4 changes: 3 additions & 1 deletion .github/workflows/check-pr-labels.yaml
@@ -1,13 +1,15 @@
name: Ready
on:
pull_request_target:
pull_request:
types:
- labeled
- opened
- reopened
- synchronize
- unlabeled

permissions: {}

jobs:
hold:
if: github.event.pull_request.merged == false
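Review bot: The new top-level `permissions: {}` leaves every job in this workflow without token scopes, and no job-level `permissions:` is visible for `hold` before the section is collapsed. If the hidden steps only inspect the event payload (for example `github.event.pull_request.labels`) that is correct, but any step that calls the API would now fail, and more visibly so on fork PRs if the trigger is now `pull_request`. A comment next to the block would record the intent, e.g. `# no token scopes needed: labels are read from the event payload`. The body of `hold` continues outside the visible section, so this needs confirming against the full file.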
6 changes: 4 additions & 2 deletions .github/workflows/container_image.yaml
Expand Up @@ -17,10 +17,12 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
with:
persist-credentials: false

- run: |
docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io
docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io # zizmor: ignore[secrets-outside-env]

docker build -t ${{ env.image_tag_branch }} .
docker push ${{ env.image_tag_branch }}
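Review bot: The login line still expands both secrets into the script text and hands the token to `docker login` with `-p`, which puts it on the process command line; the added `# zizmor: ignore[secrets-outside-env]` silences the finding on that line without changing how the secret is handled. Passing the values through `env:` and reading the token from stdin keeps them out of the rendered script and the argument list. The same line is changed the same way in `.github/workflows/release_image.yaml`. The `docker build` and `docker push` lines also expand `${{ env.image_tag_branch }}` into the script unquoted; its definition is outside the hunk, so whether it can carry branch-derived text cannot be told from here.

```yaml
- run: |
    printf '%s' "$QUAY_TOKEN" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io
    # … unchanged: docker build / docker push …
  env:
    QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
    QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
```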
12 changes: 7 additions & 5 deletions .github/workflows/e2e.yaml
Expand Up @@ -28,17 +28,19 @@ jobs:
runs-on: ubuntu-${{ matrix.ubuntu_version }}

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
with:
persist-credentials: false

- name: Deploy devstack
uses: EmilienM/devstack-action@60ca1042045c0c9e3e001c64575d381654ffcba1
uses: gophercloud/devstack-action@60ca1042045c0c9e3e001c64575d381654ffcba1 # tag=v0.19
with:
enable_workaround_docker_io: 'false'
branch: ${{ matrix.openstack_version }}
enabled_services: "openstack-cli-server"

- name: Deploy a Kind Cluster
uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # tag=v1.14.0
with:
cluster_name: orc

Expand All @@ -50,7 +52,7 @@ jobs:
- name: Deploy orc
run: |
kubectl config use-context kind-orc
make deploy IMG=${{ env.image_tag }}
make deploy IMG=${{ env.image_tag }} LOGLEVEL=5

- name: Run e2e tests
run: make test-e2e
Expand All @@ -63,7 +65,7 @@ jobs:

- name: Upload logs artifacts on failure
if: failure()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7
with:
name: e2e-${{ matrix.name }}-${{ github.run_id }}
path: /tmp/artifacts/*
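Review bot: The `# tag=` comments added after the pinned SHAs are not checked by the runner, so each one is only as good as the review that wrote it. The devstack step changes the owner from `EmilienM` to `gophercloud` while keeping the same commit `60ca1042045c0c9e3e001c64575d381654ffcba1`; it is worth confirming that this commit is what `v0.19` points to in `gophercloud/devstack-action`, since a SHA can resolve through a fork network without belonging to the named repository's releases. On `actions/upload-artifact` the comment is `# tag=v7`, a moving major tag, unlike the exact versions noted elsewhere in this commit (`v6.0.2`, `v1.14.0`); naming the exact release the SHA corresponds to would make the pin auditable later.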
4 changes: 3 additions & 1 deletion .github/workflows/generate.yaml
Expand Up @@ -12,7 +12,9 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
with:
persist-credentials: false

- run: |
make generate
7 changes: 5 additions & 2 deletions .github/workflows/go-lint.yaml
Expand Up @@ -12,16 +12,19 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
with:
persist-credentials: false

- name: Calculate go version
id: vars
run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT

- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0
with:
go-version: ${{ steps.vars.outputs.go_version }}
cache: false

- run: |
make lint
100 changes: 46 additions & 54 deletions .github/workflows/label-pr.yaml
@@ -1,92 +1,84 @@
name: Label PR
on:
# zizmor: ignore[dangerous-triggers] edits job only runs actions/labeler, no code checkout
pull_request_target:
types:
- opened
- synchronize
- reopened
permissions:
contents: read
pull-requests: write
# zizmor: ignore[dangerous-triggers] semver-label job never checks out or executes untrusted code
workflow_run:
workflows: ["Semver analysis"]
types:
- completed

permissions: {}

jobs:
semver:
semver-label:
if: github.event_name == 'workflow_run'
runs-on: ubuntu-latest
permissions:
actions: read
pull-requests: write
steps:
- uses: actions/checkout@v6
- name: Download semver results
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # tag=v8.0.1
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
name: semver-results
run-id: ${{ github.event.workflow_run.id }}
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Read PR number
id: pr
run: echo "number=$(cat pr-number)" >> $GITHUB_OUTPUT

- name: Rebase the PR against origin/github.base_ref to ensure actual API compatibility
- name: Report failure
if: github.event.workflow_run.conclusion == 'failure'
run: |
git config --global user.email "localrebase@k-orc.cloud"
git config --global user.name "Local rebase"
git rebase -i origin/${{ github.base_ref }}
gh pr edit "$NUMBER" --remove-label "semver:major,semver:minor,semver:patch"
gh issue comment "$NUMBER" --body "$BODY"
env:
GIT_SEQUENCE_EDITOR: '/usr/bin/true'

- name: Calculate go version
id: vars
run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT

- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0
with:
go-version: ${{ steps.vars.outputs.go_version }}

- name: Checking Go API Compatibility
id: go-apidiff
# if semver=major, this will return RC=1, so let's ignore the failure so label
# can be set later. We check for actual errors in the next step.
continue-on-error: true
uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
NUMBER: ${{ steps.pr.outputs.number }}
BODY: >
Failed to assess the semver bump. See [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}) for details.

# go-apidiff returns RC=1 when semver=major, which makes the workflow to return
# a failure. Instead let's just return a failure if go-apidiff failed to run.
- name: Return an error if Go API Compatibility couldn't be verified
if: steps.go-apidiff.outcome != 'success' && steps.go-apidiff.outputs.semver-type != 'major'
run: exit 1
- name: Read semver type
if: github.event.workflow_run.conclusion == 'success'
id: semver
run: echo "type=$(cat semver-type)" >> $GITHUB_OUTPUT

- name: Add label semver:patch
if: steps.go-apidiff.outputs.semver-type == 'patch'
if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'patch'
run: gh pr edit "$NUMBER" --add-label "semver:patch" --remove-label "semver:major,semver:minor"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
NUMBER: ${{ github.event.pull_request.number }}
NUMBER: ${{ steps.pr.outputs.number }}

- name: Add label semver:minor
if: steps.go-apidiff.outputs.semver-type == 'minor'
if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'minor'
run: gh pr edit "$NUMBER" --add-label "semver:minor" --remove-label "semver:major,semver:patch"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
NUMBER: ${{ github.event.pull_request.number }}
NUMBER: ${{ steps.pr.outputs.number }}

- name: Add label semver:major
if: steps.go-apidiff.outputs.semver-type == 'major'
if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'major'
run: gh pr edit "$NUMBER" --add-label "semver:major" --remove-label "semver:minor,semver:patch"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
NUMBER: ${{ github.event.pull_request.number }}

- name: Report failure
if: failure()
run: |
gh pr edit "$NUMBER" --remove-label "semver:major,semver:minor,semver:patch"
gh issue comment "$NUMBER" --body "$BODY"
exit 1
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
NUMBER: ${{ github.event.pull_request.number }}
BODY: >
Failed to assess the semver bump. See [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details.
NUMBER: ${{ steps.pr.outputs.number }}

edits:
if: github.event_name == 'pull_request_target'
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/labeler@v6
- uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # tag=v6
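Review bot: The `semver-label` job runs with `pull-requests: write` but takes both the PR number and the semver type from files in an artifact uploaded by the `pull_request`-triggered "Semver analysis" run, and writes them to `$GITHUB_OUTPUT` through `$(cat pr-number)` and `$(cat semver-type)` without checking them. The zizmor comment is accurate that no untrusted code is checked out or executed, but the artifact is still untrusted data: its content decides which PR is labelled or commented on, and a multi-line file would add extra output keys. The job should reject a `pr-number` that is not purely digits and confirm that the PR's head commit matches `github.event.workflow_run.head_sha` before acting on it. `semver-type` should be restricted to `patch`, `minor` or `major` in the same way, and `"$GITHUB_OUTPUT"` should be quoted.

```yaml
- name: Read PR number
  id: pr
  run: |
    # The artifact comes from an unprivileged pull_request run: treat it as untrusted input.
    number="$(cat pr-number)"
    case "$number" in
      ''|*[!0-9]*) echo "unexpected pr-number content" >&2; exit 1 ;;
    esac
    # Only act on the PR whose head commit produced this workflow run.
    head_sha="$(gh pr view "$number" --json headRefOid --jq .headRefOid)"
    if [ "$head_sha" != "$EXPECTED_SHA" ]; then
      echo "PR head does not match the triggering workflow run" >&2
      exit 1
    fi
    echo "number=$number" >> "$GITHUB_OUTPUT"
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    GH_REPO: ${{ github.repository }}
    EXPECTED_SHA: ${{ github.event.workflow_run.head_sha }}
```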
6 changes: 4 additions & 2 deletions .github/workflows/release_image.yaml
Expand Up @@ -16,10 +16,12 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
with:
persist-credentials: false

- run: |
docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io
docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io # zizmor: ignore[secrets-outside-env]

docker build -t ${{ env.image_tag }} .
docker push ${{ env.image_tag }}
68 changes: 68 additions & 0 deletions .github/workflows/semver.yaml
@@ -0,0 +1,68 @@
name: Semver analysis
on:
pull_request:
types:
- opened
- synchronize
- reopened

permissions:
contents: read

jobs:
analyze:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false

- name: Rebase the PR against base ref to ensure actual API compatibility
run: |
git config --global user.email "localrebase@k-orc.cloud"
git config --global user.name "Local rebase"
git rebase -i origin/$BASE_REF
env:
GIT_SEQUENCE_EDITOR: '/usr/bin/true'
BASE_REF: ${{ github.base_ref }}

- name: Calculate go version
id: vars
run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT

- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0
with:
go-version: ${{ steps.vars.outputs.go_version }}

- name: Checking Go API Compatibility
id: go-apidiff
# if semver=major, this will return RC=1, so let's ignore the failure so label
# can be set later. We check for actual errors in the next step.
continue-on-error: true
uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685 # tag=v0.8.3

# go-apidiff returns RC=1 when semver=major, which makes the workflow to return
# a failure. Instead let's just return a failure if go-apidiff failed to run.
- name: Return an error if Go API Compatibility couldn't be verified
if: steps.go-apidiff.outcome != 'success' && steps.go-apidiff.outputs.semver-type != 'major'
run: exit 1

- name: Save semver result
if: always()
run: |
mkdir -p semver-results
echo "$SEMVER_TYPE" > semver-results/semver-type
echo "$PR_NUMBER" > semver-results/pr-number
env:
SEMVER_TYPE: ${{ steps.go-apidiff.outputs.semver-type }}
PR_NUMBER: ${{ github.event.pull_request.number }}

- name: Upload semver results
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7
with:
name: semver-results
path: semver-results/
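Review bot: In the rebase step `git rebase -i origin/$BASE_REF` leaves the variable unquoted, and both this step and "Calculate go version" redirect to an unquoted `$GITHUB_OUTPUT`. Moving `github.base_ref` into `env:` removes template expansion into the script, but word splitting and globbing still apply, so these should read `git rebase -i "origin/$BASE_REF"` and `>> "$GITHUB_OUTPUT"`. The upload step would also benefit from a comment marking the trust boundary, for example `# consumed by label-pr.yaml via workflow_run; contents derive from PR code and must be validated by the consumer`. On a fork PR both this workflow file and the files it writes come from the contributor's branch.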
7 changes: 5 additions & 2 deletions .github/workflows/unit.yml
Expand Up @@ -16,16 +16,19 @@ jobs:
- '1'

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
with:
persist-credentials: false

- name: Calculate go version
id: vars
run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT

- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0
with:
go-version: ${{ steps.vars.outputs.go_version }}
cache: false

- run: |
make test