
Feat: Harden GHA workflows #335

Merged
merged 60 commits into from
Sep 18, 2023

Conversation

@TylerHendrickson (Member) commented Sep 14, 2023

Description

This PR refactors much of the existing GitHub Actions workflows and Terraform Lambda configurations to provide the following enhancements:

  • Allow using prebuilt (i.e. from an earlier step) Lambda handler binaries instead. Previously Terraform would always ask for a new Lambda to be built, relying on Taskfile to skip preexisting Lambdas. Now, the behavior of whether Terraform requires an existing build is configurable – allowing us to expect that handler binaries already exist in CI environments (in dev environments, the previous "autobuild" behavior still works).
  • Standardize the build+plan+deploy process with reusable workflows that are executed in both CI (pull request review) and CD (i.e. deploy to Staging when main is pushed & deploy to Production when a release is tagged) contexts. These changes remove quite a bit of duplicated code and allow for repeatability.
  • Scope each reusable workflow and its jobs to only the permissions required for successful execution. In particular, this reduces the attack surface of the repository by disallowing untrusted code (that is, unreviewed code from an external contributor submitted via a forked PR) from executing in a privileged environment. Combined with repository configurations, this enforces the following security posture:
    • PRs from active maintainers (members of the developer team, including active volunteers and USDR staff members) will always run CI steps without requiring admin approval.
    • PRs from outside contributors require approval for workflows to run.
    • Forked PRs can run all CI steps after any/all initial approvals (see above) have been granted for the PR. Previously, terraform plan PRs would always fail for forked PRs.
    • PR-triggered workflows that check out code only run with read-only permissions.
    • Workflow egress is limited to explicitly-allowed domains.
    • Workflows are additionally monitored with the step-security/harden-runner action.
  • Executable deployment artifacts (e.g. Lambda handlers) are packed using upx, making them much smaller (153M vs 340M for all Lambda handlers), which primarily speeds up uploads.
  • Artifact retention periods are now as follows (note: this only affects artifacts stored in GitHub; AWS may retain artifacts according to separately-maintained rules):
    • Artifacts created for PRs during CI jobs are retained for 14 days.
    • Artifacts created for Staging deployments are retained for 30 days.
    • Artifacts created for Production deployments are retained for 90 days (GitHub maximum).

Testing

As with most GitHub Actions changes, testing is complicated. It's probably sufficient to review the most recent workflow executions from this branch.

Checklist

  • Provided ticket and description
  • Provided testing information
  • Provided adequate test coverage for all new code
  • Added PR reviewers

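The following is an added illustration of the permissions and egress posture described in the PR summary above; it is not taken from the project's workflow files. The file names, action versions, allowed endpoints, the `task build` invocation and the artifact path are assumptions chosen for the example. The first document is a reusable workflow that defaults every job to a read-only `GITHUB_TOKEN` and runs step-security/harden-runner as its first step so that all later network egress is limited to an explicit allow-list; the second is a pull-request caller that grants nothing by default and opts each job in to the minimum it needs.

```yaml
# Added example, not the project's own workflow. File names, versions and
# endpoints below are assumptions for illustration.

# .github/workflows/_build.yml  (reusable workflow; hypothetical file name)
name: build
on:
  workflow_call:
    inputs:
      ref:
        description: Commit to check out and build
        required: true
        type: string

# Default for every job in this file: the GITHUB_TOKEN can only read the repo.
# A job must opt in explicitly to anything broader.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Runs first so every later step's network activity is monitored.
      # "audit" only records egress; "block" refuses anything not listed.
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            sum.golang.org:443

      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      # Build step is an assumption (the PR mentions Taskfile, not this target).
      - run: task build

      - uses: actions/upload-artifact@v4
        with:
          name: lambda-handlers
          path: bin/
          retention-days: 14   # CI artifact retention described in the PR

---
# .github/workflows/ci.yml  (pull-request caller; hypothetical file name)
name: ci
on:
  # pull_request (not pull_request_target): a PR from a fork runs with a
  # read-only GITHUB_TOKEN and no repository secrets, and with the repo's
  # "require approval" setting it does not run at all until a maintainer
  # approves it.
  pull_request:

# The caller grants no permissions by default; each job opts in.
permissions: {}

jobs:
  build:
    uses: ./.github/workflows/_build.yml
    permissions:
      contents: read
    with:
      ref: ${{ github.event.pull_request.head.sha }}
```

A caller can only narrow the permissions of a reusable workflow, never widen them, so keeping `permissions: {}` at the top of the caller and `contents: read` at the top of the callee means any job that needs more must say so at its own level, where it is visible in review.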
@TylerHendrickson TylerHendrickson changed the title Feat/harden gha workflows Feat: Harden GHA workflows Sep 18, 2023
@TylerHendrickson TylerHendrickson self-assigned this Sep 18, 2023
@TylerHendrickson (Member, Author) commented:

Note to reviewer(s): Certain workflows listed as "Required Checks" for this PR will show as pending because of the refactored workflows – new workflows don't yet exist on main, but extant workflows marked as "required" in GitHub repo settings no longer exist on this branch. Once the PR is merged (and the relevant workflows exist on main), repo settings will be updated to reflect the correct requirements.

@TylerHendrickson TylerHendrickson marked this pull request as ready for review September 18, 2023 20:24
@TylerHendrickson TylerHendrickson requested a review from a team as a code owner September 18, 2023 20:24
Labels: enhancement (New feature or request), github (Repository automation and configuration), terraform (Pull requests that update Terraform code)