Skip to content

[Snyk] Fix for 1 vulnerabilities #21

[Snyk] Fix for 1 vulnerabilities

[Snyk] Fix for 1 vulnerabilities #21

## IMPORTANT NOTE TO EDITORS OF THIS FILE ##
## Note that when you create a PR the jobs in this file are triggered off the
## `pull_request_target` event instead of `pull_request` event. This is because
## the `pull_request` event makes secrets only available to PRs from branches,
## not from forks, and some of these jobs require secrets. So with `pull_request_target`
## we're making secrets available to fork-based PRs too. Using `pull_request_target"
## has a side effect, which is that the workflow execution will be driven by the
## state of the <workflow>.yaml on the `main` (=target) branch, even if you edited
## the <workflow>.yaml in your PR. So when you for example add a new job here, you
## won't see that job appear in the PR itself. It will only become effective once
## you merge the PR to main. Therefore, if you want to add a new job here and want
## to test it's functionality prior to a merge to main, you have to to _temporarily_
## change the trigger event from `pull_request_target` to `pull_request`.
## Additionally, because `pull_request_target` gets secrets injected for forked PRs
## we use `https://github.com/sushichop/action-repository-permission` to ensure these
## jobs are only executed when a repo member with "write" permission has triggered
## the workflow (directly through a push or indirectly by applying a label or enabling
## auto_merge).
name: "Build+Test Docker Images"
on: # build on main branch OR when a PR is labeled with `CICD:build-images`
# Allow us to run this specific workflow without a PR
workflow_dispatch:
pull_request_target:
types: [labeled, opened, synchronize, reopened, auto_merge_enabled]
# For PR that modify .github, run from that PR
# This will fail to get secrets if you are not from aptos
pull_request:
types: [labeled, opened, synchronize, reopened, auto_merge_enabled]
paths:
- ".github/workflows/docker-build-test.yaml"
- ".github/workflows/run-forge.yaml"
- ".github/workflows/docker-rust-build.yaml"
- ".github/workflows/sdk-release.yaml"
push:
branches:
- main
- auto
- canary
- chaotic
- devnet
- testnet
- mainnet
# cancel redundant builds
concurrency:
# for push and workflow_dispatch events we use `github.sha` in the concurrency group and don't really cancel each other out/limit concurrency
# for pull_request events newer jobs cancel earlier jobs to save on CI etc.
group: ${{ github.workflow }}-${{ github.event_name }}-${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.sha || github.head_ref || github.ref }}
cancel-in-progress: true
env:
GCP_DOCKER_ARTIFACT_REPO: ${{ secrets.GCP_DOCKER_ARTIFACT_REPO }}
AWS_ECR_ACCOUNT_NUM: ${{ secrets.ENV_ECR_AWS_ACCOUNT_NUM }}
# In case of pull_request events by default github actions merges main into the PR branch and then runs the tests etc
# on the prospective merge result instead of only on the tip of the PR.
# For more info also see https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit
GIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
# TARGET_CACHE_ID is used as part of the docker tag / cache key inside our bake.hcl docker bake files.
# The goal here is to have a branch or PR-local cache such that consecutive pushes to a shared branch or a specific PR can
# reuse layers from a previous docker build/commit.
# We use `pr-<pr_number>` as cache-id for PRs and simply <branch_name> otherwise.
TARGET_CACHE_ID: ${{ github.event.number && format('pr-{0}', github.event.number) || github.ref_name }}
permissions:
contents: read
id-token: write #required for GCP Workload Identity federation which we use to login into Google Artifact Registry
issues: write
pull-requests: write
# Note on the job-level `if` conditions:
# This workflow is designed such that:
# 1. Run ALL jobs when a 'push', 'workflow_dispatch' triggered the workflow or on 'pull_request's which have set auto_merge=true or have the label "CICD:run-e2e-tests".
# 2. Run ONLY the docker image building jobs on PRs with the "CICD:build-images" label.
# 3. Run NOTHING when neither 1. or 2.'s conditions are satisfied.
jobs:
permission-check:
if: |
github.event_name == 'push' ||
github.event_name == 'workflow_dispatch' ||
contains(github.event.pull_request.labels.*.name, 'CICD:build-images') ||
contains(github.event.pull_request.labels.*.name, 'CICD:run-e2e-tests') ||
github.event.pull_request.auto_merge != null ||
contains(github.event.pull_request.body, '#e2e')
runs-on: ubuntu-latest
steps:
- name: Check repository permission for user which triggered workflow
uses: sushichop/action-repository-permission@13d208f5ae7a6a3fc0e5a7c2502c214983f0241c
with:
required-permission: write
comment-not-permitted: Sorry, you don't have permission to trigger this workflow.
