[Snyk] Fix for 1 vulnerabilities #69
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## IMPORTANT NOTE TO EDITORS OF THIS FILE ## | |
## Note that when you create a PR the jobs in this file are triggered off the | |
## `pull_request_target` event instead of `pull_request` event. This is because | |
## the `pull_request` event makes secrets only available to PRs from branches, | |
## not from forks, and some of these jobs require secrets. So with `pull_request_target` | |
## we're making secrets available to fork-based PRs too. Using `pull_request_target" | |
## has a side effect, which is that the workflow execution will be driven by the | |
## state of the <workflow>.yaml on the `main` (=target) branch, even if you edited | |
## the <workflow>.yaml in your PR. So when you for example add a new job here, you | |
## won't see that job appear in the PR itself. It will only become effective once | |
## you merge the PR to main. Therefore, if you want to add a new job here and want | |
## to test it's functionality prior to a merge to main, you have to to _temporarily_ | |
## change the trigger event from `pull_request_target` to `pull_request`. | |
## Additionally, because `pull_request_target` gets secrets injected for forked PRs | |
## we use `https://github.com/sushichop/action-repository-permission` to ensure these | |
## jobs are only executed when a repo member with "write" permission has triggered | |
## the workflow (directly through a push or indirectly by applying a label or enabling | |
## auto_merge). | |
name: "Build+Test Docker Images" | |
on: # build on main branch OR when a PR is labeled with `CICD:build-images` | |
# Allow us to run this specific workflow without a PR | |
workflow_dispatch: | |
pull_request_target: | |
types: [labeled, opened, synchronize, reopened, auto_merge_enabled] | |
# For PR that modify .github, run from that PR | |
# This will fail to get secrets if you are not from aptos | |
pull_request: | |
types: [labeled, opened, synchronize, reopened, auto_merge_enabled] | |
paths: | |
- ".github/workflows/docker-build-test.yaml" | |
- ".github/workflows/run-forge.yaml" | |
- ".github/workflows/docker-rust-build.yaml" | |
- ".github/workflows/sdk-release.yaml" | |
push: | |
branches: | |
- main | |
- auto | |
- canary | |
- chaotic | |
- devnet | |
- testnet | |
- mainnet | |
# cancel redundant builds | |
concurrency: | |
# for push and workflow_dispatch events we use `github.sha` in the concurrency group and don't really cancel each other out/limit concurrency | |
# for pull_request events newer jobs cancel earlier jobs to save on CI etc. | |
group: ${{ github.workflow }}-${{ github.event_name }}-${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.sha || github.head_ref || github.ref }} | |
cancel-in-progress: true | |
env: | |
GCP_DOCKER_ARTIFACT_REPO: ${{ secrets.GCP_DOCKER_ARTIFACT_REPO }} | |
AWS_ECR_ACCOUNT_NUM: ${{ secrets.ENV_ECR_AWS_ACCOUNT_NUM }} | |
# In case of pull_request events by default github actions merges main into the PR branch and then runs the tests etc | |
# on the prospective merge result instead of only on the tip of the PR. | |
# For more info also see https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit | |
GIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }} | |
# TARGET_CACHE_ID is used as part of the docker tag / cache key inside our bake.hcl docker bake files. | |
# The goal here is to have a branch or PR-local cache such that consecutive pushes to a shared branch or a specific PR can | |
# reuse layers from a previous docker build/commit. | |
# We use `pr-<pr_number>` as cache-id for PRs and simply <branch_name> otherwise. | |
TARGET_CACHE_ID: ${{ github.event.number && format('pr-{0}', github.event.number) || github.ref_name }} | |
permissions: | |
contents: read | |
id-token: write #required for GCP Workload Identity federation which we use to login into Google Artifact Registry | |
issues: write | |
pull-requests: write | |
# Note on the job-level `if` conditions: | |
# This workflow is designed such that: | |
# 1. Run ALL jobs when a 'push', 'workflow_dispatch' triggered the workflow or on 'pull_request's which have set auto_merge=true or have the label "CICD:run-e2e-tests". | |
# 2. Run ONLY the docker image building jobs on PRs with the "CICD:build-images" label. | |
# 3. Run NOTHING when neither 1. or 2.'s conditions are satisfied. | |
jobs: | |
permission-check: | |
if: | | |
github.event_name == 'push' || | |
github.event_name == 'workflow_dispatch' || | |
contains(github.event.pull_request.labels.*.name, 'CICD:build-images') || | |
contains(github.event.pull_request.labels.*.name, 'CICD:run-e2e-tests') || | |
github.event.pull_request.auto_merge != null || | |
contains(github.event.pull_request.body, '#e2e') | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check repository permission for user which triggered workflow | |
uses: sushichop/action-repository-permission@13d208f5ae7a6a3fc0e5a7c2502c214983f0241c | |
with: | |
required-permission: write | |
comment-not-permitted: Sorry, you don't have permission to trigger this workflow. | |
