Skip to content
Draft
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 34 additions & 7 deletions .github/workflows/e2e-ginkgo.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,13 @@
contents: read
pull-requests: read

# Release validation runs post-build via workflow_run on the "Release" builder
# completing (DEVOPS-1050). On that path detect_changes is skipped, the suite
# runs against the built tag, and the label filter falls back to the default.
on:
release:
types: [created]
workflow_run:
workflows: ["Release"]
types: [completed]
workflow_dispatch:
inputs:
ginkgo-label:
Expand Down Expand Up @@ -44,7 +48,8 @@
jobs:
parse_label-filter:
name: Parse label filter and check if tests should run
if: github.repository_owner == 'loft-sh' # do not run on forks
# do not run on forks; on the release path only for a green build
if: github.repository_owner == 'loft-sh' && (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success')
runs-on: ubuntu-22.04

outputs:
Expand Down Expand Up @@ -97,6 +102,9 @@
echo "parsed-label-filter=${PARSED_LABEL_FILTER}" >> "$GITHUB_OUTPUT"

detect_changes:
# PR-only: the release (workflow_run) path always validates and bypasses
# change detection; entry jobs break skip-propagation with !cancelled().
if: github.event_name == 'pull_request'
needs: [parse_label-filter]
uses: loft-sh/github-actions/.github/workflows/detect-changes.yaml@detect-changes/v1
with:
Expand All @@ -115,13 +123,20 @@

build:
runs-on: ubuntu-latest
if: github.repository_owner == 'loft-sh' && needs.detect_changes.outputs.has_changed == 'true'
if: >-
!cancelled() && github.repository_owner == 'loft-sh' &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
github.event_name == 'workflow_dispatch'
)
needs: detect_changes
steps:
- name: Checkout repository
uses: actions/checkout@v5
with:
fetch-depth: 0
ref: ${{ github.event.workflow_run.head_branch || github.ref }}

- run: git fetch --force --tags

Expand Down Expand Up @@ -163,7 +178,13 @@

download-latest-cli:
needs: detect_changes
if: needs.detect_changes.outputs.has_changed == 'true'
if: >-
!cancelled() &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
github.event_name == 'workflow_dispatch'
)
name: Download the latest vCluster cli
runs-on: ubuntu-latest
steps:
Expand All @@ -183,20 +204,26 @@
- build
- parse_label-filter
- detect_changes
if: >
if: >-
!cancelled() && needs.build.result == 'success' &&
needs.parse_label-filter.outputs.skip-edited != 'true' &&
needs.detect_changes.outputs.has_changed == 'true'
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
github.event_name == 'workflow_dispatch'
)
runs-on: large-8_32
permissions:
id-token: write # needed for OIDC → AWS
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v5
with:
fetch-depth: 0
ref: ${{ github.event.workflow_run.head_branch || github.ref }}

- run: git fetch --force --tags

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).

- name: Set up Go
uses: actions/setup-go@v6
Expand Down
70 changes: 62 additions & 8 deletions .github/workflows/e2e.yaml
Original file line number Diff line number Diff line change
@@ -1,8 +1,14 @@
name: E2E CI

# Release validation runs post-build via workflow_run on the "Release" builder
# completing (DEVOPS-1050): a release created by the builder inside Actions does
# not emit release:created, so validators keyed on it would silently never run.
# On the workflow_run path detect_changes is skipped and the suite runs against
# the built tag (github.event.workflow_run.head_branch).
on:
release:
types: [created]
workflow_run:
workflows: ["Release"]
types: [completed]
pull_request:
branches:
- main
Expand All @@ -22,31 +28,41 @@

jobs:
detect_changes:
# PR-only: the release (workflow_run) path always validates, so it bypasses
# change detection. Entry jobs break the skip-propagation with !cancelled().
if: github.event_name == 'pull_request'
uses: loft-sh/github-actions/.github/workflows/detect-changes.yaml@v1
with:
paths: |
- "go.mod"
- "go.sum"
- "**.go"
- "!**_test.go" # exclude test files to ignore unit test changes
- "test/**" # include test files in e2e again
- "!e2e-next/**" # exclude e2e-next tests
- "!**.md"
- "Dockerfile.release"
- ".github/workflows/e2e.yaml"
- "chart/**"
- "manifests/**"

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
build:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
runs-on: ubuntu-latest
if: github.repository_owner == 'loft-sh' && needs.detect_changes.outputs.has_changed == 'true'
if: >-
!cancelled() && github.repository_owner == 'loft-sh' &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
github.event_name == 'workflow_dispatch'
)
needs: detect_changes
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
fetch-depth: 0
ref: ${{ github.event.workflow_run.head_branch || github.ref }}

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context High

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
- run: git fetch --force --tags

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context High

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).

