This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new dc206e6f71 Refresh and cleanup GitHub actions (#35401)
dc206e6f71 is described below
commit dc206e6f71fefec663dab5b980b7e9ca02aa5eea
Author: Jarek Potiuk <[email protected]>
AuthorDate: Fri Nov 3 14:22:25 2023 +0100
Refresh and cleanup GitHub actions (#35401)
* Refresh and cleanup GitHub actions
This PR aims to refresh and clean up all the GitHub actions that
we use in the CI build. It also gets rid of actions used in
submodules, as they have not been very useful and it is confusing
how to update and refresh them.
The changes:
* The `github-push-action` is not needed any more. As of newer versions
of the checkout action we can persist credentials and use `fetch-depth: 0` to
avoid the `detached-head` problem that was there in previous versions, and
we can simply `git push` the committed changes. Alongside, the name
of the folder where we check out constraints is changed from "repo" to the
much more explicit "constraints".
* The `configure-aws-credentials` action is updated to the latest version, and a
careful review of the code in the commit has been done in order to
verify it contains no malicious code. Following best practices, the
SHA of the commit is used to check out the action code.
See
https://docs.github.com/en/actions/learn-github-actions/finding-and-customizing-actions#using-shas
The `configure-aws-credentials` organisation is also a "verified partner" of
GitHub, so we can rather safely assume it is legitimate to upgrade.
* The standard GitHub `checkout` action is updated to the latest v4
* We still had the `get-workflow-origin` submodule defined even though we
have not used it for a year now. All submodule definitions are now
removed from airflow, as none of the actions use submodules to
check out the actions any more.
* Update .github/workflows/ci.yml
Co-authored-by: Pankaj Koti <[email protected]>
---------
Co-authored-by: Pankaj Koti <[email protected]>
---
.github/actions/configure-aws-credentials | 1 -
.github/actions/github-push-action | 1 -
.github/workflows/build-images.yml | 16 ++--
.github/workflows/ci.yml | 98 +++++++++++-----------
.github/workflows/codeql-analysis.yml | 4 +-
.github/workflows/release_dockerhub_image.yml | 4 +-
.gitmodules | 9 --
...-using-contributed-code-when-building-images.md | 2 +-
scripts/ci/constraints/ci_commit_constraints.sh | 2 +-
scripts/ci/constraints/ci_diff_constraints.sh | 4 +-
.../pre_commit_checkout_no_credentials.py | 9 +-
11 files changed, 73 insertions(+), 77 deletions(-)
diff --git a/.github/actions/configure-aws-credentials
b/.github/actions/configure-aws-credentials
deleted file mode 160000
index e97d7fbc8e..0000000000
--- a/.github/actions/configure-aws-credentials
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit e97d7fbc8e0e5af69631c13daa0f4b5a8d88165b
diff --git a/.github/actions/github-push-action
b/.github/actions/github-push-action
deleted file mode 160000
index 40bf560936..0000000000
--- a/.github/actions/github-push-action
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 40bf560936a8022e68a3c00e7d2abefaf01305a6
diff --git a/.github/workflows/build-images.yml
b/.github/workflows/build-images.yml
index e57dca99fc..44d82e6404 100644
--- a/.github/workflows/build-images.yml
+++ b/.github/workflows/build-images.yml
@@ -108,7 +108,7 @@ jobs:
# we checkout the target commit and its parent to be able to compare them
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
with:
ref: ${{ env.TARGET_COMMIT_SHA }}
persist-credentials: false
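Review bot: `actions/checkout@v4` is still a floating major tag, which sits oddly next to the SHA pin this same PR applies to `aws-actions/configure-aws-credentials` further down; `actions/setup-python@v4` and `actions/download-artifact@v3` elsewhere in the diff are likewise left on tags. If the intent is to pin third-party code by SHA and trust GitHub-owned actions by tag, state that in the commit message or a workflow comment; otherwise pin these the same way (`actions/checkout@<sha> # v4.x`) so the policy is uniform across the workflows.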
@@ -147,7 +147,7 @@ jobs:
print(output, file=sys.stderr)
EOF
- name: Checkout target branch to 'target-airflow' folder to use
ci/scripts and breeze from there.
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
path: "target-airflow"
ref: ${{ github.base_ref }}
@@ -204,13 +204,13 @@ jobs:
steps:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
with:
ref: ${{ needs.build-info.outputs.target-commit-sha }}
persist-credentials: false
submodules: recursive
- name: Checkout target branch to 'target-airflow' folder to use
ci/scripts and breeze from there.
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
path: "target-airflow"
ref: ${{ github.base_ref }}
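Review bot: `submodules: recursive` on the first checkout step is now a no-op, since this PR removes every entry from `.gitmodules` and the commit message states that no action uses submodules any more. Either drop the option here (and in the other checkouts that carry it in `ci.yml` and `release_dockerhub_image.yml`) or leave a comment saying why it is kept; a stale setting like this is exactly what the next "refresh and cleanup" will have to puzzle over.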
@@ -277,13 +277,13 @@ jobs:
steps:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
with:
ref: ${{ needs.build-info.outputs.target-commit-sha }}
persist-credentials: false
submodules: recursive
- name: Checkout target branch to 'target-airflow' folder to use
ci/scripts and breeze from there.
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
path: "target-airflow"
ref: ${{ github.base_ref }}
@@ -338,13 +338,13 @@ jobs:
steps:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
with:
ref: ${{ needs.build-info.outputs.target-commit-sha }}
persist-credentials: false
submodules: recursive
- name: Checkout target branch to 'target-airflow' folder to use
ci/scripts and breeze from there.
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
path: "target-airflow"
ref: ${{ github.base_ref }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9aaa1e53fd..d374a185cd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -131,12 +131,12 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
submodules: recursive
- name: Fetch incoming commit ${{ github.sha }} with its parent
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
ref: ${{ github.sha }}
fetch-depth: 2
@@ -214,7 +214,7 @@ jobs:
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
if: needs.build-info.outputs.canary-run == 'true' &&
needs.build-info.outputs.default-branch == 'main'
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
if: needs.build-info.outputs.canary-run == 'true' &&
needs.build-info.outputs.default-branch == 'main'
@@ -284,7 +284,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Install Breeze"
@@ -313,7 +313,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
if: needs.build-info.outputs.in-workflow-build == 'true'
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
with:
ref: ${{ needs.build-info.outputs.targetCommitSha }}
persist-credentials: false
@@ -349,7 +349,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
submodules: recursive
@@ -412,7 +412,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
if: needs.build-info.outputs.in-workflow-build == 'true'
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
with:
ref: ${{ needs.build-info.outputs.targetCommitSha }}
persist-credentials: false
@@ -439,7 +439,7 @@ jobs:
steps:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v4
@@ -465,7 +465,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Setup node"
@@ -493,7 +493,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
fetch-depth: 2
persist-credentials: false
@@ -510,7 +510,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
fetch-depth: 2
persist-credentials: false
@@ -533,7 +533,7 @@ jobs:
needs: [build-info]
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
fetch-depth: 2
persist-credentials: false
@@ -553,7 +553,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Install Breeze"
@@ -582,7 +582,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -625,7 +625,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Setup python"
@@ -649,7 +649,7 @@ jobs:
pre-commit-basic-${{steps.breeze.outputs.host-python-version}}-\n
pre-commit-full-${{steps.breeze.outputs.host-python-version}}-"
- name: Fetch incoming commit ${{ github.sha }} with its parent
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
ref: ${{ github.sha }}
fetch-depth: 2
@@ -680,7 +680,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
submodules: recursive
@@ -716,7 +716,7 @@ jobs:
- name: "Generate back references for helm-chart"
run: breeze release-management add-back-references helm-chart
- name: Configure AWS credentials
- uses: ./.github/actions/configure-aws-credentials
+ uses:
aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a
# v4.0.1
if: >
github.ref == 'refs/heads/main' && github.repository ==
'apache/airflow' &&
github.event_name == 'push'
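Review bot: pinning to `010d0da01d0b5a38af31e9c3470dbfdabdecca3a` is the right move for a third-party action that is handed cloud credentials, but the `# v4.0.1` trailer is now the only record of which release the SHA corresponds to, and nothing checks that the two stay in sync. Keep the version comment on the same line as the `uses:` value in the source (the wrap shown here looks like mail formatting) and update both together on every bump, so a reviewer can verify the SHA against the upstream tag without digging.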
@@ -746,7 +746,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -801,7 +801,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -872,7 +872,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -921,7 +921,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -968,7 +968,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -1016,7 +1016,7 @@ jobs:
shell: bash
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Prepare breeze & CI image:
${{matrix.python-version}}:${{env.IMAGE_TAG}}"
@@ -1072,7 +1072,7 @@ jobs:
shell: bash
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -1122,7 +1122,7 @@ jobs:
shell: bash
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -1172,7 +1172,7 @@ jobs:
shell: bash
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -1223,7 +1223,7 @@ jobs:
shell: bash
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Prepare breeze & CI image:
${{matrix.python-version}}:${{env.IMAGE_TAG}}"
@@ -1287,7 +1287,7 @@ jobs:
shell: bash
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Prepare breeze & CI image:
${{matrix.python-version}}:${{env.IMAGE_TAG}}"
@@ -1338,7 +1338,7 @@ jobs:
shell: bash
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Prepare breeze & CI image:
${{matrix.python-version}}:${{env.IMAGE_TAG}}"
@@ -1385,7 +1385,7 @@ jobs:
shell: bash
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Prepare breeze & CI image:
${{env.PYTHON_MAJOR_MINOR_VERSION}}:${{env.IMAGE_TAG}}"
@@ -1458,7 +1458,7 @@ jobs:
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
if: needs.build-info.outputs.is-airflow-runner == 'true'
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
if: needs.build-info.outputs.is-airflow-runner == 'true'
@@ -1498,7 +1498,7 @@ jobs:
shell: bash
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -1564,7 +1564,7 @@ jobs:
shell: bash
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -1600,7 +1600,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
submodules: recursive
@@ -1632,7 +1632,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Install Breeze"
@@ -1670,7 +1670,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
fetch-depth: 2
persist-credentials: false
@@ -1709,7 +1709,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Install Breeze"
@@ -1786,19 +1786,21 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
+ # Needed to perform push action
persist-credentials: false
submodules: recursive
- name: "Set constraints branch name"
id: constraints-branch
run: ./scripts/ci/constraints/ci_branch_constraints.sh >>
${GITHUB_OUTPUT}
- name: Checkout ${{ steps.constraints-branch.outputs.branch }}
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
- path: "repo"
+ path: "constraints"
ref: ${{ steps.constraints-branch.outputs.branch }}
- persist-credentials: false
+ persist-credentials: true
+ fetch-depth: 0
- name: "Download constraints from the constraints preview"
uses: actions/download-artifact@v3
with:
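Review bot: the new comment `# Needed to perform push action` is attached to the wrong step. It sits above `persist-credentials: false` on the main repository checkout, while the step that actually needs credentials for the push is the `constraints` checkout below, where `persist-credentials: true` is set without any comment; move the comment down to that line. Separately, `persist-credentials: true` is unconditional while the commit and push steps run only when `canary-run == 'true'`; consider adding the same `if:` to this checkout so the token is written into `constraints/.git/config` only in runs that will use it.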
@@ -1811,12 +1813,10 @@ jobs:
run: ./scripts/ci/constraints/ci_commit_constraints.sh
if: needs.build-info.outputs.canary-run == 'true'
- name: "Push changes"
- uses: ./.github/actions/github-push-action
if: needs.build-info.outputs.canary-run == 'true'
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- branch: ${{ steps.constraints-branch.outputs.branch }}
- directory: "repo"
+ working-directory: "constraints"
+ run:
+ git push
# Push BuildX cache to GitHub Registry in Apache repository, if all tests
are successful and build
# is executed as result of direct push to "main" or one of the "vX-Y-test"
branches
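Review bot: the bare `git push` relies on the token that `actions/checkout` stored in `constraints/.git/config` and on the branch tracking that checkout configured, neither of which is visible from this step, so a reader cannot tell which credential is used or where the push goes. Make the target explicit, e.g. `git push origin HEAD:${{ steps.constraints-branch.outputs.branch }}`, and confirm the job's `permissions:` block grants `contents: write`. The removed `github_token: ${{ secrets.GITHUB_TOKEN }}` input at least made the credential use visible in the step; the new form hides it.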
@@ -1841,7 +1841,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: >
@@ -1946,7 +1946,7 @@ jobs:
steps:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
with:
ref: ${{ needs.build-info.outputs.targetCommitSha }}
persist-credentials: false
diff --git a/.github/workflows/codeql-analysis.yml
b/.github/workflows/codeql-analysis.yml
index b71283c02a..9182918701 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,7 +39,7 @@ jobs:
needs-javascript-scans: ${{
steps.selective-checks.outputs.needs-javascript-scans }}
steps:
- name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
fetch-depth: 2
persist-credentials: false
@@ -69,7 +69,7 @@ jobs:
security-events: write
steps:
- name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
if: |
diff --git a/.github/workflows/release_dockerhub_image.yml
b/.github/workflows/release_dockerhub_image.yml
index 9c25aaea0b..2053dc5b9d 100644
--- a/.github/workflows/release_dockerhub_image.yml
+++ b/.github/workflows/release_dockerhub_image.yml
@@ -55,7 +55,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
submodules: recursive
@@ -92,7 +92,7 @@ jobs:
- name: Cleanup repo
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm
-rf /workspace/*"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Install Breeze"
diff --git a/.gitmodules b/.gitmodules
index 4195e904ce..e69de29bb2 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,9 +0,0 @@
-[submodule ".github/actions/get-workflow-origin"]
- path = .github/actions/get-workflow-origin
- url = https://github.com/potiuk/get-workflow-origin
-[submodule ".github/actions/configure-aws-credentials"]
- path = .github/actions/configure-aws-credentials
- url = https://github.com/aws-actions/configure-aws-credentials
-[submodule ".github/actions/github-push-action"]
- path = .github/actions/github-push-action
- url = https://github.com/ad-m/github-push-action
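Review bot: `.gitmodules` is emptied rather than removed; `index 4195e904ce..e69de29bb2 100644` shows the file now points at the empty blob and there is no `deleted file mode` line. Since the commit message says no submodules remain, `git rm .gitmodules` would be cleaner than leaving a zero-byte file in the repository root.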
diff --git
a/dev/breeze/doc/adr/0005-preventing-using-contributed-code-when-building-images.md
b/dev/breeze/doc/adr/0005-preventing-using-contributed-code-when-building-images.md
index 6f27821aa1..9e051fdc00 100644
---
a/dev/breeze/doc/adr/0005-preventing-using-contributed-code-when-building-images.md
+++
b/dev/breeze/doc/adr/0005-preventing-using-contributed-code-when-building-images.md
@@ -108,7 +108,7 @@ but to make sure that the following rules are in-place:
to our repository
```yaml
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
with:
ref: ${{ env.TARGET_COMMIT_SHA }}
persist-credentials: false
diff --git a/scripts/ci/constraints/ci_commit_constraints.sh
b/scripts/ci/constraints/ci_commit_constraints.sh
index f200628229..727ddcf625 100755
--- a/scripts/ci/constraints/ci_commit_constraints.sh
+++ b/scripts/ci/constraints/ci_commit_constraints.sh
@@ -15,7 +15,7 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
-cd repo || exit 1
+cd constraints || exit 1
git config --local user.email "[email protected]"
git config --local user.name "Automated GitHub Actions commit"
git diff --color --exit-code --ignore-matching-lines="^#.*" || \
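Review bot: the checkout directory name `constraints` is now spelled out independently in `ci.yml` (`path:` and `working-directory:`), in this script, in `ci_diff_constraints.sh`, and in the pre-commit check; renaming it in one place silently breaks the others (this script would `exit 1`, the pre-commit exemption would stop matching). Consider passing the directory in as an environment variable from the workflow so there is a single definition.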
diff --git a/scripts/ci/constraints/ci_diff_constraints.sh
b/scripts/ci/constraints/ci_diff_constraints.sh
index 134a8aeb5c..348cb63b1a 100755
--- a/scripts/ci/constraints/ci_diff_constraints.sh
+++ b/scripts/ci/constraints/ci_diff_constraints.sh
@@ -15,6 +15,6 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
-cp -v ./files/constraints-*/constraints*.txt repo/
-cd repo || exit 1
+cp -v ./files/constraints-*/constraints*.txt constraints/
+cd constraints || exit 1
git diff --color --exit-code --ignore-matching-lines="^#.*" || echo "No
changes in constraints"
diff --git a/scripts/ci/pre_commit/pre_commit_checkout_no_credentials.py
b/scripts/ci/pre_commit/pre_commit_checkout_no_credentials.py
index f0406d4374..15c0650e18 100755
--- a/scripts/ci/pre_commit/pre_commit_checkout_no_credentials.py
+++ b/scripts/ci/pre_commit/pre_commit_checkout_no_credentials.py
@@ -48,6 +48,13 @@ def check_file(the_file: Path) -> int:
console.print(f"\n[red]The `with` clause is missing in
step:[/]\n\n{pretty_step}")
error_num += 1
continue
+ path = with_clause.get("path")
+ if path == "constraints":
+ # This is a special case - we are ok with persisting
credentials in constraints
+ # step, because we need them to push constraints back to
the repository in "canary"
+ # build. This is ok for security, because we are pushing
it only in the `main` branch
+ # of the repository and only for unprotected constraints
branch
+ continue
persist_credentials = with_clause.get("persist-credentials")
if persist_credentials is None:
console.print(
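Review bot: the exemption `if path == "constraints": continue` is broader than its comment claims. It skips the check for any checkout step whose `path` is `constraints`, in any workflow file and for any `ref`, and it does not verify the conditions the comment lists (`main` branch only, unprotected constraints branch). At minimum also require the step to live in `ci.yml` and to carry an explicit `persist-credentials: true`, so that an accidental omission in a step that happens to use that path is still flagged, and reword the comment to describe what is actually enforced rather than what the workflow is assumed to do.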
@@ -80,7 +87,7 @@ set to False.[/]
For security reasons - make sure all of the checkout actions have
persist_credentials set, similar to:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false