From e1944739e9fa9b303968b1600ef35e115f388be3 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Thu, 11 Jan 2024 11:07:29 +0100 Subject: [PATCH 1/6] ci: restrict token permissions and pin deps --- .github/workflows/_pr_entrypoint.yaml | 9 ++- .github/workflows/_push-entrypoint.yaml | 9 ++- .../build_and_push_docker_images.yaml | 10 ++-- .github/workflows/build_docker_for_test.yaml | 4 +- .github/workflows/build_packages.yaml | 15 +++-- .github/workflows/build_packages_cron.yaml | 15 +++-- .github/workflows/build_slim_packages.yaml | 13 ++-- .github/workflows/check_deps_integrity.yaml | 4 +- .github/workflows/codeql.yaml | 2 +- .github/workflows/green_master.yaml | 2 +- .github/workflows/performance_test.yaml | 60 +++++++++---------- .github/workflows/release.yaml | 6 +- .github/workflows/run_conf_tests.yaml | 4 +- .github/workflows/run_docker_tests.yaml | 8 +-- .github/workflows/run_emqx_app_tests.yaml | 4 +- .github/workflows/run_helm_tests.yaml | 6 +- .github/workflows/run_jmeter_tests.yaml | 27 +++++---- .github/workflows/run_relup_tests.yaml | 12 ++-- .github/workflows/run_test_cases.yaml | 23 +++---- .github/workflows/scorecard.yaml | 6 +- .github/workflows/spellcheck.yaml | 2 +- .github/workflows/stale.yaml | 2 +- .github/workflows/static_checks.yaml | 4 +- .github/workflows/upload-helm-charts.yaml | 7 ++- scripts/bump-actions-versions.sh | 21 +++++++ 25 files changed, 160 insertions(+), 115 deletions(-) create mode 100755 scripts/bump-actions-versions.sh diff --git a/.github/workflows/_pr_entrypoint.yaml b/.github/workflows/_pr_entrypoint.yaml index c147143c3..7d7faa8f9 100644 --- a/.github/workflows/_pr_entrypoint.yaml +++ b/.github/workflows/_pr_entrypoint.yaml @@ -14,6 +14,9 @@ on: env: IS_CI: "yes" +permissions: + contents: read + jobs: sanity-checks: runs-on: ubuntu-22.04 
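Review bot: The workflow-level `permissions:` / `contents: read` added in the `@@ -14,6 +14,9 @@` hunk of _pr_entrypoint.yaml withdraws every other default GITHUB_TOKEN scope for the whole file, so any job below that writes through the API now needs its own job-level grant in the style this commit already shows for green_master.yaml (`checks: read`, `actions: write`) and release.yaml (`checks: write`, `actions: write`). The rest of _pr_entrypoint.yaml is outside this hunk, so whether such a job exists is an inference to confirm on a full run. The same check applies to the identical blocks added to _push-entrypoint.yaml, build_packages.yaml, build_packages_cron.yaml, build_slim_packages.yaml, run_jmeter_tests.yaml and run_test_cases.yaml.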
@@ -30,7 +33,7 @@ jobs: elixir_vsn: "1.15.7" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 @@ -125,7 +128,7 @@ jobs: - emqx-enterprise steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Work around https://github.com/actions/checkout/issues/766 @@ -141,7 +144,7 @@ jobs: echo "PROFILE=${PROFILE}" | tee -a .env echo "PKG_VSN=$(./pkg-vsn.sh ${PROFILE})" | tee -a .env zip -ryq -x@.github/workflows/.zipignore $PROFILE.zip . - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: ${{ matrix.profile }} path: ${{ matrix.profile }}.zip diff --git a/.github/workflows/_push-entrypoint.yaml b/.github/workflows/_push-entrypoint.yaml index 55dd5997b..1e0dd941b 100644 --- a/.github/workflows/_push-entrypoint.yaml +++ b/.github/workflows/_push-entrypoint.yaml @@ -14,6 +14,9 @@ on: - 'release-5[0-9]' - 'ci/**' +permissions: + contents: read + env: IS_CI: 'yes' @@ -35,7 +38,7 @@ jobs: elixir_vsn: '1.15.7' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 @@ -133,7 +136,7 @@ jobs: - emqx-enterprise steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 @@ -149,7 +152,7 @@ jobs: echo "PROFILE=${PROFILE}" | tee -a .env echo "PKG_VSN=$(./pkg-vsn.sh ${PROFILE})" | tee -a .env zip -ryq -x@.github/workflows/.zipignore $PROFILE.zip . - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: ${{ matrix.profile }} path: ${{ matrix.profile }}.zip 
diff --git a/.github/workflows/build_and_push_docker_images.yaml b/.github/workflows/build_and_push_docker_images.yaml index ce5115018..49416db92 100644 --- a/.github/workflows/build_and_push_docker_images.yaml +++ b/.github/workflows/build_and_push_docker_images.yaml @@ -91,23 +91,23 @@ jobs: registry: 'public.ecr.aws' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 - - uses: docker/setup-qemu-action@v2 - - uses: docker/setup-buildx-action@v2 + - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - name: Login to hub.docker.com - uses: docker/login-action@v2 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 if: matrix.registry == 'docker.io' with: username: ${{ secrets.DOCKER_HUB_USER }} password: ${{ secrets.DOCKER_HUB_TOKEN }} - name: Login to AWS ECR - uses: docker/login-action@v2 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 if: matrix.registry == 'public.ecr.aws' with: registry: public.ecr.aws diff --git a/.github/workflows/build_docker_for_test.yaml b/.github/workflows/build_docker_for_test.yaml index a4bc58da2..ccff642f9 100644 --- a/.github/workflows/build_docker_for_test.yaml +++ b/.github/workflows/build_docker_for_test.yaml @@ -42,7 +42,7 @@ jobs: - emqx-enterprise-elixir steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: build and export to Docker id: build run: | 
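Review bot: build_and_push_docker_images.yaml receives only SHA pins in the `@@ -91,23 +91,23 @@` hunk and no top-level `permissions:` block, unlike the entrypoint and build_packages workflows in the same commit; the diffstat lists 10 changed lines for this file and all ten are in this hunk. The Docker Hub login visibly uses `secrets.DOCKER_HUB_USER` / `secrets.DOCKER_HUB_TOKEN` rather than GITHUB_TOKEN, so nothing in the hunk needs a wider token, which makes it a good candidate for the same `permissions:` / `contents: read` block unless the file already restricts it somewhere outside this view.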
@@ -57,7 +57,7 @@ jobs: - name: export docker image run: | docker save $EMQX_IMAGE_TAG | gzip > $EMQX_NAME-docker-$PKG_VSN.tar.gz - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: "${{ env.EMQX_NAME }}-docker" path: "${{ env.EMQX_NAME }}-docker-${{ env.PKG_VSN }}.tar.gz" diff --git a/.github/workflows/build_packages.yaml b/.github/workflows/build_packages.yaml index c1edb516a..fad200a93 100644 --- a/.github/workflows/build_packages.yaml +++ b/.github/workflows/build_packages.yaml @@ -64,6 +64,9 @@ on: type: string default: '5.3-2' +permissions: + contents: read + jobs: mac: strategy: @@ -80,7 +83,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: emqx/self-hosted-cleanup-action@v1.0.3 - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 @@ -93,7 +96,7 @@ jobs: apple_developer_identity: ${{ secrets.APPLE_DEVELOPER_IDENTITY }} apple_developer_id_bundle: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }} apple_developer_id_bundle_password: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: ${{ matrix.profile }} @@ -149,7 +152,7 @@ jobs: shell: bash steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 @@ -190,7 +193,7 @@ jobs: ./scripts/pkg-tests.sh "${PROFILE}-tgz" ./scripts/pkg-tests.sh "${PROFILE}-pkg" fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: ${{ matrix.profile }} path: _packages/${{ matrix.profile }}/ 
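Review bot: In the `@@ -80,7 +83,7 @@` hunk of build_packages.yaml the context line `- uses: emqx/self-hosted-cleanup-action@v1.0.3` is still referenced by a mutable tag while the steps around it move to commit SHAs, leaving one unpinned action in a job that also receives the Apple signing secrets in the following hunk. Being an org-owned action lowers the risk, but a tag can be moved, so pin it the same way: `- uses: emqx/self-hosted-cleanup-action@<COMMIT_SHA> # v1.0.3` (placeholder; resolve the SHA from the v1.0.3 tag). The local `./.github/actions/package-macos` reference is fine as it resolves within the checked-out commit.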
@@ -208,7 +211,7 @@ jobs: profile: - ${{ inputs.profile }} steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} path: packages/${{ matrix.profile }} @@ -224,7 +227,7 @@ jobs: echo "$(cat $var.sha256) $var" | sha256sum -c || exit 1 done cd - - - uses: aws-actions/configure-aws-credentials@v2 + - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/build_packages_cron.yaml b/.github/workflows/build_packages_cron.yaml index 8e4ce3a40..ee3be30a2 100644 --- a/.github/workflows/build_packages_cron.yaml +++ b/.github/workflows/build_packages_cron.yaml @@ -9,6 +9,9 @@ on: - cron: '0 */6 * * *' workflow_dispatch: +permissions: + contents: read + jobs: linux: if: github.repository_owner == 'emqx' @@ -32,7 +35,7 @@ jobs: shell: bash steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ matrix.profile[1] }} fetch-depth: 0 @@ -63,14 +66,14 @@ jobs: set -eu ./scripts/pkg-tests.sh "${PROFILE}-tgz" ./scripts/pkg-tests.sh "${PROFILE}-pkg" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: ${{ matrix.profile[0] }} path: _packages/${{ matrix.profile[0] }}/ retention-days: 7 - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.23.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 if: failure() env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} @@ -95,7 +98,7 @@ jobs: - macos-12-arm64 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ matrix.branch }} fetch-depth: 0 
@@ -108,14 +111,14 @@ jobs: apple_developer_identity: ${{ secrets.APPLE_DEVELOPER_IDENTITY }} apple_developer_id_bundle: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }} apple_developer_id_bundle_password: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: ${{ matrix.profile }} path: _packages/${{ matrix.profile }}/ retention-days: 7 - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.23.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 if: failure() env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/build_slim_packages.yaml b/.github/workflows/build_slim_packages.yaml index 92fd61d09..bce20191b 100644 --- a/.github/workflows/build_slim_packages.yaml +++ b/.github/workflows/build_slim_packages.yaml @@ -41,6 +41,9 @@ on: type: string default: '1.15.7' +permissions: + contents: read + jobs: linux: runs-on: ${{ github.repository_owner == 'emqx' && fromJSON(format('["self-hosted","ephemeral","linux","{0}"]', matrix.profile[4])) || 'ubuntu-22.04' }} @@ -58,7 +61,7 @@ jobs: container: "ghcr.io/emqx/emqx-builder/${{ inputs.builder_vsn }}:${{ inputs.elixir_vsn }}-${{ matrix.profile[1] }}-${{ matrix.profile[2] }}" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Work around https://github.com/actions/checkout/issues/766 
@@ -85,12 +88,12 @@ jobs: run: | make ${EMQX_NAME}-elixir-pkg ./scripts/pkg-tests.sh ${EMQX_NAME}-elixir-pkg - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: "${{ matrix.profile[0] }}-${{ matrix.profile[1] }}-${{ matrix.profile[2] }}" path: _packages/${{ matrix.profile[0] }}/* retention-days: 7 - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: "${{ matrix.profile[0] }}_schema_dump" path: | @@ -114,7 +117,7 @@ jobs: EMQX_NAME: ${{ matrix.profile }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/package-macos with: profile: ${{ matrix.profile }} @@ -124,7 +127,7 @@ jobs: apple_developer_identity: ${{ secrets.APPLE_DEVELOPER_IDENTITY }} apple_developer_id_bundle: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }} apple_developer_id_bundle_password: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: ${{ matrix.os }} path: _packages/**/* diff --git a/.github/workflows/check_deps_integrity.yaml b/.github/workflows/check_deps_integrity.yaml index 5b83ab063..30d788500 100644 --- a/.github/workflows/check_deps_integrity.yaml +++ b/.github/workflows/check_deps_integrity.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }} container: ${{ inputs.builder }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - run: make ensure-rebar3 - run: ./scripts/check-deps-integrity.escript 
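Review bot: With upload-artifact now on v4 in the `@@ -85,12 +88,12 @@` hunk of build_slim_packages.yaml, the second upload named `"${{ matrix.profile[0] }}_schema_dump"` will fail with a name conflict whenever two matrix entries share profile[0] and differ only in profile[1]/profile[2], because v4 artifacts are immutable and each name can be uploaded once per run, whereas v3 merged repeated uploads into one artifact. The first upload already includes all three matrix fields in its name and is safe. Whether the matrix contains such duplicates is outside this hunk; if it does, either gate the schema-dump upload to one entry with an `if:` or include the remaining fields in the name, and update the consumer in spellcheck.yaml (`"${{ matrix.profile }}_schema_dump"`) to match.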
@@ -36,7 +36,7 @@ jobs: MIX_ENV: emqx-enterprise PROFILE: emqx-enterprise - name: Upload produced lock files - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: produced_lock_files diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 17aacedfb..accdbe657 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref }} diff --git a/.github/workflows/green_master.yaml b/.github/workflows/green_master.yaml index 0d938f6cd..ed239cf93 100644 --- a/.github/workflows/green_master.yaml +++ b/.github/workflows/green_master.yaml @@ -22,7 +22,7 @@ jobs: checks: read actions: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.ref || 'master' }} diff --git a/.github/workflows/performance_test.yaml b/.github/workflows/performance_test.yaml index d2b0f75a2..ede8abf07 100644 --- a/.github/workflows/performance_test.yaml +++ b/.github/workflows/performance_test.yaml @@ -32,7 +32,7 @@ jobs: PACKAGE_FILE: ${{ steps.package_file.outputs.PACKAGE_FILE }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 ref: ${{ github.event.inputs.ref }} @@ -52,7 +52,7 @@ jobs: id: package_file run: | echo "PACKAGE_FILE=$(find _packages/emqx -name 'emqx-*.deb' | head -n 1 | xargs basename)" >> $GITHUB_OUTPUT - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: emqx-ubuntu20.04 path: _packages/emqx/${{ steps.package_file.outputs.PACKAGE_FILE }} 
@@ -66,23 +66,23 @@ jobs: steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }} aws-region: eu-west-1 - name: Checkout tf-emqx-performance-test - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: emqx/tf-emqx-performance-test path: tf-emqx-performance-test ref: v0.2.3 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: emqx-ubuntu20.04 path: tf-emqx-performance-test/ - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 with: terraform_wrapper: false - name: run scenario @@ -105,7 +105,7 @@ jobs: terraform destroy -auto-approve aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id . - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload-file-path: "./tf-emqx-performance-test/slack-payload.json" - name: terraform destroy @@ -113,13 +113,13 @@ jobs: working-directory: ./tf-emqx-performance-test run: | terraform destroy -auto-approve - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: metrics path: | "./tf-emqx-performance-test/*.tar.gz" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: terraform 
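Review bot: The uploads named `metrics` and `terraform` in the `@@ -113,13 +113,13 @@` hunk of performance_test.yaml are repeated verbatim by the three later jobs (`@@ -184`, `@@ -257`, `@@ -330` hunks); under upload-artifact v4 a name can be uploaded only once per workflow run, so if more than one scenario job runs in the same run, the later uploads error instead of being merged as v3 did. If the jobs are mutually exclusive per dispatch this is harmless; otherwise use a job-specific name such as `name: metrics-${{ github.job }}`. A separate, pre-existing observation for the `@@ -66,23 +66,23 @@` hunk: `aws-actions/configure-aws-credentials` is still fed long-lived keys from secrets, and the pinned v4.0.1 supports `role-to-assume` with OIDC, which would remove static credentials from the repository.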
@@ -137,23 +137,23 @@ jobs: steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }} aws-region: eu-west-1 - name: Checkout tf-emqx-performance-test - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: emqx/tf-emqx-performance-test path: tf-emqx-performance-test ref: v0.2.3 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: emqx-ubuntu20.04 path: tf-emqx-performance-test/ - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 with: terraform_wrapper: false - name: run scenario @@ -176,7 +176,7 @@ jobs: terraform destroy -auto-approve aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id . - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload-file-path: "./tf-emqx-performance-test/slack-payload.json" - name: terraform destroy @@ -184,13 +184,13 @@ jobs: working-directory: ./tf-emqx-performance-test run: | terraform destroy -auto-approve - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: metrics path: | "./tf-emqx-performance-test/*.tar.gz" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: terraform 
@@ -209,23 +209,23 @@ jobs: steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }} aws-region: eu-west-1 - name: Checkout tf-emqx-performance-test - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: emqx/tf-emqx-performance-test path: tf-emqx-performance-test ref: v0.2.3 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: emqx-ubuntu20.04 path: tf-emqx-performance-test/ - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 with: terraform_wrapper: false - name: run scenario @@ -249,7 +249,7 @@ jobs: terraform destroy -auto-approve aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id . - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload-file-path: "./tf-emqx-performance-test/slack-payload.json" - name: terraform destroy @@ -257,13 +257,13 @@ jobs: working-directory: ./tf-emqx-performance-test run: | terraform destroy -auto-approve - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: metrics path: | "./tf-emqx-performance-test/*.tar.gz" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: terraform 
@@ -283,23 +283,23 @@ jobs: steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERF_TEST }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERF_TEST }} aws-region: eu-west-1 - name: Checkout tf-emqx-performance-test - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: emqx/tf-emqx-performance-test path: tf-emqx-performance-test ref: v0.2.3 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: emqx-ubuntu20.04 path: tf-emqx-performance-test/ - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 with: terraform_wrapper: false - name: run scenario @@ -322,7 +322,7 @@ jobs: terraform destroy -auto-approve aws s3 sync --exclude '*' --include '*.tar.gz' s3://$TF_VAR_s3_bucket_name/$TF_VAR_bench_id . - name: Send notification to Slack - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload-file-path: "./tf-emqx-performance-test/slack-payload.json" - name: terraform destroy @@ -330,13 +330,13 @@ jobs: working-directory: ./tf-emqx-performance-test run: | terraform destroy -auto-approve - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: name: metrics path: | "./tf-emqx-performance-test/*.tar.gz" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: terraform diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 4a0d0403f..2f441af88 100644 
--- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -31,12 +31,12 @@ jobs: strategy: fail-fast: false steps: - - uses: aws-actions/configure-aws-credentials@v2 + - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.tag }} - name: Detect profile @@ -132,7 +132,7 @@ jobs: checks: write actions: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: trigger re-run of app versions check on open PRs shell: bash env: diff --git a/.github/workflows/run_conf_tests.yaml b/.github/workflows/run_conf_tests.yaml index fc12787a8..5580ad520 100644 --- a/.github/workflows/run_conf_tests.yaml +++ b/.github/workflows/run_conf_tests.yaml @@ -25,7 +25,7 @@ jobs: - emqx - emqx-enterprise steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact @@ -40,7 +40,7 @@ jobs: if: failure() run: | cat _build/${{ matrix.profile }}/rel/emqx/logs/erlang.log.* - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: logs-${{ matrix.profile }} diff --git a/.github/workflows/run_docker_tests.yaml b/.github/workflows/run_docker_tests.yaml index a36806e9e..9315ac815 100644 --- a/.github/workflows/run_docker_tests.yaml +++ b/.github/workflows/run_docker_tests.yaml 
@@ -36,8 +36,8 @@ jobs: EMQX_IMAGE_OLD_VERSION_TAG: ${{ matrix.profile[1] }} steps: - - uses: actions/checkout@v3 - - uses: actions/download-artifact@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ env.EMQX_NAME }}-docker path: /tmp @@ -83,8 +83,8 @@ jobs: - mnesia - rlog steps: - - uses: actions/checkout@v3 - - uses: actions/download-artifact@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ env.EMQX_NAME }}-docker path: /tmp diff --git a/.github/workflows/run_emqx_app_tests.yaml b/.github/workflows/run_emqx_app_tests.yaml index 88e8e951a..f7c645aeb 100644 --- a/.github/workflows/run_emqx_app_tests.yaml +++ b/.github/workflows/run_emqx_app_tests.yaml @@ -36,7 +36,7 @@ jobs: shell: bash steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: run @@ -58,7 +58,7 @@ jobs: ./rebar3 eunit -v --name 'eunit@127.0.0.1' ./rebar3 as standalone_test ct --name 'test@127.0.0.1' -v --readable=true ./rebar3 proper -d test/props - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: logs-emqx-app-tests diff --git a/.github/workflows/run_helm_tests.yaml b/.github/workflows/run_helm_tests.yaml index e191100c4..e9ea3184f 100644 --- a/.github/workflows/run_helm_tests.yaml +++ b/.github/workflows/run_helm_tests.yaml 
@@ -42,10 +42,10 @@ jobs: - ssl1.3 - ssl1.2 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: source - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: "${{ env.EMQX_NAME }}-docker" path: /tmp @@ -165,7 +165,7 @@ jobs: fi sleep 1; done - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: emqx/paho.mqtt.testing ref: develop-5.0 diff --git a/.github/workflows/run_jmeter_tests.yaml b/.github/workflows/run_jmeter_tests.yaml index 0f22c6e84..e46a0b98e 100644 --- a/.github/workflows/run_jmeter_tests.yaml +++ b/.github/workflows/run_jmeter_tests.yaml @@ -7,13 +7,16 @@ on: required: true type: string +permissions: + contents: read + jobs: jmeter_artifact: runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }} steps: - name: Cache Jmeter id: cache-jmeter - uses: actions/cache@v3 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: /tmp/apache-jmeter.tgz key: apache-jmeter-5.4.3.tgz @@ -32,7 +35,7 @@ jobs: else wget --no-verbose --no-check-certificate -O /tmp/apache-jmeter.tgz $ARCHIVE_URL fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: apache-jmeter.tgz path: /tmp/apache-jmeter.tgz @@ -52,7 +55,7 @@ jobs: needs: jmeter_artifact steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/prepare-jmeter with: version-emqx: ${{ inputs.version-emqx }} @@ -83,7 +86,7 @@ jobs: echo "check logs failed" exit 1 fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: name: jmeter_logs 
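Review bot: Every JMeter job in run_jmeter_tests.yaml uploads `name: jmeter_logs` with `if: always()` (the `@@ -83,7 +86,7 @@` hunk here and the `@@ -150`, `@@ -210`, `@@ -262`, `@@ -306` hunks that follow); these jobs all declare `needs: jmeter_artifact` and so run in the same workflow run, and upload-artifact v4 rejects a second upload under an existing name, so all but the first finished job's log upload would fail unless an `if:` outside these hunks gates them. Use a per-job name, e.g. `name: jmeter_logs-${{ github.job }}`, adding matrix fields where a job is a matrix. Also, the context line in this file's `@@ -32,7 +35,7 @@` hunk fetches JMeter with `wget --no-check-certificate`, which undercuts the supply-chain goal of this commit; dropping the flag and checking the archive against a recorded checksum before caching would close that gap.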
@@ -108,7 +111,7 @@ jobs: needs: jmeter_artifact steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/prepare-jmeter with: version-emqx: ${{ inputs.version-emqx }} @@ -150,7 +153,7 @@ jobs: if: failure() run: | docker compose -f .ci/docker-compose-file/docker-compose-emqx-cluster.yaml logs --no-color > ./jmeter_logs/emqx.log - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: name: jmeter_logs @@ -172,7 +175,7 @@ jobs: needs: jmeter_artifact steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/prepare-jmeter with: version-emqx: ${{ inputs.version-emqx }} @@ -210,7 +213,7 @@ jobs: echo "check logs failed" exit 1 fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: name: jmeter_logs @@ -228,7 +231,7 @@ jobs: needs: jmeter_artifact steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/prepare-jmeter with: version-emqx: ${{ inputs.version-emqx }} @@ -262,7 +265,7 @@ jobs: echo "check logs failed" exit 1 fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: name: jmeter_logs @@ -281,7 +284,7 @@ jobs: needs: jmeter_artifact steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/prepare-jmeter with: version-emqx: ${{ inputs.version-emqx }} @@ -306,7 +309,7 @@ jobs: echo "check logs failed" exit 1 fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: name: jmeter_logs 
diff --git a/.github/workflows/run_relup_tests.yaml b/.github/workflows/run_relup_tests.yaml index 09638f51a..a93cee416 100644 --- a/.github/workflows/run_relup_tests.yaml +++ b/.github/workflows/run_relup_tests.yaml @@ -25,7 +25,7 @@ jobs: run: shell: bash steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: emqx-enterprise - name: extract artifact @@ -45,7 +45,7 @@ jobs: run: | export PROFILE='emqx-enterprise' make emqx-enterprise-tgz - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 name: Upload built emqx and test scenario with: name: emqx_built @@ -72,10 +72,10 @@ jobs: run: shell: bash steps: - - uses: erlef/setup-beam@v1.16.0 + - uses: erlef/setup-beam@a34c98fd51e370b4d4981854aba1eb817ce4e483 # v1.17.0 with: otp-version: 26.2.1 - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: hawk/lux ref: lux-2.8.1 @@ -88,7 +88,7 @@ jobs: ./configure make echo "$(pwd)/bin" >> $GITHUB_PATH - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 name: Download built emqx and test scenario with: name: emqx_built @@ -111,7 +111,7 @@ jobs: docker logs node2.emqx.io | tee lux_logs/emqx2.log exit 1 fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 name: Save debug data if: failure() with: diff --git a/.github/workflows/run_test_cases.yaml b/.github/workflows/run_test_cases.yaml index 788b992c7..0df6fa0f0 100644 --- a/.github/workflows/run_test_cases.yaml +++ b/.github/workflows/run_test_cases.yaml @@ -20,6 +20,9 @@ on: required: true type: string +permissions: + contents: read + env: IS_CI: "yes" 
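Review bot: In the `@@ -72,10 +72,10 @@` hunk of run_relup_tests.yaml the checkout of `hawk/lux` still uses `ref: lux-2.8.1`, a mutable tag, and the next hunk shows that tree being built with `./configure` and `make` and its `bin` prepended to `GITHUB_PATH`; that is third-party code executed in the job just like an action, so a moved tag has the same effect as an unpinned action. Pin it to the tag's commit: `ref: <LUX_COMMIT_SHA> # lux-2.8.1` (placeholder; resolve from the tag). The same consideration applies to `ref: v0.2.3` for emqx/tf-emqx-performance-test in performance_test.yaml, though that repository is org-owned.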
@@ -38,7 +41,7 @@ jobs: container: "ghcr.io/emqx/emqx-builder/${{ matrix.builder }}:${{ matrix.elixir }}-${{ matrix.otp }}-ubuntu22.04" steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact @@ -61,7 +64,7 @@ jobs: CT_COVER_EXPORT_PREFIX: ${{ matrix.profile }}-${{ matrix.otp }} run: make proper - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: coverdata path: _build/test/cover @@ -80,7 +83,7 @@ jobs: shell: bash steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact @@ -105,7 +108,7 @@ jobs: ENABLE_COVER_COMPILE: 1 CT_COVER_EXPORT_PREFIX: ${{ matrix.profile }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} run: ./scripts/ct/run.sh --ci --app ${{ matrix.app }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: coverdata path: _build/test/cover @@ -113,7 +116,7 @@ jobs: - name: compress logs if: failure() run: tar -czf logs.tar.gz _build/test/logs - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: logs-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} @@ -134,7 +137,7 @@ jobs: shell: bash steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact 
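Review bot: The `name: coverdata` upload in the `@@ -61,7 +64,7 @@` hunk of run_test_cases.yaml is now on upload-artifact v4, which does not allow several jobs or matrix entries to upload the same artifact name; the `@@ -105,7 +108,7 @@` and `@@ -151,7 +154,7 @@` hunks do the same, so with more than one matrix entry the second upload fails where v3 silently merged the files. The consumer in the `@@ -199,7 +202,7 @@` hunk (`name: coverdata` download) likewise no longer receives a merged set. Make each name unique from the same matrix fields already used for `CT_COVER_EXPORT_PREFIX`, e.g. `name: coverdata-${{ matrix.profile }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }}` (the logs upload in the `@@ -113,7 +116,7 @@` hunk already follows this pattern), and on the download side use download-artifact v4's `pattern: coverdata-*` with `merge-multiple: true` so the cover files land in one directory as before.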
@@ -151,7 +154,7 @@ jobs: CT_COVER_EXPORT_PREFIX: ${{ matrix.profile }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} run: | make "${{ matrix.app }}-ct" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: coverdata path: _build/test/cover @@ -160,7 +163,7 @@ jobs: - name: compress logs if: failure() run: tar -czf logs.tar.gz _build/test/logs - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: name: logs-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} @@ -191,7 +194,7 @@ jobs: profile: - emqx-enterprise steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact @@ -199,7 +202,7 @@ jobs: unzip -o -q ${{ matrix.profile }}.zip git config --global --add safe.directory "$GITHUB_WORKSPACE" - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 name: download coverdata with: name: coverdata diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 29f6610ce..228dafe20 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -23,12 +23,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif 
@@ -38,7 +38,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/spellcheck.yaml b/.github/workflows/spellcheck.yaml index 4fecadd31..e03a89c50 100644 --- a/.github/workflows/spellcheck.yaml +++ b/.github/workflows/spellcheck.yaml @@ -19,7 +19,7 @@ jobs: - emqx-enterprise runs-on: ${{ endsWith(github.repository, '/emqx') && 'ubuntu-22.04' || fromJSON('["self-hosted","ephemeral","linux","x64"]') }} steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: "${{ matrix.profile }}_schema_dump" path: /tmp/ diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 5dcb4a5fa..11afc7415 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -21,7 +21,7 @@ jobs: steps: - name: Close Stale Issues - uses: actions/stale@v6 + uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: days-before-stale: 7 days-before-close: 7 diff --git a/.github/workflows/static_checks.yaml b/.github/workflows/static_checks.yaml index 29c8384a0..a092210c8 100644 --- a/.github/workflows/static_checks.yaml +++ b/.github/workflows/static_checks.yaml 
@@ -30,14 +30,14 @@ jobs: include: ${{ fromJson(inputs.ct-matrix) }} container: "ghcr.io/emqx/emqx-builder/${{ matrix.builder }}:${{ matrix.elixir }}-${{ matrix.otp }}-ubuntu22.04" steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: ${{ matrix.profile }} - name: extract artifact run: | unzip -o -q ${{ matrix.profile }}.zip git config --global --add safe.directory "$GITHUB_WORKSPACE" - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: "emqx_dialyzer_${{ matrix.otp }}_plt" key: rebar3-dialyzer-plt-${{ matrix.profile }}-${{ matrix.otp }}-${{ hashFiles('rebar.*', 'apps/*/rebar.*') }} diff --git a/.github/workflows/upload-helm-charts.yaml b/.github/workflows/upload-helm-charts.yaml index 44261d137..2fb26b412 100644 --- a/.github/workflows/upload-helm-charts.yaml +++ b/.github/workflows/upload-helm-charts.yaml @@ -9,18 +9,21 @@ on: type: string required: true +permissions: + contents: read + jobs: upload: runs-on: ubuntu-22.04 strategy: fail-fast: false steps: - - uses: aws-actions/configure-aws-credentials@v2 + - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.inputs.tag }} - name: Detect profile diff --git a/scripts/bump-actions-versions.sh b/scripts/bump-actions-versions.sh new file mode 100755 index 000000000..61731fe2b --- /dev/null +++ b/scripts/bump-actions-versions.sh 
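Review bot: The new `permissions: contents: read` in `upload-helm-charts.yaml` is a good default, but the `aws-actions/configure-aws-credentials` step it sits above still signs in with long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` repository secrets, so a leaked secret store gives durable AWS access. The v4.0.1 pinned here supports GitHub OIDC: if an IAM role trusting this repository exists or can be created, add `id-token: write` and switch the step to `role-to-assume`, which leaves no static key in GitHub at all. The `ref: ${{ github.event.inputs.tag }}` checkout is fine as a `workflow_dispatch` input. The rest of the `upload` job is outside the hunk.

```yaml
permissions:
  contents: read
  id-token: write  # lets configure-aws-credentials request an OIDC token for this run

# … unchanged: jobs / upload / runs-on / strategy …
      - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}  # IAM role whose trust policy names this repo's OIDC subject
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
```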
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+actions=( 'actions/checkout' 'actions/cache' 'actions/stale' 'actions/upload-artifact' 'actions/download-artifact' 'aws-actions/configure-aws-credentials' 'ossf/scorecard-action' 'erlef/setup-beam' 'slackapi/slack-github-action' 'hashicorp/setup-terraform' 'docker/login-action' 'docker/setup-buildx-action' 'docker/setup-qemu-action' )
+for a in "${actions[@]}"; do
+ # shellcheck disable=SC2086
+ TAG=$(curl -sSfL -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/$a/releases/latest | jq -r '.tag_name')
+ # shellcheck disable=SC2086
+ TAG_OBJECT=$(curl -sSfL -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/$a/git/ref/tags/$TAG)
+ if [ "$(echo "${TAG_OBJECT}" | jq -r '.object.type')" = "commit" ]; then
+ COMMIT_SHA=$(echo "${TAG_OBJECT}" | jq -r '.object.sha')
+ else
+ TAG_SHA=$(echo "${TAG_OBJECT}" | jq -r '.object.sha')
+ # shellcheck disable=SC2086
+ COMMIT_SHA=$(curl -sSfL -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/$a/git/tags/$TAG_SHA | jq -r '.object.sha')
+ fi
+ echo "Bumping $a to $TAG ($COMMIT_SHA)"
+ sed -i.bak -e "s|uses: $a.*$|uses: $a@$COMMIT_SHA # $TAG|g" .github/workflows/*.yaml
+ rm .github/workflows/*.bak
+done
From b2a6e94961545d19b715825549430cac186d79cd Mon Sep 17 00:00:00 2001
From: Ivan Dyachkov
Date: Thu, 11 Jan 2024 11:24:55 +0100
Subject: [PATCH 2/6] ci: enable dependabot
---
 .github/dependabot.yml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..4dced5320
--- /dev/null
+++ b/.github/dependabot.yml
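Review bot: The `sed` expression `s|uses: $a.*$|uses: $a@$COMMIT_SHA # $TAG|g` in the new `bump-actions-versions.sh` is a prefix match, so with `actions/cache` in `actions=(...)` it would also rewrite a `uses: actions/cache/restore@...` line, and `actions/checkout` would catch any `actions/checkout-*` action, stamping them with the wrong repository's SHA; anchoring on the `@` removes that: `sed -i.bak -e "s|uses: $a@.*$|uses: $a@$COMMIT_SHA # $TAG|g" .github/workflows/*.yaml`. The loop also rewrites every match unconditionally, so a pin that is deliberately held back (later in this series `build_packages.yaml` is kept on `actions/checkout` v3 for old-GLIBC builders) is silently bumped on the next run; a sed address such as `"/# do not bump/! s|uses: $a@.*$|uses: $a@$COMMIT_SHA # $TAG|g"` lets such a line opt out. `set -u` already makes a missing `GITHUB_TOKEN` fail loudly, which is the right behaviour here.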
@@ -0,0 +1,32 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: "/"
+ reviewers:
+ - "emqx/emqx-review-board"
+ schedule:
+ interval: weekly
+ groups:
+ actions:
+ patterns:
+ - "*"
+ - package-ecosystem: github-actions
+ directory: "/.github/actions/package-macos/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+ reviewers:
+ - "emqx/emqx-review-board"
+ schedule:
+ interval: weekly
+ groups:
+ actions-package-macos:
+ patterns:
+ - "*"
+ - package-ecosystem: github-actions
+ directory: "/.github/actions/prepare-jmeter/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+ reviewers:
+ - "emqx/emqx-review-board"
+ schedule:
+ interval: weekly
+ groups:
+ actions-prepare-jmeter:
+ patterns:
+ - "*"
From 06b7d8c2937540a441335ccc98cb3413a27c0540 Mon Sep 17 00:00:00 2001
From: Ivan Dyachkov
Date: Thu, 11 Jan 2024 11:28:24 +0100
Subject: [PATCH 3/6] ci: run CodeQL on release-54 as well as on master
---
 .github/workflows/codeql.yaml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index accdbe657..9021d0c86 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -4,9 +4,6 @@ on:
 schedule:
 - cron: '33 14 * * 4'
 workflow_dispatch:
- inputs:
- ref:
- required: false
 permissions:
 contents: read
@@ -25,13 +22,18 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- language: [ 'cpp', 'python' ]
+ branch:
+ - master
+ - release-54
+ language:
+ - cpp
+ - python
 steps:
 - name: Checkout repository
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
- ref: ${{ github.event.inputs.ref }}
+ ref: ${{ matrix.branch }}
 - name: Ensure git safe dir
 run: |
From bd6375e2cf3a7b2ef024727cd442957870a56314 Mon Sep 17 00:00:00 2001
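Review bot: The `patterns` / `"*"` groups in the new `dependabot.yml` bundle major bumps of every action into one weekly PR with no `ignore:` rule, yet later in this series `build_packages.yaml` is deliberately held on `actions/checkout` v3.6.0 and `actions/upload-artifact` v3.1.3 because the node20 runtime of v4 does not start on the older builder images, so Dependabot will propose re-bumping those every week. The `github-actions` ecosystem has no per-file exclusion, so the choice is between repo-wide `ignore:` entries (for example `- dependency-name: "actions/checkout"` with `versions: [">=4"]`, and likewise for `actions/upload-artifact`), which also freeze those actions in the workflows that can run v4, or accepting that the grouped PR needs hand-editing. Whichever is chosen, a comment in this config recording the decision saves the next maintainer the same investigation.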
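Review bot: The `branch:` matrix added in the `@@ -25,13` hunk hard-codes `release-54`, so the next release branch is not scanned until someone edits this file, and with the `workflow_dispatch` `ref` input removed in the first hunk there is no longer a way to scan an ad-hoc branch by hand. A comment on the list makes the maintenance expectation visible: `# add each new release-5x branch here; master alone does not cover backports`. The `Ensure git safe dir` step's script and the rest of the job lie outside the hunk.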
From: Ivan Dyachkov Date: Thu, 11 Jan 2024 12:52:04 +0100 Subject: [PATCH 4/6] ci: bump actions versions in local actions --- .github/actions/package-macos/action.yaml | 2 +- .github/actions/prepare-jmeter/action.yaml | 8 ++++---- scripts/bump-actions-versions.sh | 4 +++- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/actions/package-macos/action.yaml b/.github/actions/package-macos/action.yaml index a2d89ac54..bae335cf0 100644 --- a/.github/actions/package-macos/action.yaml +++ b/.github/actions/package-macos/action.yaml @@ -51,7 +51,7 @@ runs: echo "SELF_HOSTED=false" >> $GITHUB_OUTPUT ;; esac - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 id: cache if: steps.prepare.outputs.SELF_HOSTED != 'true' with: diff --git a/.github/actions/prepare-jmeter/action.yaml b/.github/actions/prepare-jmeter/action.yaml index e3d30af1a..0d12b1e36 100644 --- a/.github/actions/prepare-jmeter/action.yaml +++ b/.github/actions/prepare-jmeter/action.yaml @@ -8,7 +8,7 @@ inputs: runs: using: composite steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: emqx-docker path: /tmp 
@@ -19,19 +19,19 @@ runs: run: | EMQX_DOCKER_IMAGE_TAG=$(docker load < /tmp/emqx-docker-${PKG_VSN}.tar.gz | sed 's/Loaded image: //g') echo "_EMQX_DOCKER_IMAGE_TAG=$EMQX_DOCKER_IMAGE_TAG" >> $GITHUB_ENV - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: emqx/emqx-fvt ref: broker-autotest-v5 path: scripts - - uses: actions/setup-java@v3 + - uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 with: java-version: '8.0.282' # The JDK version to make available on the path. java-package: jdk # (jre, jdk, or jdk+fx) - defaults to jdk architecture: x64 # (x64 or x86) - defaults to x64 # https://github.com/actions/setup-java/blob/main/docs/switching-to-v2.md distribution: 'zulu' - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: apache-jmeter.tgz - name: install jmeter diff --git a/scripts/bump-actions-versions.sh b/scripts/bump-actions-versions.sh index 61731fe2b..1e65d4938 100755 --- a/scripts/bump-actions-versions.sh +++ b/scripts/bump-actions-versions.sh 
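Review bot: The `emqx/emqx-fvt` checkout in this hunk is pinned to `ref: broker-autotest-v5`, which by its form looks like a branch, so the JMeter scenarios it drops under `path: scripts` can change between runs while the surrounding actions are now SHA-pinned. If those scenarios are meant to be reproducible, pin `ref:` to a commit id and keep `# broker-autotest-v5` as the trailing comment; the clone is read-only here, so `persist-credentials: false` also keeps the job token out of that checkout. The composite action's remaining steps are outside the hunk.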
@@ -2,7 +2,7 @@ set -euo pipefail
-actions=( 'actions/checkout' 'actions/cache' 'actions/stale' 'actions/upload-artifact' 'actions/download-artifact' 'aws-actions/configure-aws-credentials' 'ossf/scorecard-action' 'erlef/setup-beam' 'slackapi/slack-github-action' 'hashicorp/setup-terraform' 'docker/login-action' 'docker/setup-buildx-action' 'docker/setup-qemu-action' )
+actions=( 'actions/checkout' 'actions/cache' 'actions/stale' 'actions/upload-artifact' 'actions/download-artifact' 'aws-actions/configure-aws-credentials' 'ossf/scorecard-action' 'erlef/setup-beam' 'slackapi/slack-github-action' 'hashicorp/setup-terraform' 'docker/login-action' 'docker/setup-buildx-action' 'docker/setup-qemu-action' 'actions/setup-java' )
 for a in "${actions[@]}"; do
 # shellcheck disable=SC2086
 TAG=$(curl -sSfL -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/$a/releases/latest | jq -r '.tag_name')
@@ -17,5 +17,7 @@ for a in "${actions[@]}"; do
 fi
 echo "Bumping $a to $TAG ($COMMIT_SHA)"
 sed -i.bak -e "s|uses: $a.*$|uses: $a@$COMMIT_SHA # $TAG|g" .github/workflows/*.yaml
+ sed -i.bak -e "s|uses: $a.*$|uses: $a@$COMMIT_SHA # $TAG|g" .github/actions/*/*.yaml
 rm .github/workflows/*.bak
+ rm .github/actions/*/*.bak
 done
From f65ab9b48c40ce6cdda0f484401ddb8f05a31922 Mon Sep 17 00:00:00 2001
From: Ivan Dyachkov
Date: Thu, 11 Jan 2024 12:57:47 +0100
Subject: [PATCH 5/6] ci: fix actions/upload-artifact v4 compatibility
---
 .github/workflows/build_packages.yaml | 8 +++++---
 .github/workflows/build_slim_packages.yaml | 5 +++--
 .github/workflows/run_conf_tests.yaml | 2 +-
 .github/workflows/run_jmeter_tests.yaml | 10 +++++-----
 .github/workflows/run_relup_tests.yaml | 6 +++---
 .github/workflows/run_test_cases.yaml | 11 +++++++----
 .github/workflows/spellcheck.yaml | 6 +++---
 7 files changed, 27 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/build_packages.yaml b/.github/workflows/build_packages.yaml
index fad200a93..92926e924 100644
--- a/.github/workflows/build_packages.yaml +++ b/.github/workflows/build_packages.yaml @@ -99,9 +99,10 @@ jobs: - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: success() with: - name: ${{ matrix.profile }} + name: ${{ matrix.profile }}-${{ matrix.otp }}-${{ matrix.os }} path: _packages/${{ matrix.profile }}/ retention-days: 7 + compression-level: 0 linux: runs-on: [self-hosted, ephemeral, linux, "${{ matrix.arch }}"] @@ -195,9 +196,10 @@ jobs: fi - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: - name: ${{ matrix.profile }} + name: ${{ matrix.profile }}-${{ matrix.otp }}-${{ matrix.arch }}-${{ matrix.os }}-${{ matrix.with_elixir == 'yes' && 'elixir' || 'erlang' }} path: _packages/${{ matrix.profile }}/ retention-days: 7 + compression-level: 0 publish_artifacts: runs-on: ubuntu-latest @@ -213,7 +215,7 @@ jobs: steps: - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: - name: ${{ matrix.profile }} + pattern: ${{ matrix.profile }}-* path: packages/${{ matrix.profile }} - name: install dos2unix run: sudo apt-get update -y && sudo apt install -y dos2unix diff --git a/.github/workflows/build_slim_packages.yaml b/.github/workflows/build_slim_packages.yaml index bce20191b..4b9ca76b9 100644 --- a/.github/workflows/build_slim_packages.yaml +++ b/.github/workflows/build_slim_packages.yaml 
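Review bot: `pattern: ${{ matrix.profile }}-*` in the `publish_artifacts` download is a prefix glob, so if the profile matrix (outside the hunk) carries both `emqx` and `emqx-enterprise`, the `emqx` job's `emqx-*` also matches every `emqx-enterprise-*` artifact uploaded by the two build jobs above and both package sets get published from `packages/emqx`. Put a fixed token right after the profile in the uploaded names and match on it, e.g. `name: ${{ matrix.profile }}-pkg-${{ matrix.otp }}-...` in both upload steps and `pattern: ${{ matrix.profile }}-pkg-*` here, since `emqx-pkg-*` cannot match `emqx-enterprise-pkg-...`. Also, with `pattern:` and no `merge-multiple: true`, download-artifact v4 places each artifact in its own sub-directory under `path:` as far as I recall the v4 docs, so the dos2unix step and whatever follows must expect that layout; those later steps are outside the hunk.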
@@ -90,12 +90,13 @@ jobs: ./scripts/pkg-tests.sh ${EMQX_NAME}-elixir-pkg - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: - name: "${{ matrix.profile[0] }}-${{ matrix.profile[1] }}-${{ matrix.profile[2] }}" + name: "${{ matrix.profile[0] }}-${{ matrix.profile[1] }}-${{ matrix.profile[2] }}-${{ matrix.profile[3] }}-${{ matrix.profile[4] }}" path: _packages/${{ matrix.profile[0] }}/* retention-days: 7 + compression-level: 0 - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: - name: "${{ matrix.profile[0] }}_schema_dump" + name: "${{ matrix.profile[0] }}-schema-dump-${{ matrix.profile[1] }}-${{ matrix.profile[2] }}-${{ matrix.profile[3] }}-${{ matrix.profile[4] }}" path: | scripts/spellcheck _build/docgen/${{ matrix.profile[0] }}/schema-en.json diff --git a/.github/workflows/run_conf_tests.yaml b/.github/workflows/run_conf_tests.yaml index 5580ad520..cac63910b 100644 --- a/.github/workflows/run_conf_tests.yaml +++ b/.github/workflows/run_conf_tests.yaml @@ -43,6 +43,6 @@ jobs: - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: failure() with: - name: logs-${{ matrix.profile }} + name: conftest-logs-${{ matrix.profile }} path: _build/${{ matrix.profile }}/rel/emqx/logs retention-days: 7 diff --git a/.github/workflows/run_jmeter_tests.yaml b/.github/workflows/run_jmeter_tests.yaml index e46a0b98e..86cbf220f 100644 --- a/.github/workflows/run_jmeter_tests.yaml +++ b/.github/workflows/run_jmeter_tests.yaml @@ -89,7 +89,7 @@ jobs: - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: - name: jmeter_logs + name: jmeter_logs-advanced_feat-${{ matrix.scripts_type }} path: ./jmeter_logs retention-days: 3 
@@ -156,7 +156,7 @@ jobs: - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: - name: jmeter_logs + name: jmeter_logs-pgsql_authn_authz-${{ matrix.scripts_type }}_${{ matrix.pgsql_tag }} path: ./jmeter_logs retention-days: 3 @@ -216,7 +216,7 @@ jobs: - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: - name: jmeter_logs + name: jmeter_logs-mysql_authn_authz-${{ matrix.scripts_type }}_${{ matrix.mysql_tag }} path: ./jmeter_logs retention-days: 3 @@ -268,7 +268,7 @@ jobs: - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: - name: jmeter_logs + name: jmeter_logs-JWT_authn-${{ matrix.scripts_type }} path: ./jmeter_logs retention-days: 3 @@ -312,6 +312,6 @@ jobs: - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: always() with: - name: jmeter_logs + name: jmeter_logs-built_in_database_authn_authz-${{ matrix.scripts_type }} path: ./jmeter_logs retention-days: 3 diff --git a/.github/workflows/run_relup_tests.yaml b/.github/workflows/run_relup_tests.yaml index a93cee416..db8cef69d 100644 --- a/.github/workflows/run_relup_tests.yaml +++ b/.github/workflows/run_relup_tests.yaml @@ -48,7 +48,7 @@ jobs: - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 name: Upload built emqx and test scenario with: - name: emqx_built + name: relup_tests_emqx_built path: | _upgrade_base _packages @@ -91,7 +91,7 @@ jobs: - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 name: Download built emqx and test scenario with: - name: emqx_built + name: relup_tests_emqx_built path: . - name: run relup test run: | @@ -115,7 +115,7 @@ jobs: name: Save debug data if: failure() with: - name: debug_data + name: relup_test_run_debug_data path: | lux_logs retention-days: 3 
diff --git a/.github/workflows/run_test_cases.yaml b/.github/workflows/run_test_cases.yaml index 0df6fa0f0..8841c845b 100644 --- a/.github/workflows/run_test_cases.yaml +++ b/.github/workflows/run_test_cases.yaml @@ -66,7 +66,7 @@ jobs: - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: - name: coverdata + name: coverdata-${{ matrix.profile }}-${{ matrix.otp }} path: _build/test/cover retention-days: 7 @@ -110,7 +110,7 @@ jobs: run: ./scripts/ct/run.sh --ci --app ${{ matrix.app }} - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: - name: coverdata + name: coverdata-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} path: _build/test/cover retention-days: 7 - name: compress logs @@ -121,6 +121,7 @@ jobs: with: name: logs-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} path: logs.tar.gz + compression-level: 0 retention-days: 7 ct: @@ -156,7 +157,7 @@ jobs: make "${{ matrix.app }}-ct" - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: - name: coverdata + name: coverdata-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} path: _build/test/cover if-no-files-found: warn # do not fail if no coverdata found retention-days: 7 @@ -168,6 +169,7 @@ jobs: with: name: logs-${{ matrix.profile }}-${{ matrix.prefix }}-${{ matrix.otp }}-sg${{ matrix.suitegroup }} path: logs.tar.gz + compression-level: 0 retention-days: 7 tests_passed: @@ -205,8 +207,9 @@ jobs: - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 name: download coverdata with: - name: coverdata + pattern: coverdata-${{ matrix.profile }}-* path: _build/test/cover + merge-multiple: true - name: make cover env: diff --git a/.github/workflows/spellcheck.yaml b/.github/workflows/spellcheck.yaml index e03a89c50..0517cad41 100644 --- a/.github/workflows/spellcheck.yaml 
+++ b/.github/workflows/spellcheck.yaml @@ -21,8 +21,8 @@ jobs: steps: - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: - name: "${{ matrix.profile }}_schema_dump" - path: /tmp/ + pattern: "${{ matrix.profile }}-schema-dump-*-x64" + merge-multiple: true - name: Run spellcheck run: | - bash /tmp/scripts/spellcheck/spellcheck.sh /tmp/_build/docgen/${{ matrix.profile }}/schema-en.json + bash scripts/spellcheck/spellcheck.sh _build/docgen/${{ matrix.profile }}/schema-en.json From beb70265a6414904fae576c04c7ab143d69a70c6 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Thu, 11 Jan 2024 17:54:42 +0100 Subject: [PATCH 6/6] ci: downgrade actions/checkout and actions/upload-artifact version in build_packages Starting from v4.0.0 actions/checkout has been using node20 runtime. On Amazon Linux 2, EL7 and Ubuntu 18.04 GLIBC it's too old for node to run: /__e/node20/bin/node: /lib64/libm.so.6: version `GLIBC_2.27' not found (required by /__e/node20/bin/node) /__e/node20/bin/node: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by /__e/node20/bin/node) --- .github/workflows/build_packages.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_packages.yaml b/.github/workflows/build_packages.yaml index 92926e924..a5c5c9343 100644 --- a/.github/workflows/build_packages.yaml +++ b/.github/workflows/build_packages.yaml @@ -153,7 +153,7 @@ jobs: shell: bash steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: ref: ${{ github.event.inputs.ref }} fetch-depth: 0 
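Review bot: The downgrade of `actions/checkout` to v3.6.0 in the `@@ -153,7` hunk has no in-file explanation, and both the new `scripts/bump-actions-versions.sh` (a blanket `sed` over `.github/workflows/*.yaml`) and the new Dependabot config will move it back to v4 on their next run. Record the reason next to the pin, e.g. `- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 -- do not bump: v4+ needs node20 (GLIBC >= 2.28), missing on the Amazon Linux 2 / EL7 / Ubuntu 18.04 builders`, so the future bump PR is caught in review. v3 runs on the node16 runtime that GitHub has announced as deprecated, so the pin is a stopgap until the old builder images go. The job's other steps are outside the hunk.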
@@ -194,12 +194,11 @@ jobs:
 ./scripts/pkg-tests.sh "${PROFILE}-tgz"
 ./scripts/pkg-tests.sh "${PROFILE}-pkg"
 fi
- - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+ - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: ${{ matrix.profile }}-${{ matrix.otp }}-${{ matrix.arch }}-${{ matrix.os }}-${{ matrix.with_elixir == 'yes' && 'elixir' || 'erlang' }}
 path: _packages/${{ matrix.profile }}/
 retention-days: 7
- compression-level: 0
 publish_artifacts:
 runs-on: ubuntu-latest
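Review bot: This hunk moves the `linux` job's package upload back to `actions/upload-artifact` v3.1.3, but `publish_artifacts` (changed earlier in this series) downloads with `actions/download-artifact` v4.1.1 and a `pattern:`; as I recall the v4 migration notes, artifacts uploaded by v3 are not returned to the v4 download action and vice-versa, and the macOS job in this workflow still uploads with v4, so the publish job would see at most one of the two sets. Verify on a real run that the linux packages arrive in `packages/${{ matrix.profile }}`; if they do not, `publish_artifacts` must also go back to download-artifact v3 (omitting `name:` fetches all artifacts into per-artifact sub-directories, which can then be filtered by the `${{ matrix.profile }}-` prefix). The `publish_artifacts` job is cut off at the end of the hunk.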