Closed
18 changes: 18 additions & 0 deletions .github/workflows/build.yaml
@@ -0,0 +1,18 @@
name: Build

permissions:
contents: read

on:
push:
branches:
- main
pull_request:

jobs:
build:
if: ${{ github.actor != 'dependabot[bot]' }}
name: Build
uses: ./.github/workflows/reusable-build.yaml
with:
ref: ${{ github.head_ref }}
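Review bot: `ref: ${{ github.head_ref }}` is only populated for `pull_request` events, so on the `push` to `main` trigger the required `ref` input is passed through as an empty string, and for a pull request opened from a fork it names a branch that does not exist in this repository, which `actions/checkout` cannot fetch. Since the called workflow only uses the input for checkout, consider passing `${{ github.event.pull_request.head.sha || github.sha }}` instead, or dropping the input and letting checkout default to the triggering commit. The root-level `permissions: contents: read` is right; it also caps the GITHUB_TOKEN handed to reusable-build.yaml, since a called workflow can only narrow, never widen, what the caller grants. Note that the `github.actor != 'dependabot[bot]'` guard means Dependabot pull requests get no build, lint or test run from this workflow at all.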
30 changes: 0 additions & 30 deletions .github/workflows/lint.yml

This file was deleted.

105 changes: 105 additions & 0 deletions .github/workflows/reusable-build.yaml
@@ -0,0 +1,105 @@
name: Build

on:
workflow_call:
inputs:
ref:
required: true
type: string

jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
ref: ${{ inputs.ref }}

- name: Setup Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
with:
go-version: 1.24.x

- name: Build
run: make build

lint:
Comment on lines +12 to +28

Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 23 days ago)

To fix this problem, we should add a permissions block to the workflow file. The safest and simplest way is to apply the permissions block at the workflow root, which sets the minimal permissions for all jobs unless overridden per job. Since none of the jobs require write access to repository contents or other resources, the recommended minimal permissions are contents: read. This restricts GITHUB_TOKEN to only read repository contents, which suffices for actions like actions/checkout and is in line with least privilege. The change should be made right after the name: and on: blocks, before the jobs: block. No further changes, methods, or imports are needed beyond this YAML addition.

Suggested changeset 1: .github/workflows/reusable-build.yaml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml
--- a/.github/workflows/reusable-build.yaml
+++ b/.github/workflows/reusable-build.yaml
@@ -1,5 +1,8 @@
 name: Build
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
EOF
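Review bot: this root-level block is the one to apply; the three other Autofix suggestions on this file (two more at the root, one on the pre-commit job) address the same alert on the same file, and applying a second root-level patch on top of this one would leave two `permissions` keys at the top level, which the workflow parser rejects as a duplicate mapping key. Because this is a `workflow_call` workflow, the token it receives is already bounded by the caller's `permissions: contents: read` in build.yaml; the explicit block here still matters for any other caller and is what clears the CodeQL finding.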
name: Lint
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
fetch-depth: 0
ref: ${{ inputs.ref }}

- name: Setup Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
with:
go-version: 1.24.x
cache: false

- run: make envoy
- run: make pomerium-ui

- name: Run golangci-lint
uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84
with:
version: v1.64.8
args: --timeout=10m

pre-commit:
Comment on lines +29 to +53

Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 23 days ago)

To fix the issue, add a permissions block to the workflow file to explicitly restrict the GITHUB_TOKEN. The minimal secure default is permissions: contents: read either at the workflow root (applies to all jobs unless overridden) or for each job as needed. Since none of these jobs appear to need write permissions (they only check out code, build, lint, and run tests), setting the root-level permissions is sufficient and robust. The change should be made at the top level, after the name: and before on:, to ensure all jobs inherit the least privilege possible.

No method changes or additional imports are required, just the addition of a new YAML key.

Suggested changeset 1: .github/workflows/reusable-build.yaml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml
--- a/.github/workflows/reusable-build.yaml
+++ b/.github/workflows/reusable-build.yaml
@@ -1,4 +1,6 @@
 name: Build
+permissions:
+  contents: read
 
 on:
   workflow_call:
EOF
name: Pre-Commit
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
fetch-depth: 0
ref: ${{ inputs.ref }}

- name: Setup Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
with:
go-version: 1.24.x

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
with:
python-version: "3.x"

- name: Install Kustomize
run: make kustomize

- name: Pre-Commit
uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd
with:
extra_args: --show-diff-on-failure --from-ref ${{
github.event.pull_request.base.sha }} --to-ref ${{
github.event.pull_request.head.sha }}
env:
SKIP: go-mod-tidy,lint

test:
Comment on lines +54 to +85

Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 23 days ago)

The best way to fix the problem is to explicitly add a permissions block to restrict the default permissions of the GITHUB_TOKEN for the affected job(s). In this case, we should add permissions: { contents: read } to the pre-commit job in the reusable-build.yaml workflow (directly beneath the name / runs-on keys for that job). This ensures the job only has read access to repository contents, which is sufficient for checkout and running pre-commit checks. No code needs to be changed elsewhere and functionality will not be affected since none of the steps write to the repository or require elevated privileges.

Suggested changeset 1: .github/workflows/reusable-build.yaml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml
--- a/.github/workflows/reusable-build.yaml
+++ b/.github/workflows/reusable-build.yaml
@@ -53,6 +53,8 @@
   pre-commit:
     name: Pre-Commit
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
EOF
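Review bot: this variant scopes the block to the `pre-commit` job only; the `build`, `lint` and `test` jobs in the same file would still run with the repository's default GITHUB_TOKEN permissions, so the root-level form suggested on the other three alerts is the better single fix. Do not apply both: once a root-level `contents: read` exists, this job-level block is redundant.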
name: Test
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
fetch-depth: 0
ref: ${{ inputs.ref }}

- name: Setup Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
with:
go-version: 1.24.x

- name: set env vars
run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH

- name: Test
if: runner.os == 'Linux'
run: make test
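Review bot: the `Pre-Commit` step in the `pre-commit` job (`--from-ref ${{ github.event.pull_request.base.sha }} --to-ref ${{ github.event.pull_request.head.sha }}`) assumes a pull_request payload, but the caller also runs this workflow on push to `main`, where both expressions expand to nothing and the step runs `--from-ref --to-ref` with no values, so it will fail. Guard the step with `if: github.event_name == 'pull_request'`, or fall back to `github.event.before`/`github.sha` for pushes. Separately, none of the four jobs declares `permissions`, which is what CodeQL is flagging four times; one root-level `permissions: contents: read` block clears all of them. Two style points: `if: runner.os == 'Linux'` on the Test step is always true on `ubuntu-latest` and looks like a leftover from a matrix; and the actions are pinned by commit SHA (good) but carry no `# vX.Y.Z` comment, the convention Dependabot maintains next to SHA pins so reviewers can see which release a pin corresponds to.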
Comment on lines +86 to +105

Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 23 days ago)

To fix the problem, add an explicit permissions block at the root of the workflow YAML file. Specify contents: read as the minimal required permission for these jobs, since none of them appear to need write access or elevated privileges. This change should be made at the top level of .github/workflows/reusable-build.yaml, ideally just after the name: and before the on: block, to set the default for all jobs. No changes to existing functionality or step logic are needed, and no imports or external references are required.

Suggested changeset 1: .github/workflows/reusable-build.yaml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml
--- a/.github/workflows/reusable-build.yaml
+++ b/.github/workflows/reusable-build.yaml
@@ -1,4 +1,6 @@
 name: Build
+permissions:
+  contents: read
 
 on:
   workflow_call:
EOF
62 changes: 0 additions & 62 deletions .github/workflows/test.yaml

This file was deleted.

5 changes: 4 additions & 1 deletion Makefile
@@ -82,7 +82,7 @@ test: envoy generated pomerium-ui
.PHONY: lint
lint: envoy pomerium-ui
@echo "==> $@"
@VERSION=$$(go run github.com/mikefarah/yq/[email protected] '.jobs.lint.steps[] | select(.uses == "golangci/golangci-lint-action*") | .with.version' .github/workflows/lint.yml) && \
@VERSION=$$(go run github.com/mikefarah/yq/[email protected] '.jobs.lint.steps[] | select(.uses == "golangci/golangci-lint-action*") | .with.version' .github/workflows/reusable-build.yaml) && \
go run github.com/golangci/golangci-lint/cmd/golangci-lint@$$VERSION run --fix ./...

##@ Build
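Review bot: the `lint` target now reads the version out of `.jobs.lint.steps[]` in reusable-build.yaml, which matches the moved job, but `VERSION` is still unchecked: if the job is renamed or the action's `with.version` is dropped, the second command runs `golangci-lint@` with an empty version and fails with an unhelpful error. Consider adding `test -n "$$VERSION" || { echo "golangci-lint version not found in workflow"; exit 1; }` between the two commands. The `.uses == "golangci/golangci-lint-action*"` match is a wildcard, so it still works with the SHA-pinned `uses` in the workflow.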
@@ -212,6 +212,9 @@ docs: generated
@echo "==> $@"
@go run docs/cmd/main.go > reference.md

.PHONY: generate
generate: deployment docs

#
# --- internal development targets
#
2 changes: 1 addition & 1 deletion docs/cmd/main.go
@@ -41,7 +41,7 @@ func generateMarkdown(w io.Writer) error {
return fmt.Errorf("parsing %s: %w", key, err)
}

fmt.Fprintf(w, "## %s\n", strcase.ToCamel(key))
fmt.Fprintf(w, "\n## %s\n", strcase.ToCamel(key))
if err := tmpl.ExecuteTemplate(w, "object", objects[key]); err != nil {
return fmt.Errorf("exec template: %w", err)
}
3 changes: 2 additions & 1 deletion docs/templates/header.tmpl
@@ -1,4 +1,5 @@
{{define "header"}}---
{{define "header" -}}
---
title: Kubernetes Deployment Reference
sidebar_label: Reference
description: Reference for Pomerium settings in Kubernetes deployments.
32 changes: 19 additions & 13 deletions docs/templates/object-properties.tmpl
@@ -1,38 +1,44 @@
{{define "object-properties"}}{{if .}}
{{- define "object-properties"}}
{{- if .}}
<table>
<thead>
</thead>
<tbody>
{{range .}}
{{- range .}}
<tr>
<td>
<p>
<code>{{.ID}}</code>&#160;&#160;
{{if .ObjectRef}}
{{- if .ObjectRef}}
<strong>object</strong>&#160;
(<a href="#{{.ObjectRef | anchor}}">{{.ObjectRef}}</a>)
{{else if and .Atomic .Atomic.ExplainFormat}}
{{- else if and .Atomic .Atomic.ExplainFormat}}
<strong>{{.Atomic.Type}}</strong>&#160;
({{.Atomic.Format}})
{{else if .Atomic}}
{{- else if .Atomic}}
<strong>{{.Atomic.Type}}</strong>&#160;
{{else if .Map.Atomic}}
{{- else if .Map.Atomic}}
<strong>map[string]{{.Map.Atomic.Type}}</strong>
{{else if .Map.ObjectRef}}
{{- else if .Map.ObjectRef}}
<strong>map[string]</strong>
<a href="#{{.Map.ObjectRef | anchor}}">{{.Map.ObjectRef}}</a>
{{end}}
{{- end}}
</p>
<p>
{{if .Required}}<strong>Required.</strong>&#160;{{end}}
{{- if .Required}}
<strong>Required.</strong>&#160;
{{- end}}
{{- if .Description}}
{{.Description}}
{{- end}}
</p>
{{if and .Atomic .Atomic.ExplainFormat}}
{{- if and .Atomic .Atomic.ExplainFormat}}
Format: {{.Atomic.ExplainFormat}}
{{end}}
{{- end}}
</td>
</tr>
{{end}}
{{- end}}
</tbody>
</table>
{{end}}{{end}}
{{- end}}
{{- end}}
2 changes: 1 addition & 1 deletion docs/templates/object.tmpl
@@ -1,4 +1,4 @@
{{define "object"}}
{{.Description}}
{{template "object-properties" .Properties}}
{{end}}
{{- end}}
4 changes: 2 additions & 2 deletions docs/templates/objects.tmpl
@@ -1,6 +1,6 @@
{{define "objects"}}
{{- define "objects" }}
{{range .}}
### `{{.ID}}`
{{template "object" .}}
{{end}}
{{end}}
{{- end}}
1 change: 1 addition & 0 deletions go.mod
@@ -16,6 +16,7 @@ require (
github.com/iancoleman/strcase v0.3.0
github.com/martinlindhe/base36 v1.1.1
github.com/open-policy-agent/opa v1.9.0
github.com/pomerium/csrf v1.7.0
github.com/pomerium/pomerium v0.28.1-0.20251010012545-df8c257314b1
github.com/rs/zerolog v1.34.0
github.com/sergi/go-diff v1.4.0
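Review bot: `github.com/pomerium/csrf v1.7.0` is added as a direct requirement (no `// indirect` marker), but no Go file in this PR imports it. If nothing in the module imports it, `go mod tidy` will drop it or demote it to indirect, and the pre-commit job skips that check (`SKIP: go-mod-tidy,lint`), so CI would not catch the drift. Either include the code that uses it or let tidy mark it indirect. The matching go.sum entries (csrf v1.7.0 and the extra `gorilla/securecookie v1.1.1/go.mod` line) are consistent with that dependency being pulled in.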
3 changes: 3 additions & 0 deletions go.sum
@@ -465,6 +465,7 @@ github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81
github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
@@ -689,6 +690,8 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pomerium/csrf v1.7.0 h1:Qp4t6oyEod3svQtKfJZs589mdUTWKVf7q0PgCKYCshY=
github.com/pomerium/csrf v1.7.0/go.mod h1:hAPZV47mEj2T9xFs+ysbum4l7SF1IdrryYaY6PdoIqw=
github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524 h1:3YQY1sb54tEEbr0L73rjHkpLB0IB6qh3zl1+XQbMLis=
github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524/go.mod h1:7fGbUYJnU8RcxZJvUvhukOIBv1G7LWDAHMfDxAf5+Y0=
github.com/pomerium/envoy-custom v1.35.3-rc3 h1:9K4+Wc5bGbFfqTi+hB1zYj3fRUVokEXg8KjZWuUVtes=