# Because the docker build happens in a reusable workflow, have a separate job that collects the right metadata | |
# for the subsequent docker builds. Reusable workflows do not currently have the "env" context: https://github.com/orgs/community/discussions/26671 | |
determine-docker-build-metadata: | |
runs-on: ubuntu-latest | |
steps: | |
- name: collect metadata | |
run: | | |
echo "GIT_SHA: ${{ env.GIT_SHA }}" | |
echo "TARGET_CACHE_ID: ${{ env.TARGET_CACHE_ID }}" | |
outputs: | |
gitSha: ${{ env.GIT_SHA }} | |
targetCacheId: ${{ env.TARGET_CACHE_ID }} | |
rust-images: | |
needs: [permission-check, determine-docker-build-metadata] | |
uses: ./.github/workflows/docker-rust-build.yaml | |
secrets: inherit | |
with: | |
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }} | |
TARGET_CACHE_ID: ${{ needs.determine-docker-build-metadata.outputs.targetCacheId }} | |
PROFILE: release | |
BUILD_ADDL_TESTING_IMAGES: true | |
rust-images-indexer: | |
needs: [permission-check, determine-docker-build-metadata] | |
uses: ./.github/workflows/docker-rust-build.yaml | |
secrets: inherit | |
with: | |
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }} | |
TARGET_CACHE_ID: ${{ needs.determine-docker-build-metadata.outputs.targetCacheId }} | |
PROFILE: release | |
FEATURES: indexer | |
BUILD_ADDL_TESTING_IMAGES: true | |
rust-images-failpoints: | |
needs: [permission-check, determine-docker-build-metadata] | |
uses: ./.github/workflows/docker-rust-build.yaml | |
secrets: inherit | |
with: | |
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }} | |
TARGET_CACHE_ID: ${{ needs.determine-docker-build-metadata.outputs.targetCacheId }} | |
PROFILE: release | |
FEATURES: failpoints | |
BUILD_ADDL_TESTING_IMAGES: true | |
rust-images-performance: | |
needs: [permission-check, determine-docker-build-metadata] | |
uses: ./.github/workflows/docker-rust-build.yaml | |
secrets: inherit | |
with: | |
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }} | |
TARGET_CACHE_ID: ${{ needs.determine-docker-build-metadata.outputs.targetCacheId }} | |
PROFILE: performance | |
BUILD_ADDL_TESTING_IMAGES: true | |
sdk-release: | |
needs: [rust-images, determine-docker-build-metadata] | |
if: | | |
!contains(github.event.pull_request.labels.*.name, 'CICD:skip-sdk-integration-test') && ( | |
github.event_name == 'push' || | |
github.event_name == 'workflow_dispatch' || | |
contains(github.event.pull_request.labels.*.name, 'CICD:run-e2e-tests') || | |
github.event.pull_request.auto_merge != null) || | |
contains(github.event.pull_request.body, '#e2e') | |
uses: ./.github/workflows/sdk-release.yaml | |
secrets: inherit | |
with: | |
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }} | |
forge-e2e-test: | |
needs: [rust-images, rust-images-failpoints, determine-docker-build-metadata] | |
if: | | |
!contains(github.event.pull_request.labels.*.name, 'CICD:skip-forge-e2e-test') && ( | |
(github.event_name == 'push' && github.ref_name != 'main') || | |
github.event_name == 'workflow_dispatch' || | |
contains(github.event.pull_request.labels.*.name, 'CICD:run-e2e-tests') || | |
github.event.pull_request.auto_merge != null || | |
contains(github.event.pull_request.body, '#e2e') | |
) | |
uses: ./.github/workflows/run-forge.yaml | |
secrets: inherit | |
with: | |
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }} | |
COMMENT_HEADER: forge-e2e | |
# Use the cache ID as the Forge namespace so we can limit Forge test concurrency on k8s, since Forge | |
# test lifecycle is separate from that of GHA. This protects us from the case where many Forge tests are triggered | |
# by this GHA. If there is a Forge namespace collision, Forge will pre-empt the existing test running in the namespace. | |
FORGE_NAMESPACE: forge-e2e-${{ needs.determine-docker-build-metadata.outputs.targetCacheId }} | |
# Run e2e compat test against testnet branch | |
forge-compat-test: | |
needs: [rust-images, rust-images-failpoints, determine-docker-build-metadata] | |
if: | | |
!contains(github.event.pull_request.labels.*.name, 'CICD:skip-forge-e2e-test') && ( | |
(github.event_name == 'push' && github.ref_name != 'main') || | |
github.event_name == 'workflow_dispatch' || | |
contains(github.event.pull_request.labels.*.name, 'CICD:run-e2e-tests') || | |
github.event.pull_request.auto_merge != null || | |
contains(github.event.pull_request.body, '#e2e') | |
) | |
uses: ./.github/workflows/run-forge.yaml | |
secrets: inherit | |
with: | |
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }} | |
FORGE_TEST_SUITE: compat | |
IMAGE_TAG: testnet_2d8b1b57553d869190f61df1aaf7f31a8fc19a7b # test against the latest build on testnet branch | |
FORGE_RUNNER_DURATION_SECS: 300 | |
COMMENT_HEADER: forge-compat | |
# Use the cache ID as the Forge namespace so we can limit Forge test concurrency on k8s, since Forge | |
# test lifecycle is separate from that of GHA. This protects us from the case where many Forge tests are triggered | |
# by this GHA. If there is a Forge namespace collision, Forge will pre-empt the existing test running in the namespace. | |
FORGE_NAMESPACE: forge-compat-${{ needs.determine-docker-build-metadata.outputs.targetCacheId }} |