- name: Set up Go
uses: actions/setup-go@v6
Expand Down Expand Up @@ -87,12 +103,20 @@

get-testsuites-dir:
needs: detect_changes
if: needs.detect_changes.outputs.has_changed == 'true'
if: >-
!cancelled() &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
github.event_name == 'workflow_dispatch'
)
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
ref: ${{ github.event.workflow_run.head_branch || github.ref }}

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context High

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
- id: set-paths-matrix

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context High

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
run: |
set -x
sudo apt-get install -y jq
Expand All @@ -106,13 +130,21 @@
needs:
- build
- detect_changes
if: needs.detect_changes.outputs.has_changed == 'true'
if: >-
!cancelled() && needs.build.result == 'success' &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
github.event_name == 'workflow_dispatch'
)
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
ref: ${{ github.event.workflow_run.head_branch || github.ref }}

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
- uses: azure/setup-helm@v4

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
name: Setup Helm
with:
version: "v3.11.0"
Expand Down Expand Up @@ -146,24 +178,30 @@
name: vcluster_syncer

- name: Setup environment
run: |
docker load -i vcluster_syncer
docker save "${{ env.REPOSITORY_NAME }}:${{ env.TAG_NAME }}" | docker exec -i vcluster.cp.vind ctr -n k8s.io images import -
chmod +x vcluster && sudo mv vcluster /usr/bin

- name: Run tests - install and delete virtual cluster using kubectl

Check failure

Code scanning / CodeQL

Cache Poisoning via execution of untrusted code High

Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. (
workflow_run
).
run: |
set -x
./hack/vcluster-install-scripts/test-kubectl-install.sh

- name: Run tests - install and delete virtual cluster using helm

Check failure

Code scanning / CodeQL

Cache Poisoning via execution of untrusted code High

Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. (
workflow_run
).

Check failure

Code scanning / CodeQL

Cache Poisoning via execution of untrusted code High

Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. (
workflow_run
).
run: |
set -x
./hack/vcluster-install-scripts/test-helm-install.sh

download-latest-cli:

Check failure

Code scanning / CodeQL

Cache Poisoning via execution of untrusted code High

Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. (
workflow_run
).
needs: detect_changes
if: needs.detect_changes.outputs.has_changed == 'true'
if: >-
!cancelled() &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
github.event_name == 'workflow_dispatch'
)
name: Download the latest vCluster cli
runs-on: ubuntu-latest
steps:
Expand All @@ -183,17 +221,25 @@
- build
- download-latest-cli
- detect_changes
if: needs.detect_changes.outputs.has_changed == 'true'
if: >-
!cancelled() && needs.build.result == 'success' && needs.download-latest-cli.result == 'success' &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
github.event_name == 'workflow_dispatch'
)
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
distribution: ["k8s"]
steps:
- name: Checkout repository

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
uses: actions/checkout@v6
with:
ref: ${{ github.event.workflow_run.head_branch || github.ref }}

- uses: azure/setup-helm@v4

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
name: Setup Helm
with:
version: "v3.11.0"
Expand Down Expand Up @@ -227,58 +273,64 @@

- name: Download current cli
uses: actions/download-artifact@v7
with:
name: vcluster-current

- name: Download syncer image
uses: actions/download-artifact@v7
with:
name: vcluster_syncer

- name: Install yq@v4
run: go install github.com/mikefarah/yq/v4@latest

- name: create vcluster with current cli
run: |
chmod +x ./vcluster-current

docker load --input vcluster_syncer
docker save "${{ env.REPOSITORY_NAME }}:${{ env.TAG_NAME }}" | docker exec -i vcluster.cp.vind ctr -n k8s.io images import -

Check failure

Code scanning / CodeQL

Cache Poisoning via execution of untrusted code High

Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. (
workflow_run
).
yq eval '.controlPlane.distro.${{ matrix.distribution }}.enabled = true' > ./test/vcluster-current.yaml

./vcluster-current create ${{ env.VCLUSTER_SUFFIX }} -n ${{ env.VCLUSTER_NAMESPACE }} \
--create-namespace \
--debug \
--connect=false \
-f ./test/vcluster-current.yaml

./hack/wait-for-pod.sh -l app=${{ env.VCLUSTER_SUFFIX }} -n ${{ env.VCLUSTER_NAMESPACE }}

- name: upgrade with the dev cli

Check failure

Code scanning / CodeQL

Cache Poisoning via execution of untrusted code High

Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. (
workflow_run
).
run: |
chmod +x ./vcluster-dev/vcluster
set -x

sed -i "s|REPLACE_REPOSITORY_NAME|${{ env.REPOSITORY_NAME }}|g" test/commonValues.yaml
sed -i "s|REPLACE_TAG_NAME|${{ env.TAG_NAME }}|g" test/commonValues.yaml

Check failure

Code scanning / CodeQL

Cache Poisoning via execution of untrusted code High

Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. (
workflow_run
).
sed -i "s|kind-control-plane|${{ steps.cluster-info.outputs.HOST_NODE_NAME }}|g" test/commonValues.yaml
yq eval -i '.controlPlane.distro.${{ matrix.distribution }}.enabled = true' test/commonValues.yaml

./vcluster-dev/vcluster create vcluster \
--connect=false \
--upgrade \
--local-chart-dir ./chart \
-f ./test/commonValues.yaml

./hack/wait-for-pod.sh -l app=${{ env.VCLUSTER_SUFFIX }} -n ${{ env.VCLUSTER_NAMESPACE }}

e2e-tests:

