Skip to content

[Backport] fix: bypass access checks when populating course blocks cache #36826

[Backport] fix: bypass access checks when populating course blocks cache

[Backport] fix: bypass access checks when populating course blocks cache #36826

name: Check Django Migrations
on:
workflow_dispatch:
pull_request:
push:
branches:
- master
jobs:
check_migrations:
name: check migrations
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-22.04]
python-version:
- "3.11"
# 'pinned' is used to install the latest patch version of Django
# within the global constraint i.e. Django==4.2.8 in current case
# because we have global constraint of Django<4.2
django-version: ["pinned"]
mongo-version:
- "7"
mysql-version: ["8"]
services:
mongo:
image: mongo:${{ matrix.mongo-version }}
ports:
- 27017:27017
# Note: Calling mongo here only works with mongo 4, in newer versions of mongo
# we'll have to use `mongosh`, hence the 'which mongosh mongo'.
options: >-
--health-cmd "$(which mongosh mongo) --quiet --eval 'db.runCommand(\"ping\")'"
--health-interval 10s
--health-timeout 5s
--health-retries 3
mysql:
image: mysql:${{ matrix.mysql-version }}
ports:
- 3306:3306
env:
MYSQL_DATABASE: "edxapp"
MYSQL_USER: "edxapp001"
MYSQL_PASSWORD: "password"
MYSQL_RANDOM_ROOT_PASSWORD: true
options: >-
--health-cmd "mysqladmin ping"
--health-interval 10s
--health-timeout 5s
--health-retries 3
steps:
- name: Setup mongodb user
run: |
docker exec ${{ job.services.mongo.id }} mongosh edxapp --eval '
db.createUser(
{
user: "edxapp",
pwd: "password",
roles: [
{ role: "readWrite", db: "edxapp" },
]
}
);
'
- name: Verify mongo and mysql db credentials
run: |
mysql -h 127.0.0.1 -uedxapp001 -ppassword -e "select 1;" edxapp
docker exec ${{ job.services.mongo.id }} mongosh --host 127.0.0.1 --username edxapp --password password --eval 'use edxapp; db.adminCommand("ping");' edxapp
- name: Checkout repo
uses: actions/checkout@v4
- name: Setup Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install system Packages
run: |
sudo apt-get update
make ubuntu-requirements
- name: Get pip cache dir
id: pip-cache-dir
run: |
echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT
- name: Cache pip dependencies
id: cache-dependencies
uses: actions/cache@v4
with:
path: ${{ steps.pip-cache-dir.outputs.dir }}
key: ${{ runner.os }}-pip-${{ hashFiles('requirements/edx/development.txt') }}
restore-keys: ${{ runner.os }}-pip-
- name: Install Python dependencies
run: |
make dev-requirements
if [[ "${{ matrix.django-version }}" != "pinned" ]]; then
pip install "django~=${{ matrix.django-version }}.0"
pip check # fail if this test-reqs/Django combination is broken
fi
- name: list installed package versions
run: |
sudo pip freeze
- name: Run Tests
env:
LMS_CFG: lms/envs/minimal.yml
# This is from the LMS dir on purpose since we don't need anything different for the CMS yet.
STUDIO_CFG: lms/envs/minimal.yml
run: |
echo "Running the LMS migrations."
./manage.py lms migrate
echo "Running the CMS migrations."
./manage.py cms migrate
# This job aggregates test results. It's the required check for branch protection.
# https://github.com/marketplace/actions/alls-green#why
# https://github.com/orgs/community/discussions/33579
success:
name: Migrations checks successful
if: always()
needs:
- check_migrations
runs-on: ubuntu-22.04
steps:
- name: Decide whether the needed jobs succeeded or failed
# uses: re-actors/[email protected]
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe
with:
jobs: ${{ toJSON(needs) }}