From 069eefa449d97e95d920917453485eeed1f0d4e7 Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Fri, 7 Jun 2024 09:15:02 -0500 Subject: [PATCH 01/13] gha: update to actions/checkout@v4 to resolve warning: > Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: actions/checkout@v3. (cherry picked from commit d79b2f0b4690047aaaf8af5d50d05fac2db16a08) Conflicts: .github/workflows/lint-cpp.yml .github/workflows/lint-includes.yml .github/workflows/lint-python.yml .github/workflows/lint-sh.yml resolved conflict by deleting these files because they do not exist in v23.2.x branch --- .github/workflows/backport-command.yml | 6 +++--- .github/workflows/backport-on-merge.yml | 2 +- .github/workflows/buildkite-slash-commands.yml | 2 +- .github/workflows/cloud-installpack-bk-trigger.yml | 2 +- .github/workflows/rp-storage-tool-checks.yml | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/backport-command.yml b/.github/workflows/backport-command.yml index aac81e7279ec..77d7e891ed20 100644 --- a/.github/workflows/backport-command.yml +++ b/.github/workflows/backport-command.yml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Get type of backport (issue or PR) env: @@ -62,7 +62,7 @@ jobs: BACKPORT_BRANCH: ${{ needs.backport-type.outputs.backport_branch }} steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Get user env: @@ -117,7 +117,7 @@ jobs: backport_commits=$(gh api "repos/$TARGET_FULL_REPO/pulls/$BACKPORT_PR_NUMBER/commits" --jq .[].sha | paste -s -d ' ' -) echo ::set-output name=backport_commits::$backport_commits - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 if: needs.backport-type.outputs.commented_on == 'pr' with: repository: ${{ steps.user.outputs.username }}/${{ steps.user.outputs.repo }} 
diff --git a/.github/workflows/backport-on-merge.yml b/.github/workflows/backport-on-merge.yml index 05ead7ab61bb..72f7394097f6 100644 --- a/.github/workflows/backport-on-merge.yml +++ b/.github/workflows/backport-on-merge.yml @@ -17,7 +17,7 @@ jobs: steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Find the PR associated with this push, if there is one. - uses: jwalton/gh-find-current-pr@v1 diff --git a/.github/workflows/buildkite-slash-commands.yml b/.github/workflows/buildkite-slash-commands.yml index 223f06f3128f..477a71b9d720 100644 --- a/.github/workflows/buildkite-slash-commands.yml +++ b/.github/workflows/buildkite-slash-commands.yml @@ -10,7 +10,7 @@ jobs: run-build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: redpanda-data/sparse-checkout token: ${{ secrets.ACTIONS_BOT_TOKEN }} diff --git a/.github/workflows/cloud-installpack-bk-trigger.yml b/.github/workflows/cloud-installpack-bk-trigger.yml index 8881338dbdab..62f5fad67a60 100644 --- a/.github/workflows/cloud-installpack-bk-trigger.yml +++ b/.github/workflows/cloud-installpack-bk-trigger.yml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: redpanda-data/sparse-checkout token: ${{ secrets.ACTIONS_BOT_TOKEN }} diff --git a/.github/workflows/rp-storage-tool-checks.yml b/.github/workflows/rp-storage-tool-checks.yml index 87e9a4c0b67f..c96dd5f6a162 100644 --- a/.github/workflows/rp-storage-tool-checks.yml +++ b/.github/workflows/rp-storage-tool-checks.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout sources - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Install stable toolchain uses: actions-rs/toolchain@v1 with: 
@@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout sources - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Install stable toolchain uses: actions-rs/toolchain@v1 From 1fd66782e143d5ed91c90f291d13ddb646733390 Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Fri, 7 Jun 2024 09:19:49 -0500 Subject: [PATCH 02/13] gha: update backport-command to use aws sm (cherry picked from commit 0be664da8ba3e5ebcee5c7e054cf2511d36ea282) --- .github/workflows/backport-command.yml | 42 +++++++++++++++++--------- 1 file changed, 28 insertions(+), 14 deletions(-) diff --git a/.github/workflows/backport-command.yml b/.github/workflows/backport-command.yml index 77d7e891ed20..e02c7456a80b 100644 --- a/.github/workflows/backport-command.yml +++ b/.github/workflows/backport-command.yml @@ -27,9 +27,23 @@ jobs: - name: checkout uses: actions/checkout@v4 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + parse-json-secrets: true + - name: Get type of backport (issue or PR) env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} CLIENT_PAYLOAD: ${{ toJson(github.event.client_payload) }} id: get_backport_type run: $SCRIPT_DIR/get_backport_type.sh @@ -39,7 +53,7 @@ jobs: uses: peter-evans/create-or-update-comment@v1 if: failure() with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} comment-id: ${{ github.event.client_payload.github.payload.comment.id }} reaction-type: "-1" 
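Review bot: The new `configure aws credentials` step in `.github/workflows/backport-command.yml` authenticates with long-lived static keys (`secrets.AWS_SM_READONLY_ACCESS_KEY_ID` / `secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY`) even though `aws-actions/configure-aws-credentials@v4` supports `role-to-assume` via GitHub OIDC (job `permissions: id-token: write`), which leaves no reusable AWS key sitting in the repository secrets to be exfiltrated. The identical pair of steps is added to `backport-on-merge.yml`, `buildkite-slash-commands.yml`, `cloud-installpack-bk-trigger.yml`, `promote.yml` and `slash-commands.yml` later in this series, so the same remark applies to each of them. Both new third-party actions are pinned only to moving major tags (`@v4`, `@v2`); the usual supply-chain hardening is a full commit SHA with the tag in a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4`. With `parse-json-secrets: true` and the leading `,` in `secret-ids` (which appears to be the action's no-prefix form, given that the result is referenced as `env.ACTIONS_BOT_TOKEN`), the token becomes a job-wide environment variable readable by every subsequent step, including third-party actions and the scripts run from `$SCRIPT_DIR`, whereas `secrets.ACTIONS_BOT_TOKEN` was previously handed only to the steps that named it. A one-line comment above `secret-ids` such as `# leading comma = no env-var prefix; the JSON keys become env vars (ACTIONS_BOT_TOKEN)` would document the convention that all the `env.ACTIONS_BOT_TOKEN` references below depend on.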
@@ -48,7 +62,7 @@ jobs: if: failure() env: COMMENTED_ON: ${{ steps.get_backport_type.outputs.commented_on }} - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} run: $SCRIPT_DIR/post_error.sh shell: bash @@ -66,7 +80,7 @@ jobs: - name: Get user env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} id: user run: | username=$(gh api user --jq .login) @@ -82,7 +96,7 @@ jobs: - name: Discover and create milestone env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} TARGET_MILESTONE: ${{ needs.backport-type.outputs.target_milestone }} id: create_milestone run: $SCRIPT_DIR/create_milestone.sh @@ -91,7 +105,7 @@ jobs: - name: Create issue if: needs.backport-type.outputs.commented_on == 'issue' env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} TARGET_MILESTONE: ${{ steps.create_milestone.outputs.milestone }} ORIG_TITLE: ${{ github.event.client_payload.github.payload.issue.title }} ORIG_LABELS: ${{ toJson(github.event.client_payload.github.payload.issue.labels) }} @@ -111,7 +125,7 @@ jobs: if: needs.backport-type.outputs.commented_on == 'pr' env: BACKPORT_PR_NUMBER: ${{ github.event.client_payload.pull_request.number }} - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} id: backport_commits run: | backport_commits=$(gh api "repos/$TARGET_FULL_REPO/pulls/$BACKPORT_PR_NUMBER/commits" --jq .[].sha | paste -s -d ' ' -) 
@@ -121,13 +135,13 @@ jobs: if: needs.backport-type.outputs.commented_on == 'pr' with: repository: ${{ steps.user.outputs.username }}/${{ steps.user.outputs.repo }} - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} path: ./fork - name: Backport commits and get details if: needs.backport-type.outputs.commented_on == 'pr' env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} ORIG_TITLE: ${{ github.event.client_payload.github.payload.issue.title }} BACKPORT_COMMITS: ${{ steps.backport_commits.outputs.backport_commits }} IS_MERGED: ${{ github.event.client_payload.pull_request.merged }} @@ -142,7 +156,7 @@ jobs: - name: Create pull request if: needs.backport-type.outputs.commented_on == 'pr' env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} TARGET_MILESTONE: ${{ steps.create_milestone.outputs.milestone }} ORIG_TITLE: ${{ github.event.client_payload.github.payload.issue.title }} ORIG_REVIEWERS: ${{ steps.reviewers.outputs.reviewers }} @@ -158,7 +172,7 @@ jobs: - name: Add reaction uses: peter-evans/create-or-update-comment@v1 with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} comment-id: ${{ github.event.client_payload.github.payload.comment.id }} reaction-type: hooray @@ -167,7 +181,7 @@ jobs: uses: peter-evans/create-or-update-comment@v1 if: failure() with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} comment-id: ${{ github.event.client_payload.github.payload.comment.id }} reaction-type: "-1" 
@@ -176,14 +190,14 @@ jobs: if: failure() env: COMMENTED_ON: ${{ needs.backport-type.outputs.commented_on }} - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} run: $SCRIPT_DIR/post_error.sh shell: bash - name: Create Issue On Error if: failure() env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} TARGET_MILESTONE: ${{ steps.create_milestone.outputs.milestone }} ORIG_TITLE: ${{ github.event.client_payload.github.payload.issue.title }} ORIG_LABELS: ${{ toJson(github.event.client_payload.github.payload.issue.labels) }} From 81be12cc5e43d89f1f0a5e025d48703d34174e8e Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Fri, 7 Jun 2024 09:30:58 -0500 Subject: [PATCH 03/13] gha: remove old-backports.yml Looks like this worklfow is not needed because it has been disabled for over 1 year: https://github.com/redpanda-data/redpanda/actions/workflows/old-backports.yml (cherry picked from commit 4573b5879bfdb1c6fd64d770389cb06288a67668) --- .github/workflows/old-backports.yml | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 .github/workflows/old-backports.yml diff --git a/.github/workflows/old-backports.yml b/.github/workflows/old-backports.yml deleted file mode 100644 index f1929f208f29..000000000000 --- a/.github/workflows/old-backports.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: old-backports -on: - schedule: - - cron: '*/10 * * * *' -jobs: - alert-on-abandoned-backports: - outputs: - OUTPUT: ${{ steps.get-output.outputs.OUTPUT }} - runs-on: ubuntu-latest - - steps: - - name: Get output - id: get-output - run: | - echo OUTPUT=$(gh search issues --label "kind/backport" --state open --repo "redpanda-data/redpanda" --updated "<`date --date="15 days ago" +"%Y"-"%m"-"%d"`" --sort updated --order asc --limit 15 --json "assignees,updatedAt,url" --jq '.[] | "@" + (.assignees[] | {login} | .login), .url, .updatedAt,"----"') >>"$GITHUB_OUTPUT" - shell: bash - - - name: "Post to a test channel (temporary)" - id: send-slack-message - uses: slackapi/slack-github-action@v1.24.0 - with: - channel-id: "C05DHDW4VCL" - slack-message: "Test: ${{ steps.get-output.outputs.OUTPUT }}" - env: - SLACK_BOT_TOKEN: ${{ secrets.VBOTBUILDOVICH_SLACK_BOT_TOKEN }} From 2495fced96e884dcf0dcc6586d9971b2f48241ac Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Fri, 7 Jun 2024 09:35:21 -0500 Subject: [PATCH 04/13] gha: remove unused packages-created.yml It does not look like this worklfow is used because no history of it running: https://github.com/redpanda-data/redpanda/actions/workflows/packages-created.yml (cherry picked from commit d548a72b942780c520148729f6c4029f7c42a2bb) --- .github/workflows/packages-created.yml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 .github/workflows/packages-created.yml diff --git a/.github/workflows/packages-created.yml b/.github/workflows/packages-created.yml deleted file mode 100644 index 7d933822722b..000000000000 --- a/.github/workflows/packages-created.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -name: package_creation_handler -on: - repository_dispatch: - types: [packages-created] - -jobs: - package_creation_handler: - runs-on: ubuntu-20.04 - - steps: - - name: Notify PR - uses: peter-evans/create-or-update-comment@v1 - with: - token: ${{ secrets.VTOOLS_GITHUB_API_TOKEN }} - issue-number: ${{ github.event.client_payload.pr_number }} - body: | - Packages created for ${{ github.event.client_payload.ref }} - Tests requiring them can now be run. Try: - `/chaos-test` or `/ducktape` - if: ${{ github.event.client_payload.pr_number }} From 5b73e0e21d155568f56493e45e4185a0299029c0 Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Fri, 7 Jun 2024 09:37:32 -0500 Subject: [PATCH 05/13] gha: remove unused render-draft-release-notes.yml No history of workflow runs since disabled: https://github.com/redpanda-data/redpanda/actions/workflows/render-draft-release-notes.yml (cherry picked from commit 316d46e71c021c42ee3d95d07a185c8b604d78fe) --- .../workflows/render-draft-release-notes.yml | 48 ------------------- 1 file changed, 48 deletions(-) delete mode 100644 .github/workflows/render-draft-release-notes.yml diff --git a/.github/workflows/render-draft-release-notes.yml b/.github/workflows/render-draft-release-notes.yml deleted file mode 100644 index 4d7ea20148b1..000000000000 --- a/.github/workflows/render-draft-release-notes.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -name: Render Draft Release Notes -on: - push: - branches: [ dev, 'v[0-9]+.[0-9]+.x' ] -jobs: - render: - runs-on: ubuntu-latest - steps: - - name: Curl rpchangelog - run: | - mkdir -v -p rpchangelog - curl -s -S -f -L -o rpchangelog/requirements.txt https://vectorized-public.s3.us-west-2.amazonaws.com/rpchangelog/requirements.txt - curl -s -S -f -L -o rpchangelog/rpchangelog.py https://vectorized-public.s3.us-west-2.amazonaws.com/rpchangelog/rpchangelog.py - chmod +x rpchangelog/rpchangelog.py - - uses: actions/setup-python@v4 - with: - python-version: '3.10' - cache: 'pip' - - run: pip3 install -r ./rpchangelog/requirements.txt - - name: Render draft release notes to job summary - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - if [[ $GITHUB_REF_NAME == 'dev' ]]; then - PREVIOUS_TAG_NAME=$(gh -R "$GITHUB_REPOSITORY_OWNER/redpanda" release list --exclude-drafts -L 1 | tail -1 | cut -f1) - YEAR_VER=$(echo "$PREVIOUS_TAG_NAME" | cut -d. -f1) - FEATURE_VER=$(echo "$PREVIOUS_TAG_NAME" | cut -d. -f2) - TAG_NAME="$YEAR_VER.$((FEATURE_VER+1)).1" - else - # e.g. GITHUB_REF_NAME=v22.3.x - SEARCH_PATTERN=${GITHUB_REF_NAME::-1} - PREVIOUS_TAG_NAME=$(gh -R "$GITHUB_REPOSITORY_OWNER/redpanda" release list --exclude-drafts | grep "$SEARCH_PATTERN" | head -1 | cut -f1) - YEAR_VER=$(echo "$PREVIOUS_TAG_NAME" | cut -d. -f1) - FEATURE_VER=$(echo "$PREVIOUS_TAG_NAME" | cut -d. -f2) - PATCH_VER=$(echo "$PREVIOUS_TAG_NAME" | cut -d. 
-f3) - TAG_NAME="$YEAR_VER.$FEATURE_VER.$((PATCH_VER+1))" - fi - ./rpchangelog/rpchangelog.py --log-level=DEBUG --github-owner="$GITHUB_REPOSITORY_OWNER" rel "$TAG_NAME" "$GITHUB_REF_NAME" "$PREVIOUS_TAG_NAME" >> "$GITHUB_STEP_SUMMARY" - LINK_TO_SUMMARY="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" - FINAL_MSG="View rendered draft release notes in the job summary: $LINK_TO_SUMMARY" - if grep -q '## Unclear' "$GITHUB_STEP_SUMMARY"; then - echo '❌ Release Notes Unclear' - echo $FINAL_MSG - exit 1 - else - echo '✔ Release Notes Clear' - echo $FINAL_MSG - fi From 2e065a9407513502081d014dd5b3557d4e1691ba Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Fri, 7 Jun 2024 09:38:57 -0500 Subject: [PATCH 06/13] gha: remove unused slack-messages.yml Disabled worklfow has no history of workflow run: https://github.com/redpanda-data/redpanda/actions/workflows/slack-messages.yml (cherry picked from commit 1755ddaad80de66dea463b1435177b395b2b80b0) --- .github/workflows/slack-messages.yml | 41 ---------------------------- 1 file changed, 41 deletions(-) delete mode 100644 .github/workflows/slack-messages.yml diff --git a/.github/workflows/slack-messages.yml b/.github/workflows/slack-messages.yml deleted file mode 100644 index 3a4ed5c20df6..000000000000 --- a/.github/workflows/slack-messages.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -name: Release Slack Message -on: - release: - types: [published] - -env: - MESSAGE: "Redpanda release ${{ github.event.release.tag_name }} has been published: ${{ github.event.release.html_url }}" - -jobs: - post-slack-message: - name: Post Slack Message - runs-on: ubuntu-latest - steps: - - - name: "Post to internal #releases channel" - id: internal_releases - uses: slackapi/slack-github-action@v1.18.0 - with: - channel-id: ${{ secrets.INTERNAL_RELEASES_SLACK_CHANNEL }} - slack-message: ${{ env.MESSAGE }} - env: - SLACK_BOT_TOKEN: ${{ secrets.VBOTBUILDOVICH_SLACK_BOT_TOKEN }} - - - name: "Post to internal #general channel" - id: internal_general - uses: slackapi/slack-github-action@v1.18.0 - with: - channel-id: ${{ secrets.INTERNAL_GENERAL_SLACK_CHANNEL }} - slack-message: ${{ env.MESSAGE }} - env: - SLACK_BOT_TOKEN: ${{ secrets.VBOTBUILDOVICH_SLACK_BOT_TOKEN }} - - - name: "Post to community #releases channel" - id: community_releases - uses: slackapi/slack-github-action@v1.18.0 - with: - channel-id: C034RDJLC31 - slack-message: ${{ env.MESSAGE }} - env: - SLACK_BOT_TOKEN: ${{ secrets.BUILDERBOT_COMMUNITY_SLACK_BOT_TOKEN }} - From ab6ce789640ea6e07fcaa2f7399608c54ea90155 Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Fri, 7 Jun 2024 09:48:27 -0500 Subject: [PATCH 07/13] gha: update backport-on-merge to use aws sm (cherry picked from commit 71facd46774b70acb5018c5f31b5c173b891af77) --- .github/workflows/backport-on-merge.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/backport-on-merge.yml b/.github/workflows/backport-on-merge.yml index 72f7394097f6..c00d35963ce4 100644 --- a/.github/workflows/backport-on-merge.yml +++ b/.github/workflows/backport-on-merge.yml 
@@ -29,10 +29,21 @@ jobs: if: success() && steps.findPr.outputs.number env: PR: ${{ steps.findPr.outputs.pr }} - + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + parse-json-secrets: true - name: Backport On Merge env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} id: extract_required_backports_from_pr_body run: $SCRIPT_DIR/backport_on_merge.sh shell: bash From 2da249c88b3ea7f3ddff932e0ce039d98377a3db Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Fri, 7 Jun 2024 09:50:11 -0500 Subject: [PATCH 08/13] gha: update buildkite-slash-commands to use aws sm (cherry picked from commit f58855424f2fb64818cba2b4f5397bde2fff7064) --- .../workflows/buildkite-slash-commands.yml | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/.github/workflows/buildkite-slash-commands.yml b/.github/workflows/buildkite-slash-commands.yml index 477a71b9d720..45abe7e52dff 100644 --- a/.github/workflows/buildkite-slash-commands.yml +++ b/.github/workflows/buildkite-slash-commands.yml 
@@ -10,23 +10,38 @@ jobs: run-build: runs-on: ubuntu-latest steps: + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + ,sdlc/prod/github/buildkite_token + parse-json-secrets: true + - uses: actions/checkout@v4 with: repository: redpanda-data/sparse-checkout - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} path: sparse-checkout - uses: ./sparse-checkout with: repository: redpanda-data/vtools - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} patterns: actions path: ghca - name: Buildkite slash command action uses: ./ghca/actions/buildkite-slash-commands with: - buildkite_token: ${{ secrets.BUILDKITE_TOKEN }} + buildkite_token: ${{ env.BUILDKITE_TOKEN }} buildkite_org: redpanda buildkite_pipeline: redpanda command: ${{ github.event.client_payload.slash_command.command }} @@ -34,7 +49,7 @@ jobs: - name: Success reaction uses: peter-evans/create-or-update-comment@v2 with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} comment-id: ${{ github.event.client_payload.github.payload.comment.id }} reaction-type: hooray @@ -43,5 +58,5 @@ jobs: if: failure() uses: ./ghca/actions/slash-command-error with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} body: ${{ env.ERROR_MSG }} From 5329e13cd6b76212bc8bc80e61837ada04ea6a06 Mon Sep 17 00:00:00 2001 
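Review bot: In `.github/workflows/buildkite-slash-commands.yml` the `get secrets from aws sm` step now exports `BUILDKITE_TOKEN` into the job environment before the `./sparse-checkout` and `./ghca/actions/buildkite-slash-commands` steps run, so code checked out from `redpanda-data/sparse-checkout` and `redpanda-data/vtools` can read a Buildkite API token that the previous version passed only to the final step as `secrets.BUILDKITE_TOKEN`. Neither checkout in the hunk shows a `ref`, so presumably both track a default branch, which means the set of code with access to that token is mutable rather than reviewed at a fixed revision; `cloud-installpack-bk-trigger.yml` in the next patch has the same ordering. Pinning the `actions/checkout@v4` of `redpanda-data/sparse-checkout` with `ref: <commit-sha>` (and the vtools checkout likewise, if the sparse-checkout action accepts a ref input) keeps the environment-holding code fixed; alternatively, a comment above the fetch step such as `# exports ACTIONS_BOT_TOKEN and BUILDKITE_TOKEN to every later step in this job` would at least make the widened scope explicit to the next maintainer.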
From: Andrew Hsu Date: Fri, 7 Jun 2024 09:51:27 -0500 Subject: [PATCH 09/13] gha: update cloud-installpack-bk-trigger to use aws sm (cherry picked from commit f420b5fa11d1f3b8fc08a243fe189fa23a48b0b2) --- .../cloud-installpack-bk-trigger.yml | 21 ++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cloud-installpack-bk-trigger.yml b/.github/workflows/cloud-installpack-bk-trigger.yml index 62f5fad67a60..a81b60a78b51 100644 --- a/.github/workflows/cloud-installpack-bk-trigger.yml +++ b/.github/workflows/cloud-installpack-bk-trigger.yml @@ -8,23 +8,38 @@ jobs: runs-on: ubuntu-latest steps: + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + ,sdlc/prod/github/buildkite_token + parse-json-secrets: true + - uses: actions/checkout@v4 with: repository: redpanda-data/sparse-checkout - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} path: sparse-checkout - uses: ./sparse-checkout with: repository: redpanda-data/vtools - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} patterns: actions path: ghca - name: Trigger Versions Bump Buildkite Job uses: ./ghca/actions/buildkite-pipeline-trigger with: - buildkite_token: ${{ secrets.BUILDKITE_TOKEN }} + buildkite_token: ${{ env.BUILDKITE_TOKEN }} buildkite_org: redpanda buildkite_pipeline: ${{ vars.CLOUD_PIPELINE }} commit: HEAD From dc8b53a6fdcc5c99a4baf520b202fa5e22eadc1a Mon Sep 17 00:00:00 2001 
From: Andrew Hsu Date: Fri, 7 Jun 2024 09:57:25 -0500 Subject: [PATCH 10/13] gha: update promote to use aws sm (cherry picked from commit 7fdafd8dc3d2d77b59bedde738edebdda28ebd93) --- .github/workflows/promote.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml index 44e909adcd13..bdb2e2b2c909 100644 --- a/.github/workflows/promote.yml +++ b/.github/workflows/promote.yml @@ -7,10 +7,22 @@ jobs: trigger-promote: runs-on: ubuntu-latest steps: + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/buildkite_token + parse-json-secrets: true - name: trigger redpanda promote pipeline uses: "buildkite/trigger-pipeline-action@v2.0.0" with: - buildkite_api_access_token: ${{ secrets.BUILDKITE_TOKEN }} + buildkite_api_access_token: ${{ env.BUILDKITE_TOKEN }} pipeline: "redpanda/redpanda" branch: dev message: ":github: Promote redpanda packages" From 4d06eed87503252816180a6a1323a5916c3e258d Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Fri, 7 Jun 2024 09:58:16 -0500 Subject: [PATCH 11/13] gha: update slash-commands to use aws sm (cherry picked from commit 6a3a892c01d09e36da069cf0d9484fe22ca02292) --- .github/workflows/slash-commands.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/slash-commands.yml b/.github/workflows/slash-commands.yml index cb34e2d12a19..72019ce02ac3 100644 --- a/.github/workflows/slash-commands.yml +++ b/.github/workflows/slash-commands.yml 
@@ -6,10 +6,22 @@ jobs: slashCommandDispatch: runs-on: ubuntu-latest steps: + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + parse-json-secrets: true - name: Slash Command Dispatch uses: peter-evans/slash-command-dispatch@v2 with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} permission: read issue-type: both commands: | From 7055b14476d60e8e9f8916d80b16f7ceaba9b4fa Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Fri, 7 Jun 2024 10:11:07 -0500 Subject: [PATCH 12/13] gha: update to actions/labeler@v5 To address warning message: > Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: actions/labeler@v4. (cherry picked from commit d7f2c138eece185264557d156da7182610330060) --- .github/workflows/pr-labeler.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml index 00c36f0af66f..1b8741fa0816 100644 --- a/.github/workflows/pr-labeler.yml +++ b/.github/workflows/pr-labeler.yml @@ -11,6 +11,6 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v4 + - uses: actions/labeler@v5 with: repo-token: ${{ secrets.GITHUB_TOKEN }} From 5b49d509b49700eb547342c2db8189dd6e07c721 Mon Sep 17 00:00:00 2001 From: Chase Higgins Date: Thu, 14 Dec 2023 10:42:20 +0000 Subject: [PATCH 13/13] removes kics (cherry picked from commit f0533f8683dbf2827f0ce1b5a8d4c9c567900f6a) --- .github/workflows/kics-iac.yml | 30 ------------------------------ 1 file changed, 30 deletions(-) delete mode 100644 .github/workflows/kics-iac.yml 
diff --git a/.github/workflows/kics-iac.yml b/.github/workflows/kics-iac.yml deleted file mode 100644 index 55eaabd200c1..000000000000 --- a/.github/workflows/kics-iac.yml +++ /dev/null @@ -1,30 +0,0 @@ -name: kics scanning -on: - push: - branches: dev -jobs: - kics: - runs-on: ubuntu-latest - env: - AWS_ACCESS_KEY_ID: ${{ secrets.VULN_REPORTS_AWS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.VULN_REPORTS_AWS_SECRET_ACCESS_KEY }} - VULN_REPORTS_AWS_BUCKET: ${{ secrets.VULN_REPORTS_AWS_BUCKET }} - AWS_EC2_METADATA_DISABLED: true - steps: - - uses: actions/checkout@v2 - - name: run kics Scan - uses: checkmarx/kics-github-action@v1.6.3 - with: - path: . - ignore_on_exit: results - output_path: res/ - exclude_paths: tests/,src/go/k8s/tests/,src/go/rpk/pkg/testfs/,src/go/k8s/config/ - - name: display kics results - run: | - cat res/results.json - - name: upload scan results - run: | - set -eu - KEY="`date +%Y`/`date +%m`/`date +%d`/${GITHUB_REPOSITORY#*/}_${GITHUB_REF#refs/heads/}_kics_`date +%s`.json" - echo "[i] writing to s3 object '$KEY'" - aws s3 cp res/results.json s3://$VULN_REPORTS_AWS_BUCKET/$KEY