# Because the docker build happens in a reusable workflow, have a separate job that collects the right metadata
# for the subsequent docker builds. Reusable workflows do not currently have the "env" context: https://github.com/orgs/community/discussions/26671
determine-docker-build-metadata:
runs-on: ubuntu-latest
steps:
- name: collect metadata
run: |
echo "GIT_SHA: ${{ env.GIT_SHA }}"
echo "TARGET_CACHE_ID: ${{ env.TARGET_CACHE_ID }}"
outputs:
gitSha: ${{ env.GIT_SHA }}
targetCacheId: ${{ env.TARGET_CACHE_ID }}
rust-images:
needs: [permission-check, determine-docker-build-metadata]
uses: ./.github/workflows/docker-rust-build.yaml
secrets: inherit
with:
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }}
TARGET_CACHE_ID: ${{ needs.determine-docker-build-metadata.outputs.targetCacheId }}
PROFILE: release
BUILD_ADDL_TESTING_IMAGES: true
rust-images-indexer:
needs: [permission-check, determine-docker-build-metadata]
uses: ./.github/workflows/docker-rust-build.yaml
secrets: inherit
with:
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }}
TARGET_CACHE_ID: ${{ needs.determine-docker-build-metadata.outputs.targetCacheId }}
PROFILE: release
FEATURES: indexer
BUILD_ADDL_TESTING_IMAGES: true
rust-images-failpoints:
needs: [permission-check, determine-docker-build-metadata]
uses: ./.github/workflows/docker-rust-build.yaml
secrets: inherit
with:
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }}
TARGET_CACHE_ID: ${{ needs.determine-docker-build-metadata.outputs.targetCacheId }}
PROFILE: release
FEATURES: failpoints
BUILD_ADDL_TESTING_IMAGES: true
rust-images-performance:
needs: [permission-check, determine-docker-build-metadata]
uses: ./.github/workflows/docker-rust-build.yaml
secrets: inherit
with:
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }}
TARGET_CACHE_ID: ${{ needs.determine-docker-build-metadata.outputs.targetCacheId }}
PROFILE: performance
BUILD_ADDL_TESTING_IMAGES: true
sdk-release:
needs: [rust-images, determine-docker-build-metadata]
if: |
!contains(github.event.pull_request.labels.*.name, 'CICD:skip-sdk-integration-test') && (
github.event_name == 'push' ||
github.event_name == 'workflow_dispatch' ||
contains(github.event.pull_request.labels.*.name, 'CICD:run-e2e-tests') ||
github.event.pull_request.auto_merge != null) ||
contains(github.event.pull_request.body, '#e2e')
uses: ./.github/workflows/sdk-release.yaml
secrets: inherit
with:
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }}
forge-e2e-test:
needs: [rust-images, rust-images-failpoints, determine-docker-build-metadata]
if: |
!contains(github.event.pull_request.labels.*.name, 'CICD:skip-forge-e2e-test') && (
(github.event_name == 'push' && github.ref_name != 'main') ||
github.event_name == 'workflow_dispatch' ||
contains(github.event.pull_request.labels.*.name, 'CICD:run-e2e-tests') ||
github.event.pull_request.auto_merge != null ||
contains(github.event.pull_request.body, '#e2e')
)
uses: ./.github/workflows/run-forge.yaml
secrets: inherit
with:
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }}
COMMENT_HEADER: forge-e2e
# Use the cache ID as the Forge namespace so we can limit Forge test concurrency on k8s, since Forge
# test lifecycle is separate from that of GHA. This protects us from the case where many Forge tests are triggered
# by this GHA. If there is a Forge namespace collision, Forge will pre-empt the existing test running in the namespace.
FORGE_NAMESPACE: forge-e2e-${{ needs.determine-docker-build-metadata.outputs.targetCacheId }}
# Run e2e compat test against testnet branch
forge-compat-test:
needs: [rust-images, rust-images-failpoints, determine-docker-build-metadata]
if: |
!contains(github.event.pull_request.labels.*.name, 'CICD:skip-forge-e2e-test') && (
(github.event_name == 'push' && github.ref_name != 'main') ||
github.event_name == 'workflow_dispatch' ||
contains(github.event.pull_request.labels.*.name, 'CICD:run-e2e-tests') ||
github.event.pull_request.auto_merge != null ||
contains(github.event.pull_request.body, '#e2e')
)
uses: ./.github/workflows/run-forge.yaml
secrets: inherit
with:
GIT_SHA: ${{ needs.determine-docker-build-metadata.outputs.gitSha }}
FORGE_TEST_SUITE: compat
IMAGE_TAG: testnet_2d8b1b57553d869190f61df1aaf7f31a8fc19a7b # test against the latest build on testnet branch
FORGE_RUNNER_DURATION_SECS: 300
COMMENT_HEADER: forge-compat
# Use the cache ID as the Forge namespace so we can limit Forge test concurrency on k8s, since Forge
# test lifecycle is separate from that of GHA. This protects us from the case where many Forge tests are triggered
# by this GHA. If there is a Forge namespace collision, Forge will pre-empt the existing test running in the namespace.
FORGE_NAMESPACE: forge-compat-${{ needs.determine-docker-build-metadata.outputs.targetCacheId }}