix.image }} tags: | diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml index f1a90a01df..1665605c33 100644 --- a/.github/workflows/helm-chart.yml +++ b/.github/workflows/helm-chart.yml 
@@ -28,60 +28,60 @@ jobs: git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" - name: Install helm - uses: azure/setup-helm@v4 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4 for security reasons have pinned tag (commit SHA) for 3rd party env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - - name: Install helm-docs - env: - HELM_DOCS_VERSION: "1.14.2" - run: | - cd /tmp - wget /~https://github.com/norwoodj/helm-docs/releases/download/v"${HELM_DOCS_VERSION}"/helm-docs_"${HELM_DOCS_VERSION}"_Linux_x86_64.tar.gz - tar -xvf helm-docs_"${HELM_DOCS_VERSION}"_Linux_x86_64.tar.gz - sudo mv helm-docs /usr/local/bin +# - name: Install helm-docs +# env: +# HELM_DOCS_VERSION: "1.14.2" +# run: | +# cd /tmp +# wget /~https://github.com/norwoodj/helm-docs/releases/download/v"${HELM_DOCS_VERSION}"/helm-docs_"${HELM_DOCS_VERSION}"_Linux_x86_64.tar.gz +# tar -xvf helm-docs_"${HELM_DOCS_VERSION}"_Linux_x86_64.tar.gz +# sudo mv helm-docs /usr/local/bin - - name: Set helm chart appVersion from Version.props - run: | - export VERSION_PROPS=$(awk -F'[<>]' '/VersionPrefix/{print $3}' Version.props) - sed -i -e 's#Version.props#"'${VERSION_PROPS}'"#g' charts/garnet/Chart.yaml +# - name: Set helm chart appVersion from Version.props +# run: | +# export VERSION_PROPS=$(awk -F'[<>]' '/VersionPrefix/{print $3}' Version.props) +# sed -i -e 's#Version.props#"'${VERSION_PROPS}'"#g' charts/garnet/Chart.yaml - - name: Helm lint, helm-docs and helm package - run: | - mkdir .cr-release-packages - for chart in $(find charts -mindepth 1 -maxdepth 1 -type d); do - if [ -z "${chart:-}" ]; then - break - fi - helm lint "${chart}" - helm-docs --document-dependency-values --chart-search-root "${chart}" - helm package "${chart}" --dependency-update --destination .cr-release-packages - done +# - name: Helm lint, helm-docs and helm package +# run: | +# mkdir .cr-release-packages +# for chart in $(find charts -mindepth 1 -maxdepth 1 -type d); do +# if [ -z "${chart:-}" ]; then 
+# break +# fi +# helm lint "${chart}" +# helm-docs --document-dependency-values --chart-search-root "${chart}" +# helm package "${chart}" --dependency-update --destination .cr-release-packages +# done - - name: Discard changes on the charts/garnet/Chart.yaml file - run: | - git checkout -- charts/garnet/Chart.yaml +# - name: Discard changes on the charts/garnet/Chart.yaml file +# run: | +# git checkout -- charts/garnet/Chart.yaml - - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 - with: - add-paths: charts/garnet/README.md - token: ${{ secrets.GITHUB_TOKEN }} - committer: github-actions[bot] <${{ github.actor }}@users.noreply.github.com> - author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com> - signoff: false - branch: helm-docs-gen - delete-branch: true - title: '[helm-chart] Update charts/garnet/README.md by helm-docs' - body: | - - Update charts/garnet/README.md - - Auto-generated by [create-pull-request][1] - - [1]: /~https://github.com/peter-evans/create-pull-request - labels: | - helm-chart - automated pr +# - name: Create Pull Request +# uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7 for security reasons have pinned tag (commit SHA) for 3rd party +# with: +# add-paths: charts/garnet/README.md +# token: ${{ secrets.GITHUB_TOKEN }} +# committer: github-actions[bot] <${{ github.actor }}@users.noreply.github.com> +# author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com> +# signoff: false +# branch: helm-docs-gen +# delete-branch: true +# title: '[helm-chart] Update charts/garnet/README.md by helm-docs' +# body: | +# - Update charts/garnet/README.md +# +# Auto-generated by [create-pull-request][1] +# +# [1]: /~https://github.com/peter-evans/create-pull-request +# labels: | +# helm-chart +# automated pr - name: Login to GHCR env: 
@@ -89,13 +89,13 @@ jobs: run: | echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin - - name: Push charts to GHCR - run: | - shopt -s nullglob - for pkg in .cr-release-packages/*.tgz; do - if [ -z "${pkg:-}" ]; then - break - fi - helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts" - done +# - name: Push charts to GHCR +# run: | +# shopt -s nullglob +# for pkg in .cr-release-packages/*.tgz; do +# if [ -z "${pkg:-}" ]; then +# break +# fi +# helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts" +# done From 365463b63809737e02de77e17609d1194f147b34 Mon Sep 17 00:00:00 2001 From: darrenge Date: Tue, 11 Feb 2025 16:41:41 -0800 Subject: [PATCH 10/13] Enabled the other parts of Helm after testing the changed task --- .github/workflows/helm-chart.yml | 111 +++++++++++++++---------------- 1 file changed, 55 insertions(+), 56 deletions(-) diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml index 1665605c33..928bde6432 100644 --- a/.github/workflows/helm-chart.yml +++ b/.github/workflows/helm-chart.yml 
@@ -32,56 +32,56 @@ jobs: env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" -# - name: Install helm-docs -# env: -# HELM_DOCS_VERSION: "1.14.2" -# run: | -# cd /tmp -# wget /~https://github.com/norwoodj/helm-docs/releases/download/v"${HELM_DOCS_VERSION}"/helm-docs_"${HELM_DOCS_VERSION}"_Linux_x86_64.tar.gz -# tar -xvf helm-docs_"${HELM_DOCS_VERSION}"_Linux_x86_64.tar.gz -# sudo mv helm-docs /usr/local/bin + - name: Install helm-docs + env: + HELM_DOCS_VERSION: "1.14.2" + run: | + cd /tmp + wget /~https://github.com/norwoodj/helm-docs/releases/download/v"${HELM_DOCS_VERSION}"/helm-docs_"${HELM_DOCS_VERSION}"_Linux_x86_64.tar.gz + tar -xvf helm-docs_"${HELM_DOCS_VERSION}"_Linux_x86_64.tar.gz + sudo mv helm-docs /usr/local/bin + + - name: Set helm chart appVersion from Version.props + run: | + export VERSION_PROPS=$(awk -F'[<>]' '/VersionPrefix/{print $3}' Version.props) + sed -i -e 's#Version.props#"'${VERSION_PROPS}'"#g' charts/garnet/Chart.yaml + + - name: Helm lint, helm-docs and helm package + run: | + mkdir .cr-release-packages + for chart in $(find charts -mindepth 1 -maxdepth 1 -type d); do + if [ -z "${chart:-}" ]; then + break + fi + helm lint "${chart}" + helm-docs --document-dependency-values --chart-search-root "${chart}" + helm package "${chart}" --dependency-update --destination .cr-release-packages + done -# - name: Set helm chart appVersion from Version.props -# run: | -# export VERSION_PROPS=$(awk -F'[<>]' '/VersionPrefix/{print $3}' Version.props) -# sed -i -e 's#Version.props#"'${VERSION_PROPS}'"#g' charts/garnet/Chart.yaml + - name: Discard changes on the charts/garnet/Chart.yaml file + run: | + git checkout -- charts/garnet/Chart.yaml -# - name: Helm lint, helm-docs and helm package -# run: | -# mkdir .cr-release-packages -# for chart in $(find charts -mindepth 1 -maxdepth 1 -type d); do -# if [ -z "${chart:-}" ]; then -# break -# fi -# helm lint "${chart}" -# helm-docs --document-dependency-values --chart-search-root "${chart}" -# helm package 
"${chart}" --dependency-update --destination .cr-release-packages -# done + - name: Create Pull Request + uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7 for security reasons have pinned tag (commit SHA) for 3rd party + with: + add-paths: charts/garnet/README.md + token: ${{ secrets.GITHUB_TOKEN }} + committer: github-actions[bot] <${{ github.actor }}@users.noreply.github.com> + author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com> + signoff: false + branch: helm-docs-gen + delete-branch: true + title: '[helm-chart] Update charts/garnet/README.md by helm-docs' + body: | + - Update charts/garnet/README.md -# - name: Discard changes on the charts/garnet/Chart.yaml file -# run: | -# git checkout -- charts/garnet/Chart.yaml + Auto-generated by [create-pull-request][1] -# - name: Create Pull Request -# uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7 for security reasons have pinned tag (commit SHA) for 3rd party -# with: -# add-paths: charts/garnet/README.md -# token: ${{ secrets.GITHUB_TOKEN }} -# committer: github-actions[bot] <${{ github.actor }}@users.noreply.github.com> -# author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com> -# signoff: false -# branch: helm-docs-gen -# delete-branch: true -# title: '[helm-chart] Update charts/garnet/README.md by helm-docs' -# body: | -# - Update charts/garnet/README.md -# -# Auto-generated by [create-pull-request][1] -# -# [1]: /~https://github.com/peter-evans/create-pull-request -# labels: | -# helm-chart -# automated pr + [1]: /~https://github.com/peter-evans/create-pull-request + labels: | + helm-chart + automated pr - name: Login to GHCR env: 
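Review bot: The re-enabled `Install helm-docs` step fetches a release tarball with `wget` and moves the binary into `/usr/local/bin` with no integrity check, so the one third-party component in this workflow that is not a GitHub Action is version-pinned but not content-pinned — the opposite of what this series does for actions. Verify the download before extracting, between the `wget` and `tar` lines: `echo "<EXPECTED_SHA256>  helm-docs_${HELM_DOCS_VERSION}_Linux_x86_64.tar.gz" | sha256sum -c -`, with the expected digest taken from the release's published checksums and recorded next to `HELM_DOCS_VERSION` so a version bump forces a digest update. The same lines appear, commented out, in commit 09 above.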
@@ -89,13 +89,12 @@ jobs: run: | echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin -# - name: Push charts to GHCR -# run: | -# shopt -s nullglob -# for pkg in .cr-release-packages/*.tgz; do -# if [ -z "${pkg:-}" ]; then -# break -# fi -# helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts" -# done - + - name: Push charts to GHCR + run: | + shopt -s nullglob + for pkg in .cr-release-packages/*.tgz; do + if [ -z "${pkg:-}" ]; then + break + fi + helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts" + done From 4459a99e2f32275d0ea5bd7acfca1ea88e7af2ba Mon Sep 17 00:00:00 2001 From: darrenge Date: Tue, 11 Feb 2025 16:43:43 -0800 Subject: [PATCH 11/13] Trying to get benchmark-action/github-action-benchmark with commit sha working --- .github/workflows/ci-bdnbenchmark.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-bdnbenchmark.yml b/.github/workflows/ci-bdnbenchmark.yml index 2782ce4130..a0b6921562 100644 --- a/.github/workflows/ci-bdnbenchmark.yml +++ b/.github/workflows/ci-bdnbenchmark.yml @@ -76,7 +76,7 @@ jobs: # Run `github-action-benchmark` action for the Continuous Benchmarking Charts (https://microsoft.github.io/garnet/charts/) - name: Store benchmark result for charts - uses: benchmark-action/github-action-benchmark@v1 # for security reasons have pinned tag (commit SHA) for 3rd party - however, not able to find specific commit SHA that works + uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7 # v1 for security reasons have pinned tag (commit SHA) for 3rd party with: name: ${{matrix.test}} (${{matrix.os}} ${{matrix.framework}} ${{matrix.configuration}}) tool: 'benchmarkdotnet' From 68293b61e772ecaefe2c4d8646278653bf27afe6 Mon Sep 17 00:00:00 2001 
From: darrenge Date: Tue, 11 Feb 2025 17:35:31 -0800 Subject: [PATCH 12/13] Removed the Create Pull Request task as security policy won't allow it any more. There was a fix for the Unpinned Tag in that section, so remove the task will also remove that security issue. --- .github/workflows/helm-chart.yml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml index 928bde6432..66647f1675 100644 --- a/.github/workflows/helm-chart.yml +++ b/.github/workflows/helm-chart.yml @@ -62,27 +62,6 @@ jobs: run: | git checkout -- charts/garnet/Chart.yaml - - name: Create Pull Request - uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7 for security reasons have pinned tag (commit SHA) for 3rd party - with: - add-paths: charts/garnet/README.md - token: ${{ secrets.GITHUB_TOKEN }} - committer: github-actions[bot] <${{ github.actor }}@users.noreply.github.com> - author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com> - signoff: false - branch: helm-docs-gen - delete-branch: true - title: '[helm-chart] Update charts/garnet/README.md by helm-docs' - body: | - - Update charts/garnet/README.md - - Auto-generated by [create-pull-request][1] - - [1]: /~https://github.com/peter-evans/create-pull-request - labels: | - helm-chart - automated pr - - name: Login to GHCR env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" From 06763d99e991a70e642a400ee8af1776c9ed2bed Mon Sep 17 00:00:00 2001 From: darrenge Date: Wed, 12 Feb 2025 09:46:12 -0800 Subject: [PATCH 13/13] Putting Create Pull Request task back as might not be right move to delete whole thing. It does still have the security fix in it. --- .github/workflows/helm-chart.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml index 66647f1675..928bde6432 100644 
--- a/.github/workflows/helm-chart.yml +++ b/.github/workflows/helm-chart.yml @@ -62,6 +62,27 @@ jobs: run: | git checkout -- charts/garnet/Chart.yaml + - name: Create Pull Request + uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7 for security reasons have pinned tag (commit SHA) for 3rd party + with: + add-paths: charts/garnet/README.md + token: ${{ secrets.GITHUB_TOKEN }} + committer: github-actions[bot] <${{ github.actor }}@users.noreply.github.com> + author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com> + signoff: false + branch: helm-docs-gen + delete-branch: true + title: '[helm-chart] Update charts/garnet/README.md by helm-docs' + body: | + - Update charts/garnet/README.md + + Auto-generated by [create-pull-request][1] + + [1]: /~https://github.com/peter-evans/create-pull-request + labels: | + helm-chart + automated pr + - name: Login to GHCR env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
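Review bot: Restoring the `Create Pull Request` step brings back a write operation that the read-only `permissions` introduced in commit 01 for ci.yml and nightly.yml would break if the same default is applied to this file: `peter-evans/create-pull-request` needs `contents: write` and `pull-requests: write`, and the `helm push` to GHCR further down needs `packages: write`; the helm-chart.yml permissions block is not in this diff, so confirm these are granted at job level rather than workflow-wide. The remove-then-restore across commits 12 and 13 shows the policy decision is unrecorded; put it on the step, e.g. `# Opens the helm-docs README PR with GITHUB_TOKEN; accepted under <policy reference>, tracked in <issue id>`. Be aware too that pull requests opened with `GITHUB_TOKEN` do not trigger other workflows, so the generated PR gets no CI run until someone pushes to it.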