Check failure

Code scanning / CodeQL

Cache Poisoning via execution of untrusted code High

Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. (
workflow_run
).
name: Execute test suites
needs:
- build
- get-testsuites-dir
- detect_changes
if: needs.detect_changes.outputs.has_changed == 'true'
if: >-
!cancelled() && needs.build.result == 'success' && needs.get-testsuites-dir.result == 'success' &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
github.event_name == 'workflow_dispatch'
)
runs-on: ubuntu-latest
permissions:
id-token: write # needed for OIDC → AWS
Expand All @@ -290,17 +342,19 @@
test-suite-path: ${{fromJson(needs.get-testsuites-dir.outputs.matrix)}}
ha: ["false", "true"]
include:
- distribution: "k8s"
ha: "true"
test-suite-path: "./test/e2e"
exclude:
- ha: "true"

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
ref: ${{ github.event.workflow_run.head_branch || github.ref }}

- name: Set up Go

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
uses: actions/setup-go@v6
with:
go-version-file: go.mod
Expand Down
21 changes: 15 additions & 6 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
@@ -1,20 +1,26 @@
name: Release

# Builder for the vCluster release pipeline (DEVOPS-1050). The GitHub Release is
# a pipeline OUTPUT, not a trigger: goreleaser creates it at the end of a green
# build. This workflow is dispatched by the loft-sh/github-actions
# vcluster-release action via `gh workflow run release.yaml --ref <tag>`, so
# github.ref is refs/tags/<version> and github.ref_name is the version. It no
# longer triggers on release:created, so a monorepo-created OSS release can never
# re-trigger this builder.
on:
release:
types: [created]
workflow_dispatch:

jobs:
check_minimum_version_tag:
if: github.repository_owner == 'loft-sh'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
if: ${{ !contains(github.event.release.tag_name, '-') }}
if: ${{ !contains(github.ref_name, '-') }}
with:
ref: ${{ github.event.release.tag_name }}
ref: ${{ github.ref_name }}
- name: Validate MinimumVersionTag is stable
if: ${{ !contains(github.event.release.tag_name, '-') }}
if: ${{ !contains(github.ref_name, '-') }}
run: |
MINIMUM_VERSION_TAG=$(grep -oP 'MinimumVersionTag\s*=\s*"\Kv[^"]+' pkg/platform/version.go)
if [[ ! "$MINIMUM_VERSION_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
Expand Down Expand Up @@ -76,7 +82,10 @@ jobs:
run: |
RELEASE_VERSION=$(echo "$GITHUB_REF" | sed -nE 's!refs/tags/!!p')
echo "release_version=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"
echo "previous_tag=$(git describe --abbrev=0 --tags "$(git rev-list --tags --skip=1 --max-count=1)")" >> "$GITHUB_OUTPUT"
# Branch-local previous tag: the tag reachable from this commit's
# parent on THIS branch, not the global latest tag (which would be
# wrong on a release branch). See DEVOPS-1050.
echo "previous_tag=$(git describe --tags --abbrev=0 --match 'v*' "${GITHUB_SHA}^" 2>/dev/null || true)" >> "$GITHUB_OUTPUT"
- name: Validate semver
id: semver
uses: loft-sh/github-actions/.github/actions/semver-validation@semver-validation/v1
Expand Down
18 changes: 14 additions & 4 deletions .github/workflows/unit-tests.yaml
Original file line number Diff line number Diff line change
@@ -1,8 +1,12 @@
name: Unit tests

# Runs on PRs and, post-build, when the "Release" builder completes (DEVOPS-1050:
# release:created does not fire for builder-created releases). On the workflow_run
# path the jobs run only for a green build and check out the built tag.
on:
release:
types: [created]
workflow_run:
workflows: ["Release"]
types: [completed]
pull_request:
branches:
- main
Expand All @@ -23,12 +27,15 @@
jobs:
helm-unit-tests:
name: Execute all helm tests
if: github.repository_owner == 'loft-sh' # do not run on forks
# do not run on forks; on the release path only for a green build
if: github.repository_owner == 'loft-sh' && (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success')
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
with:
ref: ${{ github.event.workflow_run.head_branch || github.ref }}
- name: Install Helm Unit Test Plugin

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context High

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
run: |
helm plugin install https://github.com/helm-unittest/helm-unittest --version v0.4.4
- name: Run Helm Unit Tests
Expand All @@ -37,15 +44,18 @@

go-unit-test:
name: Execute all go tests
if: github.repository_owner == 'loft-sh' # do not run on forks
# do not run on forks; on the release path only for a green build
if: github.repository_owner == 'loft-sh' && (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success')
runs-on: ubuntu-22.04
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v6
with:
ref: ${{ github.event.workflow_run.head_branch || github.ref }}
- name: Set up Go

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
workflow_run
).
uses: actions/setup-go@v6
with:
go-version-file: go.mod
cache: false
- name: Execute unit tests
run: ./hack/test.sh

Check failure

Code scanning / CodeQL

Cache Poisoning via execution of untrusted code High

Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. (
workflow_run
).
Loading