Epic: Audit GHA for compliance with SUSE policies #6982

Open
5 of 8 tasks
jandubois opened this issue Jun 3, 2024 · 2 comments
Labels
component/ci Stories tied to CI for automation kind/epic Umbrella-bug for a group of related issues
jandubois (Member) commented Jun 3, 2024

Actions that need to be replaced (or their workflows disabled):

@jandubois jandubois added kind/quality quality improvements, refactoring, Automation via CI, E2E, Integration, CLI or REST API component/ci Stories tied to CI for automation labels Jun 3, 2024
@jandubois jandubois added this to the 1.15 milestone Jun 3, 2024
@jandubois jandubois self-assigned this Jun 3, 2024
jandubois (Member Author) commented Jun 3, 2024

I've used the following script to audit our use of GitHub actions. It ignores repos that have disabled all actions:

#!/usr/bin/env bash

set -o errexit -o nounset

# Portable mktemp: GNU mktemp requires X's in the template, while BSD/macOS
# mktemp accepts a bare prefix with -t; this form works with both.
tempdir=$(mktemp -d "${TMPDIR:-/tmp}/repos.XXXXXX") || exit 1
pushd "$tempdir" >/dev/null

# --paginate so repos beyond the first page of API results are not silently skipped.
for repo in $(gh api --paginate /orgs/rancher-sandbox/teams/rancher-desktop/repos --jq '.[].full_name'); do
    enabled=$(gh api "/repos/${repo}/actions/permissions" --jq '.enabled')
    if [[ $enabled == true ]]; then
        echo "$repo"
        git clone --quiet "git@github.com:${repo}"
    else
        echo "${repo} [DISABLED]"
    fi
done

# Collect every `uses:` reference (the action name before the @ref) and list
# the repos that reference it. $ARGV is the file being read; its first path
# component is the directory the repo was cloned into.
perl <(cat <<'EOF'
use v5.20;
my %action;
while (<>) {
  my($repo) = $ARGV =~ m#^(?:\./)?([^/]+)#;
  next unless /^\s*-?\s*uses:\s+([^@\n]+)/;
  $action{$1}{$repo}++;
}
for my $action (sort keys %action) {
  say "\n$action";
  say "    $_" for sort keys %{$action{$action}};
}
EOF
) ./*/.github/workflows/*

popd >/dev/null
rm -rf "${tempdir:?}"

The output right now is

$ ./gha.sh
rancher-sandbox/alpine-lima
rancher-sandbox/bats-assert [DISABLED]
rancher-sandbox/bats-core [DISABLED]
rancher-sandbox/bats-file [DISABLED]
rancher-sandbox/bats-support [DISABLED]
rancher-sandbox/boot2tcl [DISABLED]
rancher-sandbox/cri-dockerd [DISABLED]
rancher-sandbox/dashboard
rancher-sandbox/docker-machine-driver-hyperkit [DISABLED]
rancher-sandbox/docs.rancherdesktop.io
rancher-sandbox/epinio-desktop-extension
rancher-sandbox/lima [DISABLED]
rancher-sandbox/lima-and-qemu
rancher-sandbox/moproxy
rancher-sandbox/ngx_http_proxy_connect_module
rancher-sandbox/openresty-packaging
rancher-sandbox/rancher-desktop
rancher-sandbox/rancher-desktop-agent
rancher-sandbox/rancher-desktop-docker-cli
rancher-sandbox/rancher-desktop-goproxy
rancher-sandbox/rancher-desktop-host-resolver
rancher-sandbox/rancher-desktop-lima
rancher-sandbox/rancher-desktop-networking
rancher-sandbox/rancher-desktop-steve
rancher-sandbox/rancher-desktop-upgrade-responder
rancher-sandbox/rancher-desktop-wsl-distro
rancher-sandbox/rancherdesktop.io

./.github/actions/setup-environment
    rancher-desktop

./.github/workflows/paths-ignore.yaml
    rancher-desktop

actions-rs/cargo
    moproxy

actions-rs/install
    moproxy

actions/checkout
    alpine-lima
    dashboard
    docs.rancherdesktop.io
    epinio-desktop-extension
    lima-and-qemu
    moproxy
    ngx_http_proxy_connect_module
    rancher-desktop
    rancher-desktop-agent
    rancher-desktop-docker-cli
    rancher-desktop-goproxy
    rancher-desktop-host-resolver
    rancher-desktop-lima
    rancher-desktop-networking
    rancher-desktop-steve
    rancher-desktop-upgrade-responder
    rancher-desktop-wsl-distro
    rancherdesktop.io

actions/create-github-app-token
    rancher-desktop-wsl-distro

actions/deploy-pages
    docs.rancherdesktop.io
    rancherdesktop.io

actions/download-artifact
    dashboard
    lima-and-qemu
    rancher-desktop
    rancher-desktop-agent
    rancher-desktop-goproxy
    rancher-desktop-lima
    rancher-desktop-networking
    rancher-desktop-wsl-distro

actions/setup-go
    lima-and-qemu
    rancher-desktop
    rancher-desktop-agent
    rancher-desktop-goproxy
    rancher-desktop-host-resolver
    rancher-desktop-lima
    rancher-desktop-networking
    rancher-desktop-steve
    rancher-desktop-upgrade-responder

actions/setup-node
    dashboard
    docs.rancherdesktop.io
    epinio-desktop-extension
    rancher-desktop
    rancherdesktop.io

actions/setup-python
    rancher-desktop

actions/upload-artifact
    dashboard
    lima-and-qemu
    rancher-desktop
    rancher-desktop-agent
    rancher-desktop-docker-cli
    rancher-desktop-goproxy
    rancher-desktop-lima
    rancher-desktop-networking
    rancher-desktop-steve
    rancher-desktop-wsl-distro

actions/upload-pages-artifact
    docs.rancherdesktop.io
    rancherdesktop.io

check-spelling/check-spelling
    rancher-desktop

codecov/codecov-action
    dashboard

docker/bake-action
    rancher-desktop-docker-cli

docker/build-push-action
    epinio-desktop-extension
    rancher-desktop
    rancher-desktop-upgrade-responder

docker/login-action
    epinio-desktop-extension
    rancher-desktop
    rancher-desktop-upgrade-responder

docker/metadata-action
    rancher-desktop

docker/setup-buildx-action
    epinio-desktop-extension
    rancher-desktop
    rancher-desktop-docker-cli

docker/setup-qemu-action
    epinio-desktop-extension
    rancher-desktop

golangci/golangci-lint-action
    rancher-desktop
    rancher-desktop-agent
    rancher-desktop-host-resolver
    rancher-desktop-networking

ncipollo/release-action
    moproxy

peaceiris/actions-gh-pages
    dashboard

prewk/s3-cp-action
    rancher-desktop

rancher-eio/read-vault-secrets
    rancher-desktop-wsl-distro

svenstaro/upload-release-action
    rancher-desktop-steve

updatecli/updatecli-action
    epinio-desktop-extension

wangyoucao577/go-release-action
    rancher-desktop-host-resolver
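The Perl step above only groups actions by name and drops everything after the `@`. When auditing third-party actions the ref is the part that matters: a full 40-hex commit SHA is immutable, while a tag or branch can be moved by the action's owner. The following is an added example, not code from the issue or from the Rancher Desktop project, that performs the same grouping over workflow text and additionally classifies each reference (local action, `docker://` image, SHA-pinned or mutable remote ref) and flags owners outside an allowlist. The owner allowlist (`actions`, `docker`, `github`) is a hypothetical stand-in, since the page does not state what the SUSE policy permits; the sample workflow files and the 40-hex SHA in them are constructed for the example, not taken from any real repository. It also catches job-level `uses:` (reusable workflows), which the same regex matches.

```python
"""Audit `uses:` references in GitHub Actions workflow files (added example)."""
import re
from collections import defaultdict

# Full-length commit SHA: the only ref form that cannot be moved after the fact.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Step-level "- uses: x" / "uses: x" and job-level "uses: x"; optional quotes,
# value ends at whitespace or a trailing "# comment".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')

# Hypothetical allowlist of action owners (assumption; not SUSE policy).
ALLOWED_OWNERS = frozenset({"actions", "docker", "github"})

# Constructed sample workflows keyed by "<repo>/.github/workflows/<file>".
SAMPLE_WORKFLOWS = {
    "rancher-desktop/.github/workflows/build.yaml": """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: ./.github/actions/setup-environment
      - name: Upload
        uses: "prewk/s3-cp-action@v2"
""",
    "moproxy/.github/workflows/release.yml": """\
on: push
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-rs/cargo@v1
      - uses: ncipollo/release-action@main
      - uses: docker://alpine:3.19
""",
}


def repo_of(path: str) -> str:
    """First path component, the same rule the Perl script applies to $ARGV."""
    return re.match(r"^(?:\./)?([^/]+)", path).group(1)


def uses_refs(text: str):
    """Yield every raw `uses:` value found in a workflow file."""
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            yield m.group(1)


def classify(ref: str, allowed_owners=ALLOWED_OWNERS) -> dict:
    """Split a `uses:` value into action name + ref and list policy issues."""
    if ref.startswith("./"):
        # Local action: code lives in the same repo, pinned by the checkout itself.
        return {"action": ref, "ref": None, "kind": "local", "issues": []}
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        issues = [] if "@sha256:" in image else ["docker image not pinned by digest"]
        return {"action": ref, "ref": None, "kind": "docker", "issues": issues}
    action, _, version = ref.partition("@")
    owner = action.split("/", 1)[0]
    issues = []
    if owner not in allowed_owners:
        issues.append(f"owner '{owner}' not in allowlist")
    if not version:
        issues.append("no @ref given")
    elif not SHA_RE.match(version):
        issues.append(f"mutable ref '{version}' (not a full commit SHA)")
    return {"action": action, "ref": version or None, "kind": "remote", "issues": issues}


def audit(workflows: dict, allowed_owners=ALLOWED_OWNERS) -> dict:
    """Map action name -> {'repos': set, 'issues': set}, like the Perl output."""
    findings = defaultdict(lambda: {"repos": set(), "issues": set()})
    for path, text in workflows.items():
        repo = repo_of(path)
        for ref in uses_refs(text):
            c = classify(ref, allowed_owners)
            findings[c["action"]]["repos"].add(repo)
            findings[c["action"]]["issues"].update(c["issues"])
    return dict(findings)


def report(findings: dict) -> str:
    """Render findings in the same shape as the script's output, plus issue lines."""
    lines = []
    for action in sorted(findings):
        lines.append(action)
        lines.extend(f"    {repo}" for repo in sorted(findings[action]["repos"]))
        lines.extend(f"    !! {issue}" for issue in sorted(findings[action]["issues"]))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_WORKFLOWS)))
```

To run it against cloned repos instead of the constructed samples, build the `workflows` dict by reading each `*/.github/workflows/*` file relative to the temp directory; the keys then yield the repo name exactly as the Perl `$ARGV` match does. Note that a SHA pin only helps if the SHA was taken from a reviewed tag; the check here establishes immutability, not provenance.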

jandubois (Member Author) commented
After checking against the current policy, I believe the following actions are problematic:

actions-rs/cargo
    moproxy

actions-rs/install
    moproxy

check-spelling/check-spelling
    rancher-desktop

ncipollo/release-action
    moproxy

peaceiris/actions-gh-pages
    dashboard

prewk/s3-cp-action
    rancher-desktop

svenstaro/upload-release-action
    rancher-desktop-steve

wangyoucao577/go-release-action
    rancher-desktop-host-resolver

@jandubois jandubois added kind/epic Umbrella-bug for a group of related issues and removed kind/quality quality improvements, refactoring, Automation via CI, E2E, Integration, CLI or REST API labels Jun 11, 2024
@jandubois jandubois changed the title Audit GHA for compliance with SUSE policies Epic: Audit GHA for compliance with SUSE policies Jun 11, 2024
@jandubois jandubois removed their assignment Jun 11, 2024