From 3fe694709622420eaf04156ab17aff7f9959478f Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 10:56:53 +0200
Subject: [PATCH 01/18] chore(ci): confirm workflow_run event
---
 .github/workflows/on_opened_pr.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 3d5aab45b5d..4e74530f8c5 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -19,6 +19,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
+ - name: "Debug workflow_run event"
+ run: echo ${{ toJSON(github.event) }}
 - name: "Ensure related issue is present"
 uses: actions/github-script@v6
 env:
From 61a492241d84414bc5215e19b74d6730a5d51fba Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 10:58:38 +0200
Subject: [PATCH 02/18] chore: dummy for PR test
---
 .github/workflows/on_opened_pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 4e74530f8c5..64b9a8897a6 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -20,7 +20,7 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: "Debug workflow_run event"
- run: echo ${{ toJSON(github.event) }}
+ run: echo "${{ toJSON(github.event) }}"
 - name: "Ensure related issue is present"
 uses: actions/github-script@v6
 env:
From b44b462e7d45c53cdc5925a43f372888f58a373d Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 11:05:24 +0200
Subject: [PATCH 03/18] chore: print full event depth
---
 .github/workflows/on_opened_pr.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 64b9a8897a6..15cf5db0d92 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
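Review bot: `run: echo ${{ toJSON(github.event) }}` expands the event payload into the shell script before bash parses it, and on a `workflow_run` trigger that payload carries strings from the triggering run (head branch, commit message, pull-request titles) that a fork contributor controls, while this job runs with the repository's `GITHUB_TOKEN`. `toJSON` escapes quotes and newlines but not `$(...)` or backticks, so a crafted commit message can run commands in this step. Hand the payload to the shell as data instead: `env: EVENT_PAYLOAD: ${{ toJSON(github.event) }}` on the step and `run: echo "$EVENT_PAYLOAD"`. Since this is a debug step, plan to remove it before the branch lands rather than leave the full payload in public logs.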
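Review bot: The double quotes added around `${{ toJSON(github.event) }}` make the multi-line JSON survive as one `echo` argument but do not remove the injection: the expression is substituted before the shell runs, and `$(...)` or backtick sequences inside a double-quoted string are still evaluated, so contributor-controlled strings in the `workflow_run` payload remain executable here. The robust form is to put the JSON in an environment variable on the step and echo `"$EVENT_PAYLOAD"`.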
@@ -20,7 +20,9 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: "Debug workflow_run event"
- run: echo "${{ toJSON(github.event) }}"
+ env:
+ event_payload: ${{ toJSON(github.event) }}
+ run: echo $event_payload
 - name: "Ensure related issue is present"
 uses: actions/github-script@v6
 env:
From fd3fc0f6753ccad6e0768e85c55e84d96cbd5d84 Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 11:10:54 +0200
Subject: [PATCH 04/18] chore: print full workflow event depth
---
 .github/workflows/on_opened_pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 15cf5db0d92..b2b0950537e 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -21,7 +21,7 @@ jobs:
 - uses: actions/checkout@v3
 - name: "Debug workflow_run event"
 env:
- event_payload: ${{ toJSON(github.event) }}
+ event_payload: ${{ toJSON(github) }}
 run: echo $event_payload
 - name: "Ensure related issue is present"
 uses: actions/github-script@v6
From 2de2bac3f3285393498a990e98b6f94f74e1fd65 Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 11:29:48 +0200
Subject: [PATCH 05/18] chore: debug full event
---
 .github/scripts/enforce_acknowledgment.js | 40 +++++++++++++++++++++++
 .github/workflows/on_opened_pr.yml | 4 +--
 2 files changed, 41 insertions(+), 3 deletions(-)
 create mode 100644 .github/scripts/enforce_acknowledgment.js
diff --git a/.github/scripts/enforce_acknowledgment.js b/.github/scripts/enforce_acknowledgment.js
new file mode 100644
index 00000000000..3e3be636ede
--- /dev/null
+++ b/.github/scripts/enforce_acknowledgment.js
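Review bot: Passing the payload through `event_payload` in `env:` is the right shape, since the shell now receives it as a variable rather than as script text; the remaining nit is that `run: echo $event_payload` is unquoted, so the JSON goes through word splitting and glob expansion before it is printed. `run: echo "$event_payload"` keeps it intact. This is still a debug step that prints the full `workflow_run` payload to a public log, so it should not outlive the investigation.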
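Review bot: `event_payload: ${{ toJSON(github) }}` serialises the entire `github` context, which includes `github.token`, so the job's `GITHUB_TOKEN` is copied into a process environment variable and handed to `echo`; log masking should redact it in the output, but relying on masking for a deliberate dump of the whole context is fragile, and nothing in `workflow_run` debugging needs it. Limit the dump to the object under investigation, `event_payload: ${{ toJSON(github.event.workflow_run) }}` (or `github.event`).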
@@ -0,0 +1,40 @@
+const {
+PR_ACTION,
+PR_AUTHOR,
+PR_BODY,
+PR_NUMBER,
+IGNORE_AUTHORS,
+LABEL_BLOCK,
+LABEL_BLOCK_REASON
+} = require("./constants")
+
+module.exports = async ({github, context, core}) => {
+ if (IGNORE_AUTHORS.includes(PR_AUTHOR)) {
+ return core.notice("Author in IGNORE_AUTHORS list; skipping...")
+ }
+
+ if (PR_ACTION != "opened") {
+ return core.notice("Only newly open PRs are labelled to avoid spam; skipping")
+ }
+
+ const RELATED_ISSUE_REGEX = /Issue number:[^\d\r\n]+(?\d+)/;
+ const isMatch = RELATED_ISSUE_REGEX.exec(PR_BODY);
+ if (isMatch == null) {
+ core.info(`No related issue found, maybe the author didn't use the template but there is one.`)
+
+ let msg = "No related issues found. Please ensure there is an open issue related to this change to avoid significant delays or closure.";
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: msg,
+ issue_number: PR_NUMBER,
+ });
+
+ return await github.rest.issues.addLabels({
+ issue_number: PR_NUMBER,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: [LABEL_BLOCK, LABEL_BLOCK_REASON]
+ })
+ }
+}
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index b2b0950537e..385bdfffa85 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -20,9 +20,7 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: "Debug workflow_run event"
- env:
- event_payload: ${{ toJSON(github) }}
- run: echo $event_payload
+ run: echo "${{ github }}"
 - name: "Ensure related issue is present"
 uses: actions/github-script@v6
 env:
From 879fcbe8c4e23f12dee0c3047f06b15992ecabe2 Mon Sep 17 00:00:00 2001
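Review bot: The new `const RELATED_ISSUE_REGEX = /Issue number:[^\d\r\n]+(?\d+)/;` does not parse as a JavaScript regular expression: `(?` must be followed by `:`, `=`, `!` or `<name>`, so as written the module should throw a SyntaxError when `github-script` requires it; this looks like a `<name>` token lost on the way into this listing, so verify the committed file reads `(?<issue>\d+)` or simply `(\d+)`. Independently, `[^\d\r\n]+` needs at least one non-digit between the colon and the number, so a body of `Issue number:123` is classified as having no related issue and receives `LABEL_BLOCK`; `[^\d\r\n]*` accepts both spellings. `PR_BODY` is contributor-supplied text; using it only as regex input, never in a shell command or in the posted comment body, is the boundary to keep as this script grows.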
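Review bot: `run: echo "${{ github }}"` goes back to expanding a context into the script text, after the two previous commits had moved the payload into an environment variable to avoid exactly that, and it interpolates the whole `github` context object (token included, in whatever string form the runner renders an object) rather than the event being debugged. If the step is still needed, keep the `env:` form with `toJSON(github.event)`; otherwise delete it.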
From: heitorlessa
Date: Fri, 22 Jul 2022 12:38:37 +0200
Subject: [PATCH 06/18] chore(ci): experiment hardening origin
---
 .github/workflows/label_pr_on_title.yml | 1 +
 .github/workflows/on_merged_pr.yml | 1 +
 .github/workflows/on_opened_pr.yml | 2 ++
 .github/workflows/reusable_export_pr_details.yml | 6 ++++++
 4 files changed, 10 insertions(+)
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index 562959bb516..3815a49e9bd 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -14,6 +14,7 @@ jobs:
 uses: ./.github/workflows/reusable_export_pr_details.yml
 with:
 record_pr_workflow_id: ${{ github.event.workflow_run.id }}
+ workflow_origin: ${{ github.event.repository.full_name }}
 secrets:
 token: ${{ secrets.GITHUB_TOKEN }}
 label_pr:
diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml
index 3f1bcb57237..cd97e1c306e 100644
--- a/.github/workflows/on_merged_pr.yml
+++ b/.github/workflows/on_merged_pr.yml
@@ -12,6 +12,7 @@ jobs:
 uses: ./.github/workflows/reusable_export_pr_details.yml
 with:
 record_pr_workflow_id: ${{ github.event.workflow_run.id }}
+ workflow_origin: ${{ github.event.repository.full_name }}
 secrets:
 token: ${{ secrets.GITHUB_TOKEN }}
 release_label_on_merge:
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 385bdfffa85..39bdf612c7f 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -10,8 +10,10 @@ jobs:
 get_pr_details:
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 uses: ./.github/workflows/reusable_export_pr_details.yml
+ env:
 with:
 record_pr_workflow_id: ${{ github.event.workflow_run.id }}
+ workflow_origin: ${{ github.event.repository.full_name }}
 secrets:
 token: ${{ secrets.GITHUB_TOKEN }}
 check_related_issue:
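Review bot: `workflow_origin: ${{ github.event.repository.full_name }}` does not identify where the pull request came from: on a `workflow_run` event `github.event.repository` is the repository that owns the workflow that just ran, which as far as I can tell is always this repository, so the value carries no information about forks. If the goal is to refuse runs triggered from forks, the triggering repository is `github.event.workflow_run.head_repository.full_name` (compare it with `github.repository`); if the goal is to stop the reusable workflow being called from a clone of this repo, the callee can check `github.repository` itself without trusting an input. The `env:` key added under `get_pr_details` is not accepted on a job that `uses:` a reusable workflow and will fail workflow validation.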
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index dcbb959a4ea..dce5017c085 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -6,6 +6,11 @@ on:
 record_pr_workflow_id:
 required: true
 type: number
+ # this protects from anyone mimicking "Record PR details" dependency
+ # regardless of our untrusted input validation
+ workflow_origin:
+ required: true
+ type: string
 secrets:
 token:
 required: true
@@ -32,6 +37,7 @@ on:
 
 jobs:
 export_pr_details:
+ if: inputs.workflow_origin == "bla/bla"
 runs-on: ubuntu-latest
 env:
 FILENAME: pr.txt
From b1973b2a8a3b34d1e8868da5049974c712116d48 Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 12:43:01 +0200
Subject: [PATCH 07/18] chore(ci): experiment hardening origin
---
 .github/workflows/reusable_export_pr_details.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index dce5017c085..1c940c7899e 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -37,7 +37,7 @@ on:
 
 jobs:
 export_pr_details:
- if: inputs.workflow_origin == "bla/bla"
+ if: inputs.workflow_origin == "dummy_org/dummy_repo"
 runs-on: ubuntu-latest
 env:
 FILENAME: pr.txt
From ab6fe51fc363bb72d3b08f62d150ffc038cdf887 Mon Sep 17 00:00:00 2001
From: Heitor Lessa
Date: Fri, 22 Jul 2022 12:46:08 +0200
Subject: [PATCH 08/18] fix(ci): unexpected symbol due to double quotes...
---
 .github/workflows/reusable_export_pr_details.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index dce5017c085..354a37e56c9 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
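Review bot: `if: inputs.workflow_origin == "bla/bla"` gates the job on a value the caller chooses, so it only screens out callers that decline to send the expected string; a copy of the caller workflow in another repository can pass the same origin, which is the scenario the comment above `workflow_origin` says it guards against. A check the caller cannot influence is `if: github.repository == 'awslabs/aws-lambda-powertools-python'` written in this file, because the `github` context of a called workflow reflects the run it belongs to, not an input. Note also that expression string literals take single quotes; `"bla/bla"` is rejected by the workflow parser. Whichever form is kept, reword the comment so it states what is actually trusted and why.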
@@ -37,7 +37,7 @@ on:
 
 jobs:
 export_pr_details:
- if: inputs.workflow_origin == "bla/bla"
+ if: inputs.workflow_origin == 'bla/bla'
 runs-on: ubuntu-latest
 env:
 FILENAME: pr.txt
From 79c4fbddcf3b657d1a04dde472588aa9e27f54e8 Mon Sep 17 00:00:00 2001
From: Heitor Lessa
Date: Fri, 22 Jul 2022 12:47:19 +0200
Subject: [PATCH 09/18] fix(ci): remove unsupported env in workflow_call
---
 .github/workflows/on_opened_pr.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 39bdf612c7f..2663d605325 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -10,7 +10,6 @@ jobs:
 get_pr_details:
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 uses: ./.github/workflows/reusable_export_pr_details.yml
- env:
 with:
 record_pr_workflow_id: ${{ github.event.workflow_run.id }}
 workflow_origin: ${{ github.event.repository.full_name }}
From b9e357b7c8a854f4af28c4ffb3c3852f7cf2eef7 Mon Sep 17 00:00:00 2001
From: Heitor Lessa
Date: Fri, 22 Jul 2022 12:56:34 +0200
Subject: [PATCH 10/18] chore(ci): test default env
---
 .github/workflows/reusable_export_pr_details.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index 354a37e56c9..af41f48fdb7 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -1,5 +1,8 @@
 name: Export previously recorded PR
 
+env:
+ TRUSTED_ORIGIN: "heitorlessa/aws-lambda-powertools-python"
+
 on:
 workflow_call:
 inputs:
@@ -37,7 +40,7 @@ on:
 
 jobs:
 export_pr_details:
- if: inputs.workflow_origin == 'bla/bla'
+ if: inputs.workflow_origin == env.TRUSTED_ORIGIN
 runs-on: ubuntu-latest
 env:
 FILENAME: pr.txt
From 53ecc244ed9f2f1d5c08f54da1eb5e34cc323671 Mon Sep 17 00:00:00 2001
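Review bot: `if: inputs.workflow_origin == env.TRUSTED_ORIGIN` cannot work as intended, because the `env` context is not among the contexts exposed to a job-level `if`, so `env.TRUSTED_ORIGIN` resolves empty and the comparison is false for every origin, which will look like the job being skipped unconditionally. Wrapping the expression in `${{ }}` or splitting it does not change which contexts are available there. Inline the literal in the condition (or compare `github.repository` against it) and keep a workflow-level `env:` only for values that steps read.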
From: Heitor Lessa
Date: Fri, 22 Jul 2022 13:01:20 +0200
Subject: [PATCH 11/18] fix(ci): only event is resolved in cond
---
 .github/workflows/reusable_export_pr_details.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index af41f48fdb7..1ada882020b 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -40,7 +40,7 @@ on:
 
 jobs:
 export_pr_details:
- if: inputs.workflow_origin == env.TRUSTED_ORIGIN
+ if: ${{ inputs.workflow_origin == env.TRUSTED_ORIGIN }}
 runs-on: ubuntu-latest
 env:
 FILENAME: pr.txt
From e38e96e59e00af5a7b3ded98c22c10085117116d Mon Sep 17 00:00:00 2001
From: Heitor Lessa
Date: Fri, 22 Jul 2022 13:09:18 +0200
Subject: [PATCH 12/18] chore(ci): test env expr
---
 .github/workflows/reusable_export_pr_details.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index 1ada882020b..b066dd2f585 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -40,7 +40,7 @@ on:
 
 jobs:
 export_pr_details:
- if: ${{ inputs.workflow_origin == env.TRUSTED_ORIGIN }}
+ if: inputs.workflow_origin == ${{ env.TRUSTED_ORIGIN }}
 runs-on: ubuntu-latest
 env:
 FILENAME: pr.txt
From e81d6b3138fd841e7d63bbcd7220815e29c93d55 Mon Sep 17 00:00:00 2001
From: Heitor Lessa
Date: Fri, 22 Jul 2022 13:11:01 +0200
Subject: [PATCH 13/18] fix(ci): cond doesnt support two expr w/ env
---
 .github/workflows/reusable_export_pr_details.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index b066dd2f585..37ca1c3b782 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -1,8 +1,5 @@
 name: Export previously recorded PR
 
-env:
- TRUSTED_ORIGIN: "heitorlessa/aws-lambda-powertools-python"
-
 on:
 workflow_call:
 inputs:
@@ -40,7 +37,7 @@ on:
 
 jobs:
 export_pr_details:
- if: inputs.workflow_origin == ${{ env.TRUSTED_ORIGIN }}
+ if: inputs.workflow_origin == 'heitorlessa/aws-lambda-powertools-python'
 runs-on: ubuntu-latest
 env:
 FILENAME: pr.txt
From 93f56e96d34ec33e39ebfec224354363e3fab912 Mon Sep 17 00:00:00 2001
From: Heitor Lessa
Date: Fri, 22 Jul 2022 13:15:18 +0200
Subject: [PATCH 14/18] chore(ci): test upstream job skip
---
 .github/workflows/reusable_export_pr_details.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index 37ca1c3b782..c4ccdab9d99 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -37,7 +37,7 @@ on:
 
 jobs:
 export_pr_details:
- if: inputs.workflow_origin == 'heitorlessa/aws-lambda-powertools-python'
+ if: inputs.workflow_origin == 'awslabs/aws-lambda-powertools-python'
 runs-on: ubuntu-latest
 env:
 FILENAME: pr.txt
From 59d030983329cada59c3c609106f31ccd73cf294 Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 13:58:44 +0200
Subject: [PATCH 15/18] chore: remove leftover from fork one more time
---
 .github/workflows/on_opened_pr.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 971fdd6b580..6c5979c8b80 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -20,8 +20,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - name: "Debug workflow_run event"
- run: echo ${{ toJSON(github.event) }}
 - name: "Ensure related issue is present"
 uses: actions/github-script@v6
 env:
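Review bot: With `if: inputs.workflow_origin == 'awslabs/aws-lambda-powertools-python'`, any mismatch (an organisation or repository rename, a typo in a caller's `with:`) makes the condition false and silently skips `export_pr_details` together with every job that `needs` it, and nothing in the run explains why. Failing closed is right, but it should be visible: consider a first step with `env: ORIGIN: ${{ inputs.workflow_origin }}` and `run: test "$ORIGIN" = "awslabs/aws-lambda-powertools-python" || { echo "unexpected origin: $ORIGIN" >&2; exit 1; }`, so an unexpected origin shows as a red job rather than a no-op. The comparison is still against a caller-supplied input; `github.repository` is the value the caller cannot forge. The job's steps continue past the end of the hunk.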
From f9e724b5e554067d48d6f2fd645169d6a33ff235 Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 14:50:32 +0200
Subject: [PATCH 16/18] chore(ci): use OIDC creds and use encrypted secrets
---
 .github/workflows/publish.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 1c7cd4c2002..c2af2f2fae5 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -31,6 +31,7 @@ on:
 
 jobs:
 release:
+ environment: release
 runs-on: ubuntu-latest
 outputs:
 RELEASE_VERSION: ${{ steps.release_version.outputs.RELEASE_VERSION }}
@@ -84,16 +85,15 @@ jobs:
 env:
 PYPI_USERNAME: __token__
 PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
+ - name: aws credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-region: eu-west-1
+ role-to-assume: ${{ secrets.AWS_SAR_ROLE_ARN }}
 - name: publish lambda layer in SAR by triggering the internal codepipeline
 run: |
 aws ssm put-parameter --name "powertools-python-release-version" --value $RELEASE_VERSION --overwrite
- aws codepipeline start-pipeline-execution --name ${{ secrets.CODEPIPELINE_NAME }}
- env:
- # Maintenance: Migrate to new OAuth mechanism
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- AWS_DEFAULT_REGION: eu-west-1
- AWS_DEFAULT_OUTPUT: json
+ aws codepipeline start-pipeline-execution --name ${{ secrets.AWS_SAR_PIPELINE_NAME }}
 
 docs:
 needs: release
From 28edb26d5d8727c4a6b7726e2a6172761aef034b Mon Sep 17 00:00:00 2001
From: Heitor Lessa
Date: Fri, 22 Jul 2022 14:55:52 +0200
Subject: [PATCH 17/18] chore: delete leftover
---
 .github/scripts/enforce_acknowledgment.js | 40 -----------------------
 1 file changed, 40 deletions(-)
 delete mode 100644 .github/scripts/enforce_acknowledgment.js
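Review bot: The new `uses: aws-actions/configure-aws-credentials@v1` step with `role-to-assume` relies on the OIDC token exchange, which requires `permissions: id-token: write` on the `release` job; that key does not appear in either hunk, so unless it is declared elsewhere in the job (not visible here) the assume-role call will fail at runtime. For a job that holds the PyPI token and a deployment role, pin the action to a full commit SHA rather than the mutable `v1` tag, and set `role-session-name` so CloudTrail entries are attributable to this workflow. `${{ secrets.AWS_SAR_PIPELINE_NAME }}` is expanded straight into the `run:` script; it is a maintainer-controlled secret rather than contributor input, but the same pattern is what becomes command injection with untrusted values, so pass it via `env:` and write `aws codepipeline start-pipeline-execution --name "$AWS_SAR_PIPELINE_NAME"`, quoting `"$RELEASE_VERSION"` on the line above while there. `environment: release` is a good addition; pair it with required reviewers or a deployment-branch rule, and scope the IAM role's trust-policy `sub` condition to `environment:release` so the role cannot be assumed from other jobs in the repository.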
diff --git a/.github/scripts/enforce_acknowledgment.js b/.github/scripts/enforce_acknowledgment.js
deleted file mode 100644
index 3e3be636ede..00000000000
--- a/.github/scripts/enforce_acknowledgment.js
+++ /dev/null
@@ -1,40 +0,0 @@
-const {
-PR_ACTION,
-PR_AUTHOR,
-PR_BODY,
-PR_NUMBER,
-IGNORE_AUTHORS,
-LABEL_BLOCK,
-LABEL_BLOCK_REASON
-} = require("./constants")
-
-module.exports = async ({github, context, core}) => {
- if (IGNORE_AUTHORS.includes(PR_AUTHOR)) {
- return core.notice("Author in IGNORE_AUTHORS list; skipping...")
- }
-
- if (PR_ACTION != "opened") {
- return core.notice("Only newly open PRs are labelled to avoid spam; skipping")
- }
-
- const RELATED_ISSUE_REGEX = /Issue number:[^\d\r\n]+(?\d+)/;
- const isMatch = RELATED_ISSUE_REGEX.exec(PR_BODY);
- if (isMatch == null) {
- core.info(`No related issue found, maybe the author didn't use the template but there is one.`)
-
- let msg = "No related issues found. Please ensure there is an open issue related to this change to avoid significant delays or closure.";
- await github.rest.issues.createComment({
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: msg,
- issue_number: PR_NUMBER,
- });
-
- return await github.rest.issues.addLabels({
- issue_number: PR_NUMBER,
- owner: context.repo.owner,
- repo: context.repo.repo,
- labels: [LABEL_BLOCK, LABEL_BLOCK_REASON]
- })
- }
-}
From 35560e1b5453f1d68a9e2023551b8acd5a7e2307 Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 14:56:15 +0200
Subject: [PATCH 18/18] chore: remove leftover from fork one more time
---
 .github/workflows/on_opened_pr.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 2663d605325..6c5979c8b80 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -20,8 +20,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - name: "Debug workflow_run event"
- run: echo "${{ github }}"
 - name: "Ensure related issue is present"
 uses: actions/github-script@v6
 env: