Update workflow #24
Conversation
PR Overview
This PR updates the workflow to streamline versioning and artifact handling for Debian packages and Docker images. Key changes include:
- Renaming steps and updating command flags to define package versions.
- Modifying the Postgres version matrix from detailed versions to simplified integers.
- Adding a job dependency and a step to download .deb packages.
Reviewed Changes
| File | Description |
|---|---|
| .github/workflows/ferretdb_packages.yml | Updates to version definition, build, and artifact management. |
Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.
Comments suppressed due to low confidence (4)

.github/workflows/ferretdb_packages.yml:105
- [nitpick] The name 'Define version' is ambiguous and might reduce clarity; consider renaming it to 'Define Debian package version' to clearly indicate its purpose.
  `- name: Define Debian package version`

.github/workflows/ferretdb_packages.yml:111
- Removing the '--command deb-version --control-file' arguments may be unintentional. Please verify that the revised command provides the expected versioning behavior for Debian packages.
  `go run ./defineversion -pg-version ${{ matrix.pg }}`

.github/workflows/ferretdb_packages.yml:153
- Changing the Postgres version matrix from detailed versions to integers could lead to compatibility issues; ensure these simplified version numbers are supported by all dependent processes.
  `pg: [15, 16, 17]`

.github/workflows/ferretdb_packages.yml:185
- [nitpick] Renaming this step to 'Define version' might be confusing since it is used for Docker tag generation; consider a more descriptive name like 'Define Docker tags' to better reflect its functionality.
  `- name: Define Docker tags`
- name: Build ${{ steps.version.outputs.debian_version }} | ||
if: steps.version.outputs.debian_version != '' | ||
run: ./ferretdb_packaging/build_packages.sh --os ${{ matrix.os }} --pg ${{ matrix.pg }} --version ${{ steps.version.outputs.debian_version }} --test-clean-install | ||
- name: Upload | ||
- name: Upload .deb packages |
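Review bot: the `run:` line is where untrusted code actually executes: `./ferretdb_packaging/build_packages.sh` is taken from whatever tree the preceding checkout produced, and this workflow runs on `pull_request_target` with a separate "Checkout pull request code" step (visible in the CodeQL autofix diff below), so a fork that edits that script gets it run with base-repository secrets and the default-branch cache scope. Renaming the step does not change that; the checkout and trigger do. Separately, `if: steps.version.outputs.debian_version != ''` makes an empty version silently skip the build, leaving the following "Upload .deb packages" step with nothing to upload, which would mask exactly the `defineversion` flag change Copilot asked about; have the version step fail when it cannot produce a value (for example `[ -n "$DEBIAN_VERSION" ] || exit 1` before writing `$GITHUB_OUTPUT`) rather than guarding here.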
Check failure: Code scanning / CodeQL
Cache Poisoning via execution of untrusted code (High), on `pull_request_target`

Copilot Autofix AI, 20 days ago
To fix the problem, we need to ensure that untrusted code from pull requests does not run in the context of the default branch with elevated privileges. Instead, we should run untrusted code in a separate, less privileged context. This can be achieved by changing the event trigger from `pull_request_target` to `pull_request`, which runs in the context of the pull request branch and does not have access to secrets or privileged tokens.
- Change the event trigger from `pull_request_target` to `pull_request` on lines 26-31.
- Update the conditions and steps that depend on `pull_request_target` to use the new event trigger.
@@ -25,3 +25,3 @@ | ||
on: | ||
pull_request_target: | ||
pull_request: | ||
types: | ||
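Review bot: renaming the trigger to `pull_request` removes secrets and the write token from fork PRs, which is the point, but every step in this workflow that genuinely needs them (the .deb upload and the Docker tag push discussed in the review comments) will then fail or no-op on forks; gate those steps on `github.event_name == 'push'` or move them to a `workflow_run` job that consumes the build's artifacts and never checks out PR code. The `types:` list that follows should be re-read with the same eye: any entry that existed only as a manual approval gate for the privileged trigger no longer gates anything.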
@@ -60,3 +60,3 @@ | ||
if: > | ||
github.event_name != 'pull_request_target' || | ||
github.event_name != 'pull_request' || | ||
( | ||
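Review bot: the mechanical rename leaves `github.event_name != 'pull_request' ||` followed by a parenthesized clause outside the hunk; if that clause is the allow-list that used to let selected PRs through the privileged `pull_request_target` path (author, label or repository-owner check), it now only filters a run that has no privileges, so decide whether it still gates anything or should be deleted along with the rename.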
@@ -78,3 +78,3 @@ | ||
- name: Checkout code | ||
if: github.event_name != 'pull_request_target' | ||
if: github.event_name != 'pull_request' | ||
uses: actions/checkout@v4 | ||
@@ -85,3 +85,3 @@ | ||
- name: Checkout pull request code | ||
if: github.event_name == 'pull_request_target' | ||
if: github.event_name == 'pull_request' | ||
uses: actions/checkout@v4 | ||
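Review bot: the `with:`/`ref:` block of "Checkout pull request code" falls outside the hunk, but under `pull_request_target` that step is what pulled the fork's tree into a privileged run (typically `ref: ${{ github.event.pull_request.head.sha }}`); with the trigger now `pull_request`, a bare `actions/checkout@v4` already yields the PR merge commit, so the conditional pair in this hunk and the previous one collapses into one unconditional checkout, and the `ref:` override should go, not only the `if:`.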
@@ -97,3 +97,3 @@ | ||
- name: Name branch | ||
if: github.event_name == 'pull_request_target' | ||
if: github.event_name == 'pull_request' | ||
env: |
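The split that actually resolves the CodeQL finding, as an added example that is neither FerretDB's workflow nor Copilot's autofix: the untrusted build runs under `pull_request` with no secrets, and a second workflow triggered by `workflow_run` does the privileged work without ever checking out or executing pull-request code. The workflow and file names, the `build/*.deb` output path, the `publish.sh` script, the artifact names and the `PACKAGE_PUBLISH_TOKEN` secret are assumptions; the `defineversion` and `build_packages.sh` invocations are the ones shown in this PR.

```yaml
# .github/workflows/packages.yml  (assumed name; added example, not the project's file)
#
# The shape CodeQL flags, for contrast:
#   on: pull_request_target                 # base-repo secrets + write token
#   steps:
#     - uses: actions/checkout@v4
#       with:
#         ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled tree
#     - uses: actions/setup-go@v5
#       with: { cache: true }               # cache saved under the base branch scope
#     - run: ./ferretdb_packaging/build_packages.sh ...    # executes that tree
# A fork that edits build_packages.sh runs with the secrets and can plant cache
# entries that later default-branch runs restore.

name: packages

on:
  pull_request:            # fork PRs: no secrets, read-only GITHUB_TOKEN
  push:
    branches: [main]

permissions:
  contents: read           # explicit least privilege even for trusted pushes

jobs:
  build:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        pg: [15, 16, 17]
    steps:
      # No ref: the default checkout is the PR merge commit. Nothing privileged
      # is reachable from this job, so running its scripts is acceptable.
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: true      # cache scope is now the PR branch, isolated from main
      - name: Define Debian package version
        id: version
        # assumed to write debian_version to $GITHUB_OUTPUT and exit non-zero otherwise
        run: go run ./defineversion -pg-version ${{ matrix.pg }}
      - name: Build
        run: >
          ./ferretdb_packaging/build_packages.sh
          --pg ${{ matrix.pg }}
          --version "${{ steps.version.outputs.debian_version }}"
          --test-clean-install
      - uses: actions/upload-artifact@v4
        with:
          name: deb-pg${{ matrix.pg }}
          path: build/*.deb        # assumed output path

---
# .github/workflows/publish.yml  (assumed name): privileged, runs only after the
# build on the default branch succeeded, and never touches PR code.
name: publish

on:
  workflow_run:
    workflows: [packages]
    types: [completed]

permissions:
  contents: read
  packages: write

jobs:
  publish:
    # Both conditions matter: a PR-triggered build also completes "successfully",
    # but its artifacts were produced by untrusted code and must not be published.
    if: >
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'push'
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4      # under workflow_run this is the default branch
      - uses: actions/download-artifact@v4
        with:
          pattern: deb-pg*
          merge-multiple: true
          path: dist
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Publish
        env:
          PUBLISH_TOKEN: ${{ secrets.PACKAGE_PUBLISH_TOKEN }}   # assumed secret
        run: ./publish.sh dist/*.deb                            # assumed script
```

The autofix above stops at the first half of this: renaming the trigger removes the privilege, but also removes it from the steps that genuinely need it (the .deb upload and the Docker tag push this PR touches). The `workflow_run` job is where that privilege belongs, and the `event == 'push'` guard is what keeps artifacts built from a fork out of the publish path.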
No description provided.