Extend NRP build workflow to support creating/updating Github releases with artifacts #797

Open. Wants to merge 1 commit into base: main.
49 changes: 49 additions & 0 deletions .github/workflows/nrp-build.yml
Expand Up @@ -2,6 +2,11 @@ name: Build Azure Policy Packages

on:
workflow_dispatch:
inputs:
release:
description: 'Release name'
required: false
type: string

jobs:
package:
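Review bot: the `release` input added here is later used verbatim as a Git tag name (`tag_name:`) and spliced into a `run:` script, yet it is declared as a free-form `type: string` with `required: false` and no constraint on its value. Suggest tightening the description from 'Release name' to something like 'Release tag (e.g. v1.2.3-rc1)' and rejecting anything that is not a plain tag-safe string in the first step of the `release` job, so a stray or malicious dispatch input cannot create an odd ref or alter the script; alternatively, derive the tag from a version file in the repo and drop the free-form input altogether.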
Expand All @@ -19,3 +24,47 @@ jobs:
artifact: policy-packages
machine-config: true
release: true

release:
if: ${{ github.event.inputs.release }}
name: Release
needs: package
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- uses: actions/download-artifact@v4
with:
name: policy-packages

- name: Update json template
run: |
set -xe
asb_artifact=AzureLinuxBaseline.zip
asb_hash="$(sha256sum ${asb_artifact} | awk '{print $1}')"
asb_uri="https://github.com/${{ github.repository }}/releases/download/${{ github.event.inputs.release }}/${asb_artifact}"
asb_template=./src/adapters/mc/asb/AzureLinuxBaseline_DeployIfNotExists.json.tmpl
asb_output=./src/adapters/mc/asb/AzureLinuxBaseline_DeployIfNotExists.json

ssh_artifact=LinuxSshServerSecurityBaseline.zip
ssh_hash="$(sha256sum ${ssh_artifact} | awk '{print $1}')"
ssh_uri="https://github.com/${{ github.repository }}/releases/download/${{ github.event.inputs.release }}/${ssh_artifact}"
ssh_template=./src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json.tmpl
ssh_output=./src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json

sed -e "s|@HASH@|${asb_hash}|g" -e "s|@URI@|${asb_uri}|g" ${asb_template} > ${asb_output}
sed -e "s|@HASH@|${ssh_hash}|g" -e "s|@URI@|${ssh_uri}|g" ${ssh_template} > ${ssh_output}

- name: Create or update release with new artifacts
MariusNi marked this conversation as resolved.
uses: softprops/action-gh-release@v2
danielszot (Contributor), Nov 8, 2024:

@v2 is mutable AFAIK. I would opt for freezing it with a commit hash for security reasons.

Member Author:


Hmm, in the past I considered this overkill; it would need to be done for all actions, and we'd likely forget to keep them updated.

I'm interested in hearing more perspectives on this.

Member Author:


What I mean is: the attack vectors are supply chain attacks on the one hand and outdated vulnerable dependencies on the other. Dependabot might be able to help.

Contributor:


I love everything being hermetic and having an automated way of creating PRs with bumped-up dependencies for just a manual review.
It minimizes flakiness and maintains source code governance, so it positively impacts security.

I'm not going to insist here, of course. We don't have such automations here yet.

robertschaedler3 (Member), Nov 8, 2024:


In the past we have used gh release create to automate the release creation on GitHub as part of a script, since the "official" GitHub release action is no longer maintained (and to avoid using 3rd-party actions for publishing releases, which could result in supply chain attacks as you mentioned).

https://cli.github.com/manual/gh_release_create

For prerelease this seems fine to me though, we can revisit it later for official releases as needed.

Contributor:


+1 on using gh cli; I prefer that over 3p actions (albeit being mentioned on the official https://github.com/actions/create-release action), but won't block on it.

Member Author:


I'll give it a try (hopefully next week).

with:
tag_name: ${{ github.event.inputs.release }}
target_commitish: ${{ github.sha }}
prerelease: true
body: |
Azure Policy Packages built from ${{ github.sha }} ${{ github.ref_name }}
files: |
AzureLinuxBaseline.zip
LinuxSshServerSecurityBaseline.zip
./src/adapters/mc/asb/AzureLinuxBaseline_DeployIfNotExists.json
./src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json
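Review bot: `${{ github.event.inputs.release }}` is substituted into the `run:` script text before bash ever sees it, at the `asb_uri=` and `ssh_uri=` lines, so a release name such as `v1"; id #` runs as a command in a job whose token can publish releases (GitHub Actions expression injection). Move the value into the environment and reference it as a shell variable instead: put `env: RELEASE: ${{ github.event.inputs.release }}` on the step and write `asb_uri="https://github.com/${GITHUB_REPOSITORY}/releases/download/${RELEASE}/${asb_artifact}"` in the script, which keeps the input as data rather than code. Two smaller points in the same job: `uses: softprops/action-gh-release@v2` is a mutable tag, as the thread notes, so pin the full commit SHA with the version in a trailing comment if the action stays; and no `permissions:` block is visible in this diff even though the job needs `contents: write` to create the release, so declare that on the `release` job alone rather than relying on the workflow-wide default token.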
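The thread above leaves two threads open: robertschaedler3's suggestion to publish with `gh release create` instead of a third-party action, and the way the release name from `workflow_dispatch` is interpolated into the `run:` script in the hunk. The script below is an added example, not code from the PR or the project, showing one way to do both: the release name arrives as a plain argument or environment variable (never via `${{ }}` inside the script), is validated as a tag-safe string, the `@HASH@`/`@URI@` templates from the PR are rendered, and the release is created or its assets replaced with the GitHub CLI. It assumes `gh` is installed and authenticated with a token holding `contents: write`, that the artifacts sit in the working directory as in the PR, and that the `.tmpl` files carry the same placeholders as in the hunk. The `validate_release_name`, `render_template`, `publish_release` and `release_main` function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not part of the PR or the project): create-or-update a GitHub
# release with the gh CLI, taking the release name as data, not script text.
# Assumes: gh installed and authenticated (GH_TOKEN with contents:write),
# artifacts in the current directory, templates with @HASH@ / @URI@ markers.
set -eu

# Accept only tag-like names: letters, digits, dot, underscore, hyphen.
# Rejects the empty string, anything starting with '-' (looks like a flag),
# and any shell metacharacter, path separator or whitespace.
validate_release_name() {
  case "$1" in
    ''|-*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$'
}

# Hex SHA-256 digest of a file.
artifact_sha256() {
  sha256sum "$1" | awk '{print $1}'
}

# Render a DeployIfNotExists template.
# Args: repo release artifact template output. Prints the hash it wrote.
render_template() {
  local repo="$1" release="$2" artifact="$3" template="$4" output="$5"
  local hash uri
  hash="$(artifact_sha256 "$artifact")"
  uri="https://github.com/${repo}/releases/download/${release}/$(basename "$artifact")"
  # '|' is the sed delimiter; the hash is hex and the release name has been
  # validated by the caller, so neither value can contain it.
  sed -e "s|@HASH@|${hash}|g" -e "s|@URI@|${uri}|g" "$template" > "$output"
  printf '%s\n' "$hash"
}

# Create the release if it does not exist, otherwise replace its assets.
# Args: repo release commit-sha files...
publish_release() {
  local repo="$1" release="$2" sha="$3"
  shift 3
  if gh release view "$release" --repo "$repo" >/dev/null 2>&1; then
    gh release upload "$release" "$@" --repo "$repo" --clobber
  else
    gh release create "$release" "$@" --repo "$repo" --prerelease \
      --target "$sha" --title "$release" \
      --notes "Azure Policy Packages built from ${sha}"
  fi
}

# Glue matching the PR's release job: validate, render both templates, publish.
# Args: repo release commit-sha
release_main() {
  local repo="$1" release="$2" sha="$3"
  validate_release_name "$release" || {
    echo "refusing release name: $release" >&2
    return 2
  }
  render_template "$repo" "$release" AzureLinuxBaseline.zip \
    src/adapters/mc/asb/AzureLinuxBaseline_DeployIfNotExists.json.tmpl \
    src/adapters/mc/asb/AzureLinuxBaseline_DeployIfNotExists.json >/dev/null
  render_template "$repo" "$release" LinuxSshServerSecurityBaseline.zip \
    src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json.tmpl \
    src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json >/dev/null
  publish_release "$repo" "$release" "$sha" \
    AzureLinuxBaseline.zip LinuxSshServerSecurityBaseline.zip \
    src/adapters/mc/asb/AzureLinuxBaseline_DeployIfNotExists.json \
    src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json
}
```

In the workflow the step would set `env: RELEASE: ${{ github.event.inputs.release }}` and run `. ./release.sh && release_main "$GITHUB_REPOSITORY" "$RELEASE" "$GITHUB_SHA"`, so the dispatch input only ever reaches the shell as the contents of a variable. `gh release upload --clobber` gives the "update" half of create-or-update without a second code path, and because the hash is computed from the same file that is uploaded, the policy JSON published alongside the zip always refers to the exact asset at that URI.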