Feature #21659

closed

Github integration test check workflow 21659-gh-workflow-tests

Added by Stephen Smith 9 months ago. Updated 8 months ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Story points: -
Release:
Release relationship: Auto

Description

Branch 21659-gh-workflow-tests, tested on my GitHub branch with a few example PRs: https://github.com/stephen304/arvados/pulls

Here is a proposed GitHub workflow that runs the wb2 integration tests using the Cypress-in-Docker method. It takes an extra 10 minutes because it builds the workbench2-build container each time (since it's not pushed anywhere), but that doesn't seem like it would matter for the occasional dependabot or external PR.

The workflow is triggered on every PR.

Security considerations:
  • Used actions are pinned to specific GitHub action commit hashes
    • Prevents vulnerabilities from being introduced by the creators of the actions; pinned actions will not auto-update
    • Repo settings can also restrict the actions that may be used to a specific list, which would prevent a PR from changing the used actions to something malicious, e.g.:
      actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11,
      addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185,
      docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0,
      docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb
  • The repo settings can also disable write access to the repo under Actions > Workflow permissions, as well as unchecking the "allow actions to create/approve PRs" option
    • This way, even if a malicious PR were approved to run workflows, it wouldn't have any ability to change anything in the repo
  • Also, secrets and repo variables aren't passed to runs triggered by fork PRs, so those should be safe too
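A small checker for the two pinning controls described above (SHA-pinned `uses:` references and an allowlist of actions), plus a listing of any `write` permission scopes a workflow grants, as an added example; it is not part of the 21659-gh-workflow-tests branch, and the sample workflow and allowlist below are constructed for illustration (three of the pinned references are the ones listed above).

```python
"""Flag `uses:` references that are not pinned to a full commit SHA or not on an allowlist,
and list any `write` permission scopes a workflow grants. Line-based regex, no PyYAML needed."""
import re

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')  # owner/repo[/path]@ref
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def check_workflow(text, allowed=None):
    """Return (line_no, reference, reason) findings; an empty list means clean."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        ref = m.group(1) if m else ""
        if not ref or ref.startswith(("./", "docker://")):
            continue  # not a step, or a local action / docker image (out of scope here)
        action, _, version = ref.rpartition("@")
        repo = "/".join(action.split("/")[:2])  # drop any sub-path after owner/repo
        if not SHA_RE.match(version):
            findings.append((n, ref, "not pinned to a full commit SHA"))
        if allowed is not None and repo not in allowed:
            findings.append((n, ref, "action not on the allowlist"))
    return findings

def writes_granted(text):
    """Return the scopes granted `write` (plus '*' for write-all); empty is the read-only state."""
    scoped = re.findall(r'^\s+([a-z-]+):\s*write\s*$', text, re.M)
    return scoped + (["*"] if re.search(r'^permissions:\s*write-all', text, re.M) else [])

# Constructed sample: three SHA-pinned actions from the proposal plus one tag-pinned action.
SAMPLE = """\
name: integration-tests
on: pull_request
permissions:
  contents: read
jobs:
  cypress:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb
      - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0
      - uses: some-org/untrusted-action@v2
"""
ALLOWED = {"actions/checkout", "docker/setup-buildx-action",
           "docker/build-push-action", "addnab/docker-run-action"}
if __name__ == "__main__":
    for line_no, ref, reason in check_workflow(SAMPLE, ALLOWED):
        print(f"line {line_no}: {ref}: {reason}")
    print("write scopes granted:", writes_granted(SAMPLE))
```

Run against a real `.github/workflows/*.yml` file, any finding means a reference a PR could retarget, and any non-empty write scope is what the Actions > Workflow permissions setting would otherwise have to deny.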

Subtasks 1 (0 open, 1 closed)

Task #21667: Review 21659-gh-workflow-tests (Resolved, Stephen Smith, 04/11/2024)

#1

Updated by Stephen Smith 9 months ago

  • Description updated (diff)
  • Subject changed from Github integration test check workflow to Github integration test check workflow 21659-gh-workflow-tests
#2

Updated by Stephen Smith 9 months ago

  • Description updated (diff)
#3

Updated by Peter Amstutz 8 months ago

  • Target version changed from Future to Development 2024-04-24 sprint
#4

Updated by Stephen Smith 8 months ago

  • Description updated (diff)
#5

Updated by Peter Amstutz 8 months ago

  • Assigned To set to Stephen Smith
#6

Updated by Lucas Di Pentima 8 months ago

Branch 21659-gh-workflow-tests LGTM. I've set workflow permissions to read-only on the GitHub repo. Thanks!

#7

Updated by Stephen Smith 8 months ago

  • Status changed from New to Resolved
#8

Updated by Peter Amstutz 8 months ago

  • Release set to 70