Skip to content

Commit

Permalink
Merge pull request #4 from cdapio/sec-vuln-fix-develop
Browse files Browse the repository at this point in the history
[Security Vulnerability] Run build with unit tests without elevated permissions
  • Loading branch information
itsankit-google authored Sep 13, 2024
2 parents 8ba7069 + f0fb955 commit b3628b8
Show file tree
Hide file tree
Showing 4 changed files with 332 additions and 439 deletions.
51 changes: 51 additions & 0 deletions .github/workflows/build-report.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
# Copyright © 2024 Cask Data, Inc.
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.

# This workflow will build a Java project with Maven
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
# Note: Any changes to this workflow would be used only after merging into develop
name: Build Unit Tests Report

on:
workflow_run:
workflows:
- Build with unit tests
types:
- completed

jobs:
build:
runs-on: ubuntu-latest

if: ${{ github.event.workflow_run.conclusion != 'skipped' }}

steps:
# Pinned 1.0.0 version
- uses: marocchino/action-workflow_run-status@54b6e87d6cb552fc5f36dbe9a722a6048725917a

- name: Download artifact
uses: actions/download-artifact@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
path: artifacts/

- name: Surefire Report
# Pinned 3.5.2 version
uses: mikepenz/action-junit-report@16a9560bd02f11e7e3bf6b3e2ef6bba6c9d07c32
if: always()
with:
report_paths: '**/target/surefire-reports/TEST-*.xml'
github_token: ${{ secrets.GITHUB_TOKEN }}
detailed_summary: true
commit: ${{ github.event.workflow_run.head_sha }}
check_name: Build Test Report

40 changes: 19 additions & 21 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,21 +15,28 @@
name: Build with unit tests

on:
workflow_run:
workflows:
- Trigger build
types:
- completed
push:
branches: [ develop, release/** ]
pull_request:
branches: [ develop, release/** ]
types: [opened, synchronize, reopened, labeled]

jobs:
build:
runs-on: k8s-runner-build

if: ${{ github.event.workflow_run.conclusion != 'skipped' }}

# We allow builds:
# 1) When it's a merge into a branch
# 2) For PRs that are labeled as build and
# - It's a code change
# - A build label was just added
# A bit complex, but prevents builds when other labels are manipulated
if: >
github.event_name == 'push'
|| (contains(github.event.pull_request.labels.*.name, 'build')
&& (github.event.action != 'labeled' || github.event.label.name == 'build')
)
steps:
# Pinned 1.0.0 version
- uses: haya14busa/action-workflow_run-status@967ed83efa565c257675ed70cfe5231f062ddd94
- uses: actions/checkout@v3
with:
ref: ${{ github.event.workflow_run.head_sha }}
Expand All @@ -44,23 +51,14 @@ jobs:
- name: Build with Maven
run: mvn clean test -fae -T 2 -B -V -DcloudBuild -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=25
- name: Archive build artifacts
uses: actions/upload-artifact@v2.2.2
uses: actions/upload-artifact@v4
if: always()
with:
name: Build debug files
name: reports-${{ github.run_id }}
path: |
**/target/rat.txt
**/target/surefire-reports/*
- name: Surefire Report
# Pinned 3.5.2 version
uses: mikepenz/action-junit-report@16a9560bd02f11e7e3bf6b3e2ef6bba6c9d07c32
if: always()
with:
report_paths: '**/target/surefire-reports/TEST-*.xml'
github_token: ${{ secrets.GITHUB_TOKEN }}
detailed_summary: true
commit: ${{ github.event.workflow_run.head_sha }}
check_name: Test Report
- name: Checkstyle report
uses: tivv/checkstyle-github-action@fcf8ffb7c6a5c110bbc5dafb84aca54caf359b80
if: always()
Expand Down
47 changes: 0 additions & 47 deletions .github/workflows/trigger.yml

This file was deleted.

Loading

0 comments on commit b3628b8

Please sign in to comment.