ci: encrypt artifacts #2567

miampf · 2023-11-08T15:23:38Z

Context

Currently, any artifacts uploaded by the CI are unencrypted which can be insecure (e.g. for logs).

Proposed change(s)

add the action .github/actions/artifact_upload
add the action .github/actions/artifact_download
replace all CI references to actions/upload-artifact/actions/download-artifact with their respective wrappers

Checklist

Add labels (e.g., for changelog category)
Is PR title adequate for changelog?

netlify · 2023-11-08T15:23:58Z

✅ Deploy Preview for constellation-docs canceled.

Name	Link
🔨 Latest commit	`506398d`
🔍 Latest deploy log	https://app.netlify.com/sites/constellation-docs/deploys/6582f1e9f8d6430007f4bde0

msanft · 2023-11-08T15:50:43Z

Removed the security-fix label as this is rather a defensive security measure on our side and since it interferes with the no-changelog label in the changelog generation process

msanft

One general thing: If making as many commits is part of your standard workflow, awesome! If you do this because you think we expect it. No. Feel free to do less commits, don't feel urged by the "guidelines" saying that you should push your work regularly. This is really regular. However, I really don't wan't you to change it if it's part of your default workflow. Just don't feel urged to do that by us :D

.github/actions/artifact_download/action.yml

.github/actions/artifact_upload/action.yml

.github/actions/artifact_download/action.yml

.github/actions/artifact_upload/action.yml

msanft

Changes look really good to me already other than that :)

.github/actions/artifact_upload/action.yml

.github/actions/artifact_download/action.yml

.github/actions/artifact_upload/action.yml

.github/actions/e2e_benchmark/action.yml

.github/workflows/e2e-upgrade.yml

.github/workflows/release-cli.yml

.github/workflows/test-artifact-actions-and-stuff.yml

test-folder/file-1.txt

.github/workflows/test-artifact-actions-and-stuff.yml

.github/actions/artifact_upload/action.yml

msanft

LGTM except for the test removal that Paul mentioned.

malt3

LGTM

.github/actions/artifact_download/action.yml

malt3 · 2023-12-18T10:06:55Z

I think this can be merged 🚀

wanted by you

.github/actions/constellation_create/action.yml

.github/workflows/draft-release.yml

miampf added security fix Vulnerability fixes no changelog Change won't be listed in release changelog labels Nov 8, 2023

malt3 requested a review from msanft November 8, 2023 15:31

msanft removed the security fix Vulnerability fixes label Nov 8, 2023

msanft requested changes Nov 8, 2023

View reviewed changes

katexochen reviewed Nov 9, 2023

View reviewed changes

.github/actions/artifact_download/action.yml Outdated Show resolved Hide resolved

.github/actions/artifact_download/action.yml Outdated Show resolved Hide resolved

.github/actions/artifact_upload/action.yml Outdated Show resolved Hide resolved

miampf force-pushed the encrypt-artifacts branch 6 times, most recently from 4f03a7b to dc86d93 Compare November 15, 2023 11:08

msanft requested changes Nov 16, 2023

View reviewed changes

miampf force-pushed the encrypt-artifacts branch from 790625d to 0c68fcf Compare November 20, 2023 12:12

katexochen previously requested changes Nov 20, 2023

View reviewed changes

.github/actions/artifact_upload/action.yml Outdated Show resolved Hide resolved

.github/actions/artifact_upload/action.yml Outdated Show resolved Hide resolved

miampf force-pushed the encrypt-artifacts branch from f1d79c9 to b1536b9 Compare November 20, 2023 13:45

msanft approved these changes Nov 21, 2023

View reviewed changes

miampf force-pushed the encrypt-artifacts branch from b1536b9 to 1371170 Compare November 22, 2023 11:23

miampf requested a review from katexochen November 22, 2023 11:26

miampf force-pushed the encrypt-artifacts branch 2 times, most recently from 2489a80 to a088b9b Compare November 27, 2023 13:04

msanft requested a review from malt3 November 28, 2023 08:05

malt3 approved these changes Nov 28, 2023

View reviewed changes

daniel-weisse reviewed Dec 6, 2023

View reviewed changes

.github/actions/artifact_download/action.yml Show resolved Hide resolved

daniel-weisse mentioned this pull request Dec 20, 2023

ci: parallelize upgrade e2e test #2724

Merged

3 tasks

miampf added 2 commits December 20, 2023 12:42

created action for uploading encrypted artifacts

249005b

changed name of secret to something more general

30bdd02

miampf added 11 commits December 20, 2023 12:49

renamed workflow in hopes that GH will detect it now

7d50652

added name to workflow

082dc6f

added checkout because maybe that is the problem

2476cf3

changed trigger

f2b2117

add channels

0bfe32c

pin to specific hashes

751f1ce

changed hash

859f5a3

fixed wrong description text

c50d6e5

install zip/unzip with setup_bazel_nix action

a9a70f3

removed test files

47c53ae

no newline for do/then in bash script

438e710

miampf force-pushed the encrypt-artifacts branch from a088b9b to 438e710 Compare December 20, 2023 11:49

miampf added 2 commits December 20, 2023 13:01

use own download_artifact action

7cd8851

fixed actions that cant use secrets and cascading issues

3345a4e

miampf requested review from daniel-weisse, malt3 and msanft December 20, 2023 12:14

daniel-weisse requested changes Dec 20, 2023

View reviewed changes

.github/actions/constellation_create/action.yml Outdated Show resolved Hide resolved

.github/workflows/draft-release.yml Outdated Show resolved Hide resolved

.github/workflows/draft-release.yml Show resolved Hide resolved

added forgotten encryption secret

695aefe

daniel-weisse approved these changes Dec 20, 2023

View reviewed changes

msanft approved these changes Dec 20, 2023

View reviewed changes

malt3 approved these changes Dec 20, 2023

View reviewed changes

miampf added 2 commits December 20, 2023 14:50

consistent quotes

f055e01

don't encrypt the draft release

506398d

miampf merged commit a429ca5 into main Dec 20, 2023
5 checks passed

miampf deleted the encrypt-artifacts branch December 20, 2023 14:17

daniel-weisse mentioned this pull request Dec 21, 2023

ci: fix artifact upload in image build pipeline #2765

Merged

burgerdev mentioned this pull request Dec 22, 2023

ci: selectively remove artifact encryption #2772

Merged

4 tasks

elchead mentioned this pull request Jan 30, 2024

ci: fix upload CLI path line splitting #2877

Merged

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: encrypt artifacts #2567

ci: encrypt artifacts #2567

miampf commented Nov 8, 2023

netlify bot commented Nov 8, 2023 •

edited

Loading

msanft commented Nov 8, 2023

msanft left a comment

msanft left a comment

msanft left a comment

malt3 left a comment

malt3 commented Dec 18, 2023

ci: encrypt artifacts #2567

ci: encrypt artifacts #2567

Conversation

miampf commented Nov 8, 2023

Context

Proposed change(s)

Checklist

netlify bot commented Nov 8, 2023 • edited Loading

✅ Deploy Preview for constellation-docs canceled.

msanft commented Nov 8, 2023

msanft left a comment

Choose a reason for hiding this comment

msanft left a comment

Choose a reason for hiding this comment

msanft left a comment

Choose a reason for hiding this comment

malt3 left a comment

Choose a reason for hiding this comment

malt3 commented Dec 18, 2023

netlify bot commented Nov 8, 2023 •

edited

Loading