From 19e3a98199a81ea13f3f8e2df5240bd110901f1b Mon Sep 17 00:00:00 2001
From: Nikola Irinchev
Date: Wed, 27 Nov 2024 02:00:58 +0100
Subject: [PATCH 1/3] chore(ci): use github app for tokens
---
.../authors-and-third-party-notices.yaml | 13 +-----
.github/workflows/bump-packages.yaml | 35 +++++++---------
.github/workflows/merge-bump-packages-pr.yaml | 11 +++--
.github/workflows/update-electron.yaml | 42 +++++++++----------
CONTRIBUTING.md | 2 +-
5 files changed, 45 insertions(+), 58 deletions(-)
diff --git a/.github/workflows/authors-and-third-party-notices.yaml b/.github/workflows/authors-and-third-party-notices.yaml
index c915399f7ae..683cb19cf8d 100644
--- a/.github/workflows/authors-and-third-party-notices.yaml
+++ b/.github/workflows/authors-and-third-party-notices.yaml
@@ -16,18 +16,12 @@ jobs:
HADRON_DISTRIBUTION: compass
steps:
- name: Create Github App Token
- uses: actions/create-github-app-token@v1
+ uses: mongodb-js/devtools-shared/actions/setup-bot-token@ni/github-app-action
id: app-token
with:
app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
- - name: Get GitHub App User ID
- id: get-user-id
- run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
- env:
- GH_TOKEN: ${{ steps.app-token.outputs.token }}
-
- uses: actions/checkout@v4
with:
# don't checkout a detatched HEAD
@@ -38,11 +32,6 @@ jobs:
fetch-depth: "0"
token: ${{ steps.app-token.outputs.token }}
- - name: Set up Git
- run: |
- git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
- git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
-
- uses: actions/setup-node@v4
with:
node-version: 20.16.0
diff --git a/.github/workflows/bump-packages.yaml b/.github/workflows/bump-packages.yaml
index 87d62542842..c4b4b665f73 100644
--- a/.github/workflows/bump-packages.yaml
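Review bot: The `Get GitHub App User ID` and `Set up Git` steps that this hunk removes were the only place this file configured a committer identity, and nothing in the new `Create Github App Token` step says that `setup-bot-token` now takes that over, so a reader cannot tell where the identity for the job's later commits comes from. Add a comment on the step, e.g. `# setup-bot-token mints the app token and (presumably) sets git user.name/user.email for the bot` — confirm that the composite action really does this, because otherwise the commits later in the job fail for lack of an identity. The second hunk keeps passing the app token to `actions/checkout` via `token:`; with the action's default `persist-credentials: true` that token remains in `.git/config` for every later step, so keep it that way only if a later step pushes with it, otherwise set `persist-credentials: false`. The job continues beyond both hunks.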
+++ b/.github/workflows/bump-packages.yaml
@@ -10,24 +10,22 @@ jobs:
name: Bump packages
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - name: Create Github App Token
+ uses: mongodb-js/devtools-shared/actions/setup-bot-token@ni/github-app-action
+ id: app-token
+ with:
+ app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+ private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+ - uses: actions/checkout@v4
with:
# don't checkout a detatched HEAD
ref: ${{ github.head_ref }}
- # this is important so git log can pick up on
- # the whole history to generate the list of AUTHORS
- fetch-depth: '0'
-
- - name: Setup git
- run: |
- git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
- git config --local user.name "github-actions[bot]"
-
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
with:
node-version: 20.16.0
- cache: 'npm'
+ cache: "npm"
- name: Install npm@10.2.4
run: |
@@ -40,21 +38,20 @@ jobs:
- name: Bump packages
env:
- LAST_BUMP_COMMIT_MESSAGE: 'chore(release): bump package versions'
- SKIP_BUMP_PACKAGES: 'mongodb-compass'
+ LAST_BUMP_COMMIT_MESSAGE: "chore(release): bump package versions"
+ SKIP_BUMP_PACKAGES: "mongodb-compass"
run: |
npm run bump-packages
git add .
git commit --no-allow-empty -m "$LAST_BUMP_COMMIT_MESSAGE" || true
- name: Create Pull Request
- id: cpr
- uses: peter-evans/create-pull-request@v6
+ uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5
with:
- token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
- commit-message: 'chore(release): bump package versions'
+ token: ${{ steps.app-token.outputs.token }}
+ commit-message: "chore(release): bump package versions"
branch: ci/bump-packages
- title: 'chore(release): bump package versions'
+ title: "chore(release): bump package versions"
labels: no-title-validation
body: |
- Bump package versions
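Review bot: Dropping `fetch-depth: '0'` from the checkout in the first hunk leaves a shallow clone, yet the `Bump packages` step in the second hunk runs `npm run bump-packages` with `LAST_BUMP_COMMIT_MESSAGE` set, which suggests the tool walks `git log` back to the previous bump commit; with a single commit of history that lookup cannot succeed and the computed versions would be wrong or empty. Unless the tool is known not to need history, put `fetch-depth: "0"` back under the checkout's `with:`. The removed `Setup git` step was also the only committer identity this file set for the `git commit` in that step, and that commit ends in `|| true`, so a missing identity would be swallowed silently rather than fail the job — confirm `setup-bot-token` configures `user.name`/`user.email` and say so in a comment on the step. The job body runs past the end of both hunks.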
diff --git a/.github/workflows/merge-bump-packages-pr.yaml b/.github/workflows/merge-bump-packages-pr.yaml
index 843b2d17f94..2ec34e9dfe7 100644
--- a/.github/workflows/merge-bump-packages-pr.yaml
+++ b/.github/workflows/merge-bump-packages-pr.yaml
@@ -3,18 +3,23 @@ on:
workflow_dispatch:
schedule:
# Each Tuesday at 5 AM UTC
- - cron: '0 5 * * 2'
+ - cron: "0 5 * * 2"
jobs:
merge_bump_packages_pr:
name: Merge bump packages PR
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - name: Create Github App Token
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+ private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
- name: Merge PR
env:
- GITHUB_TOKEN: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -e
PR_NUMBER=$(gh pr list -s open --head=ci/bump-packages --limit=1 --json number | jq '.[0].number')
diff --git a/.github/workflows/update-electron.yaml b/.github/workflows/update-electron.yaml
index 89d25c81b62..cd967c684da 100644
--- a/.github/workflows/update-electron.yaml
+++ b/.github/workflows/update-electron.yaml
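Review bot: With the checkout step removed and the PAT replaced by the app token, this job no longer uses the workflow's default `GITHUB_TOKEN` at all, but no `permissions:` block is visible in the hunk; unless one exists outside it, add `permissions: {}` at the job level so the implicit token carries no write scopes while the app token does the merging. The `Merge PR` script continues past the hunk; `jq '.[0].number'` yields `null` when no open PR on `ci/bump-packages` exists and `set -e` does not catch that, so the lines that follow should bail out on an empty or `null` `PR_NUMBER`. The same `permissions` question applies to the other three workflows in this patch.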
@@ -11,44 +11,40 @@ jobs:
name: Update Electron
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - name: Create Github App Token
+ uses: mongodb-js/devtools-shared/actions/setup-bot-token@ni/github-app-action
+ id: app-token
+ with:
+ app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+ private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+ - uses: actions/checkout@v4
with:
# don't checkout a detatched HEAD
ref: ${{ github.head_ref }}
- # this is important so git log can pick up on
- # the whole history to generate the list of AUTHORS
- fetch-depth: '0'
-
- - name: Setup git
- run: |
- git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
- git config --local user.name "github-actions[bot]"
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
with:
node-version: 20.16.0
- cache: 'npm'
+ cache: "npm"
- name: Install npm@10.2.4
run: |
npm install -g npm@10.2.4
+
- name: Install Dependencies
- run: |
- npm -v
- npm ci
+ run: npm ci
+
- name: Bump packages
- run: |
- node scripts/update-electron.js
- git add .
- git commit --no-allow-empty -m "chore(deps): update electron" || true
+ run: node scripts/update-electron.js
+
- name: Create Pull Request
- id: cpr
- uses: peter-evans/create-pull-request@v6
+ uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5
with:
- token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
- commit-message: 'chore(deps): update electron'
+ token: ${{ steps.app-token.outputs.token }}
+ commit-message: "chore(deps): update electron"
branch: ci/update-electron
- title: 'chore(deps): update electron'
+ title: "chore(deps): update electron"
labels: no-title-validation
body: |
- Update electron
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a8ecdf711c9..f005b5f5c75 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
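Review bot: The step still named `Bump packages` now runs only `node scripts/update-electron.js`, so its name no longer describes it; rename it `- name: Update Electron`. Dropping the explicit `git add`/`git commit` is fine only because `create-pull-request` is now relied on to stage and commit every change the script leaves in the working tree, which is that action's default; a comment on the `Create Pull Request` step saying `# the action stages and commits whatever update-electron.js changed` would save the next reader from looking for the missing commit. The same `fetch-depth`/`Setup git` removal as in bump-packages.yaml happens here, though this job does not appear to depend on git history.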
@@ -97,7 +97,7 @@ In particular each change to the `main` branch is analyzed to calculate a new ve
Merging that PR will trigger another CI job that will publish to NPM any package which version is not yet present on the registry.
-The version of packages is calculated following conventional bumps: See https://github.com/mongodb-js/devtools-shared/tree/main/packages/bump-monorepo-packages for details.
+The version of packages is calculated following conventional bumps: See https://github.com/mongodb-js/devtools-shared/tree/main/packages/monorepo-tools for details.
## Add / Update / Remove Dependencies in Packages
From 5fd7bd8e85f8180003b6baa86e6d7184d476df10 Mon Sep 17 00:00:00 2001
From: Nikola Irinchev
Date: Wed, 27 Nov 2024 13:52:41 +0100
Subject: [PATCH 2/3] Use @main
---
.github/workflows/authors-and-third-party-notices.yaml | 2 +-
.github/workflows/bump-packages.yaml | 2 +-
.github/workflows/merge-bump-packages-pr.yaml | 2 +-
.github/workflows/update-electron.yaml | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/authors-and-third-party-notices.yaml b/.github/workflows/authors-and-third-party-notices.yaml
index 683cb19cf8d..27ad2b1bf0f 100644
--- a/.github/workflows/authors-and-third-party-notices.yaml
+++ b/.github/workflows/authors-and-third-party-notices.yaml
@@ -16,7 +16,7 @@ jobs:
HADRON_DISTRIBUTION: compass
steps:
- name: Create Github App Token
- uses: mongodb-js/devtools-shared/actions/setup-bot-token@ni/github-app-action
+ uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
id: app-token
with:
app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
diff --git a/.github/workflows/bump-packages.yaml b/.github/workflows/bump-packages.yaml
index c4b4b665f73..a98adf2ef7b 100644
--- a/.github/workflows/bump-packages.yaml
+++ b/.github/workflows/bump-packages.yaml
@@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Create Github App Token
- uses: mongodb-js/devtools-shared/actions/setup-bot-token@ni/github-app-action
+ uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
id: app-token
with:
app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
diff --git a/.github/workflows/merge-bump-packages-pr.yaml b/.github/workflows/merge-bump-packages-pr.yaml
index 2ec34e9dfe7..bf14b6db1df 100644
--- a/.github/workflows/merge-bump-packages-pr.yaml
+++ b/.github/workflows/merge-bump-packages-pr.yaml
@@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Create Github App Token
- uses: actions/create-github-app-token@v1
+ uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
id: app-token
with:
app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
diff --git a/.github/workflows/update-electron.yaml b/.github/workflows/update-electron.yaml
index cd967c684da..a127ddd0b20 100644
--- a/.github/workflows/update-electron.yaml
+++ b/.github/workflows/update-electron.yaml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Create Github App Token
- uses: mongodb-js/devtools-shared/actions/setup-bot-token@ni/github-app-action
+ uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
id: app-token
with:
app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
From ea854e8b7bcaf71729a5118e7f6c776149af0d98 Mon Sep 17 00:00:00 2001
From: Nikola Irinchev
Date: Wed, 27 Nov 2024 16:13:34 +0100
Subject: [PATCH 3/3] Update contributing.md
---
CONTRIBUTING.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index f005b5f5c75..efbb0c7f451 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -115,6 +115,14 @@ npm run create-workspace [workspace name]
This will do all the initial workspace bootstrapping for you, ensuring that your package has all the standard configs set up and ready, and all the npm scripts aligned with other packages in the monorepo, which is important to get the most out of all the provided helpers in this repository (like `npm run check-changed` commands or to make sure that your tests will not immediately fail in CI because of the test timeout being too small)
+## Using Github Actions
+
+Github actions offers an easy way to create workflows that run various automated checks. While our main CI system is Evergreen, we have a number of auxiliary workflows configured to run using github actions. While adding new workflows or updating existing ones, it's important that we follow [the security hardening guidelines](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) by Github. Those can change over time, so be sure to periodically review them to make sure we're not using insecure workflows. Some notable highlights to pay special attention to are:
+1. Avoid using tag or branch refs for untrusted 3rd party actions. Those can easily be recreated by malicious actors and introduce supply chain attacks. As a rule of thumb, first party actions are considered actions by MongoDB, Github, Microsoft, or the primary maintainer of a particular ecosystem - e.g. Amazon for AWS. When using a 3rd party action, always use the full git commit sha as the ref to checkout.
+2. Be extra vigilant when using user-supplied data, such as branch name or PR title in scripts as that opens up the possibility of script injection attacks. Instead, prefer to use js actions to achieve the same result or sanitize the input before using it in a script.
+3. Never commit secrets in the workflow file directly - instead use github secrets to store them securely at the repo/org level.
+4. 
Avoid using repo-level secrets that grant access to deployment/publishing resources. Instead prefer to store these as environment secrets and ensure the correct environments protections are in place.
+
## Caveats
### `hdiutil: couldn't unmount "diskn" - Resource busy` or Similar `hdiutil` Errors