
Commit 1192d21

committed
ci: improve workflow security and use env vars
1 parent 2c008ec commit 1192d21


6 files changed

+48
-22
lines changed

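--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -25,6 +25,7 @@ jobs:
 uses: actions/checkout@v6
 with:
 ref: ${{ github.ref }}
+persist-credentials: false
 
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
@@ -54,26 +55,26 @@ jobs:
 fi
 echo "Read photon version from .last_release: $PHOTON_VERSION"
 else
-PHOTON_VERSION="${{ github.event.inputs.photon_version }}"
+PHOTON_VERSION="${GITHUB_EVENT_INPUTS_PHOTON_VERSION}"
 if [[ -z "$PHOTON_VERSION" ]]; then
 echo "Error: PHOTON_VERSION must be provided when .last_release file is missing"
 exit 1
 fi
 fi
 
 if [ "${{ github.event_name }}" == "release" ]; then
-CONTAINER_VERSION="${{ github.event.release.tag_name }}"
+CONTAINER_VERSION="${GITHUB_EVENT_RELEASE_TAG_NAME}"
 CONTAINER_VERSION="${CONTAINER_VERSION#v}"
 IS_PRERELEASE="${{ github.event.release.prerelease }}"
-elif [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref }}" == "refs/heads/dev" ]; then
+elif [ "${{ github.event_name }}" == "push" ] && [ "${GITHUB_REF}" == "refs/heads/dev" ]; then
 SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
 CONTAINER_VERSION="dev-${SHORT_SHA}"
 IS_PRERELEASE="true"
 elif [ "${{ github.event_name }}" == "pull_request" ]; then
 CONTAINER_VERSION="pr-${{ github.event.pull_request.number }}"
 IS_PRERELEASE="true"
 else
-CONTAINER_VERSION="${{ github.event.inputs.container_version }}"
+CONTAINER_VERSION="${GITHUB_EVENT_INPUTS_CONTAINER_VERSION}"
 CONTAINER_VERSION="${CONTAINER_VERSION#v}"
 
 if [[ "$CONTAINER_VERSION" == *"-beta"* ]]; then
@@ -90,20 +91,24 @@ jobs:
 echo "Container Version: $CONTAINER_VERSION"
 echo "Photon Version: $PHOTON_VERSION"
 echo "Is Prerelease: $IS_PRERELEASE"
+env:
+GITHUB_EVENT_INPUTS_PHOTON_VERSION: ${{ github.event.inputs.photon_version }}
+GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+GITHUB_EVENT_INPUTS_CONTAINER_VERSION: ${{ github.event.inputs.container_version }}
 
 - name: Generate Docker tags with semver support
 id: generate_tags
 run: |
-CONTAINER_VERSION="${{ env.CONTAINER_VERSION }}"
-IS_PRERELEASE="${{ env.IS_PRERELEASE }}"
+CONTAINER_VERSION="${CONTAINER_VERSION}"
+IS_PRERELEASE="${IS_PRERELEASE}"
 
 REPO_NAME="${{ github.repository }}"
 DOCKERHUB_REPO="${REPO_NAME,,}"
 GHCR_REPO="ghcr.io/${REPO_NAME,,}"
 
 TAGS="$DOCKERHUB_REPO:$CONTAINER_VERSION,$GHCR_REPO:$CONTAINER_VERSION"
 
-if [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref }}" == "refs/heads/dev" ]; then
+if [ "${{ github.event_name }}" == "push" ] && [ "${GITHUB_REF}" == "refs/heads/dev" ]; then
 TAGS="$TAGS,$DOCKERHUB_REPO:dev,$GHCR_REPO:dev"
 elif [ "$IS_PRERELEASE" == "true" ]; then
 TAGS="$TAGS,$DOCKERHUB_REPO:beta,$GHCR_REPO:beta"
@@ -143,7 +148,7 @@ jobs:
 run: |
 echo "## Docker Build Summary" >> $GITHUB_STEP_SUMMARY
 echo "- **Event:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
-echo "- **Container Version:** ${{ env.CONTAINER_VERSION }}" >> $GITHUB_STEP_SUMMARY
-echo "- **Photon Version:** ${{ env.PHOTON_VERSION }}" >> $GITHUB_STEP_SUMMARY
-echo "- **Is Prerelease:** ${{ env.IS_PRERELEASE }}" >> $GITHUB_STEP_SUMMARY
-echo "- **Tags:** ${{ env.DOCKER_TAGS }}" >> $GITHUB_STEP_SUMMARY
+echo "- **Container Version:** ${CONTAINER_VERSION}" >> $GITHUB_STEP_SUMMARY
+echo "- **Photon Version:** ${PHOTON_VERSION}" >> $GITHUB_STEP_SUMMARY
+echo "- **Is Prerelease:** ${IS_PRERELEASE}" >> $GITHUB_STEP_SUMMARY
+echo "- **Tags:** ${DOCKER_TAGS}" >> $GITHUB_STEP_SUMMARY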
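Review bot: The env-mapping in the second hunk (`@@ -54,26 +55,26 @@`) leaves `IS_PRERELEASE="${{ github.event.release.prerelease }}"`, `SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)`, `CONTAINER_VERSION="pr-${{ github.event.pull_request.number }}"` and, in the third hunk, `REPO_NAME="${{ github.repository }}"` interpolated directly into the same `run:` scripts that the commit otherwise cleans up. Those values are a boolean, a hex digest, an integer and an owner/repo slug, so they are far less exposed than the release tag name and dispatch inputs that were moved, but routing them through the step `env:` as well leaves one pattern per script and nothing for a later reviewer to re-audit; the same `${{ github.event.pull_request.number }}` literal remains in full-test.yml's summary step. A second item in the same spirit applies to every file in this commit: `uses: actions/checkout@v6`, `actions/setup-python@v6` and `docker/setup-buildx-action@v3` still resolve mutable tags, and pinning each to a full commit SHA (with the tag kept in a trailing comment) is the usual companion to `persist-credentials: false`. The `run:` step edited by the second hunk starts above it and its `env:` block is only visible in the third hunk, so the mapping is inferred from the new-side variable names.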

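--- a/.github/workflows/check-releases.yml
+++ b/.github/workflows/check-releases.yml
@@ -15,6 +15,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v6
+with:
+persist-credentials: false
 
 - name: Check for new Photon release
 id: check_release
@@ -43,26 +45,28 @@ jobs:
 - name: Determine if update is needed
 id: prepare_update
 run: |
-if [[ -n "${{ env.latest_release_version }}" && "${{ env.latest_release_version }}" != "${{ env.last_processed_version }}" ]]; then
-echo "New version found: ${{ env.latest_release_version }}. (Previous: ${{ env.last_processed_version }})"
+if [[ -n "${LATEST_RELEASE_VERSION}" && "${LATEST_RELEASE_VERSION}" != "${LAST_PROCESSED_VERSION}" ]]; then
+echo "New version found: ${LATEST_RELEASE_VERSION}. (Previous: ${LAST_PROCESSED_VERSION})"
 {
 echo "update_needed=true"
-echo "new_version=${{ env.latest_release_version }}"
-echo "new_branch_name=update-photon-${{ env.latest_release_version }}"
+echo "new_version=${LATEST_RELEASE_VERSION}"
+echo "new_branch_name=update-photon-${LATEST_RELEASE_VERSION}"
 } >> "$GITHUB_OUTPUT"
 else
-echo "No new Photon release detected or version is already up-to-date. Latest fetched: '${{ env.latest_release_version }}', last processed: '${{ env.last_processed_version }}'."
+echo "No new Photon release detected or version is already up-to-date. Latest fetched: '${LATEST_RELEASE_VERSION}', last processed: '${LAST_PROCESSED_VERSION}'."
 {
 echo "update_needed=false"
-echo "new_version=${{ env.last_processed_version }}"
+echo "new_version=${LAST_PROCESSED_VERSION}"
 } >> "$GITHUB_OUTPUT"
 fi
 
 - name: Update release file(s) locally
 if: steps.prepare_update.outputs.update_needed == 'true'
 run: |
-echo "Updating .last_release to ${{ steps.prepare_update.outputs.new_version }}"
-echo "${{ steps.prepare_update.outputs.new_version }}" > .last_release
+echo "Updating .last_release to ${STEPS_PREPARE_UPDATE_OUTPUTS_NEW_VERSION}"
+echo "${STEPS_PREPARE_UPDATE_OUTPUTS_NEW_VERSION}" > .last_release
+env:
+STEPS_PREPARE_UPDATE_OUTPUTS_NEW_VERSION: ${{ steps.prepare_update.outputs.new_version }}
 
 - name: Create Pull Request
 if: steps.prepare_update.outputs.update_needed == 'true'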
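Review bot: The new-side references `${LATEST_RELEASE_VERSION}` and `${LAST_PROCESSED_VERSION}` in the `@@ -43,26 +45,28 @@` hunk change the spelling of the variables that the removed lines read as `env.latest_release_version` and `env.last_processed_version`, and the `check_release` step that sets them lies outside the hunk and is not touched by this commit. Expression-context property lookups are case-insensitive but shell expansion is not, so if `check_release` writes the lowercase names to `$GITHUB_ENV`, both new references expand to empty strings, the `-n` test fails and the step silently emits `update_needed=false` on every run. Either confirm that `check_release` exports the uppercase names, or give this step its own mapping so it no longer depends on the earlier step's spelling: `env:` / `LATEST_RELEASE_VERSION: ${{ env.latest_release_version }}` / `LAST_PROCESSED_VERSION: ${{ env.last_processed_version }}`. Adding `set -u` at the top of the script would also turn an unset variable into a visible failure instead of a quiet no-op.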

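--- a/.github/workflows/full-test.yml
+++ b/.github/workflows/full-test.yml
@@ -19,6 +19,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v6
+with:
+persist-credentials: false
 
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
@@ -98,5 +100,7 @@ jobs:
 run: |
 echo "## Container Test Summary" >> $GITHUB_STEP_SUMMARY
 echo "- **PR Number:** ${{ github.event.pull_request.number }}" >> $GITHUB_STEP_SUMMARY
-echo "- **Photon Version:** ${{ env.PHOTON_VERSION }}" >> $GITHUB_STEP_SUMMARY
-echo "- **Status:** ${{ job.status }}" >> $GITHUB_STEP_SUMMARY
+echo "- **Photon Version:** ${PHOTON_VERSION}" >> $GITHUB_STEP_SUMMARY
+echo "- **Status:** ${JOB_STATUS}" >> $GITHUB_STEP_SUMMARY
+env:
+JOB_STATUS: ${{ job.status }}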

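--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,6 +12,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
+with:
+persist-credentials: false
 - name: "Set up Python"
 uses: actions/setup-python@v6
 with:
@@ -36,6 +38,8 @@ jobs:
 needs: setup
 steps:
 - uses: actions/checkout@v6
+with:
+persist-credentials: false
 - name: "Set up Python"
 uses: actions/setup-python@v6
 with:
@@ -63,6 +67,8 @@ jobs:
 needs: setup
 steps:
 - uses: actions/checkout@v6
+with:
+persist-credentials: false
 - name: "Set up Python"
 uses: actions/setup-python@v6
 with:
@@ -87,6 +93,8 @@ jobs:
 needs: setup
 steps:
 - uses: actions/checkout@v6
+with:
+persist-credentials: false
 - name: "Set up Python"
 uses: actions/setup-python@v6
 with: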

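--- a/.github/workflows/pytest.yml
+++ b/.github/workflows/pytest.yml
@@ -16,6 +16,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
+with:
+persist-credentials: false
 
 - name: Set up Python
 uses: actions/setup-python@v6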

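--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v6
+with:
+persist-credentials: false
 
 - name: Run Release Drafter
 id: release-drafter
@@ -28,13 +30,14 @@ jobs:
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 DRAFT_BODY: ${{ steps.release-drafter.outputs.body }}
+STEPS_RELEASE_DRAFTER_OUTPUTS_ID: ${{ steps.release-drafter.outputs.id }}
 run: |
 PHOTON_VERSION=$(tr -d '[:space:]' < .last_release)
 {
 printf '%s' "$DRAFT_BODY"
 printf '\n\n---\n **[Photon release notes](https://github.com/komoot/photon/releases/tag/%s) (%s):** \n' \
 "$PHOTON_VERSION" "$PHOTON_VERSION"
 } > /tmp/new_body.txt
-gh api "repos/${{ github.repository }}/releases/${{ steps.release-drafter.outputs.id }}" \
+gh api "repos/${{ github.repository }}/releases/${STEPS_RELEASE_DRAFTER_OUTPUTS_ID}" \
 --method PATCH \
 --field body=@/tmp/new_body.txt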
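Review bot: In the `@@ -28,13 +30,14 @@` hunk the release id now comes from `${STEPS_RELEASE_DRAFTER_OUTPUTS_ID}`, but nothing checks that it is non-empty before `gh api "repos/${{ github.repository }}/releases/${STEPS_RELEASE_DRAFTER_OUTPUTS_ID}"`; if release-drafter produced no output the PATCH is sent to `.../releases/` and the step fails with an API error that does not say why. A guard ahead of the call makes the failure explicit: `[ -n "$STEPS_RELEASE_DRAFTER_OUTPUTS_ID" ] || { echo "release-drafter returned no release id" >&2; exit 1; }`. For consistency with the rest of the commit, `${{ github.repository }}` on the same line could be mapped through the step `env:` too, although the slug's restricted charset keeps it low-risk. The step's `name` and any `if:` condition sit above the hunk, so whether it is already gated on the drafter's outputs is not visible here.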
