[DT-1122] Apply zizmor suggestions #1879

Merged (1 commit) on Jan 9, 2025
10 changes: 7 additions & 3 deletions .github/workflows/cherry-pick-image.yaml
Expand Up @@ -42,8 +42,12 @@ jobs:
gcloud auth activate-service-account --key-file ${GOOGLE_APPLICATION_CREDENTIALS}
- name: "Perform cherry-pick"
run: |
SOURCE_IMAGE="${{ inputs.source_gcr_url }}:${{ inputs.gcr_tag }}"
TARGET_IMAGE="${{ inputs.target_gcr_url }}:${{ inputs.gcr_tag }}"
echo "Cherry picking ${{ inputs.gcr_tag }} from ${SOURCE_IMAGE} to ${TARGET_IMAGE}"
SOURCE_IMAGE="${SOURCE_GCR_URL}:${GCR_TAG}"
TARGET_IMAGE="${TARGET_GCR_URL}:${GCR_TAG}"
echo "Cherry picking ${GCR_TAG} from ${SOURCE_IMAGE} to ${TARGET_IMAGE}"
gcloud container images add-tag --quiet "${SOURCE_IMAGE}" "${TARGET_IMAGE}"
env:
SOURCE_GCR_URL: ${{ inputs.source_gcr_url }}
TARGET_GCR_URL: ${{ inputs.target_gcr_url }}
GCR_TAG: ${{ inputs.gcr_tag }}
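Review bot: reading the three `${{ inputs.* }}` values through `SOURCE_GCR_URL`, `TARGET_GCR_URL` and `GCR_TAG` and double-quoting every use is the right fix for the template-injection pattern: an input such as `x"; curl ...` now reaches `gcloud` as one literal argument instead of being spliced into the script. Two loose ends in the same step: the context line above still expands `${GOOGLE_APPLICATION_CREDENTIALS}` unquoted, and nothing checks that `GCR_TAG` actually looks like an image tag before it is handed to `gcloud container images add-tag`, so a guard such as `[[ "${GCR_TAG}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]] || exit 1` ahead of the `add-tag` call would make a bad dispatch input fail early with a clear message.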

9 changes: 6 additions & 3 deletions .github/workflows/dev-image-update.yaml
Expand Up @@ -24,6 +24,7 @@ jobs:
with:
ref: develop
token: ${{ secrets.BROADBOT_TOKEN }}
persist-credentials: false
- name: "Bump the tag to a new version"
id: bumperstep
uses: broadinstitute/datarepo-actions/actions/[email protected]
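Review bot: this checkout passes `token: ${{ secrets.BROADBOT_TOKEN }}` and now also sets `persist-credentials: false`, so the token is used for the clone but is no longer written into `.git/config` for later steps; if the bumper step that follows pushes the new tag with a plain `git push`, it loses its credentials with this change. Its `with:` block is cut off in the diff, so confirm the bumper action receives the token through its own inputs before relying on this, or limit the new setting to checkouts that never push.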
Expand All @@ -44,14 +45,15 @@ jobs:
uses: actions/checkout@v3
with:
ref: ${{ needs.bump_version.outputs.api_image_tag }}
persist-credentials: false
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
cache: 'gradle'
- name: "Publish to Artifactory"
uses: gradle/gradle-build-action@v2
uses: gradle/gradle-build-action@v2.12.0
with:
arguments: ':datarepo-client:artifactoryPublish'
env:
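Review bot: `gradle/gradle-build-action@v2.12.0` is a tag pin, and tags can be moved after the fact, so this only partly addresses an unpinned-uses finding; if the goal is an immutable reference, pin to the commit SHA and keep the version in a trailing comment (`uses: gradle/gradle-build-action@<commit-sha> # v2.12.0`). In the same hunk `actions/checkout@v3` and `actions/setup-java@v3` stay on floating major tags, and they are also one major behind the `@v4` versions used further down in this file.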
Expand All @@ -68,6 +70,7 @@ jobs:
uses: actions/checkout@v3
with:
ref: ${{ needs.bump_version.outputs.api_image_tag }}
persist-credentials: false
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
Expand All @@ -80,10 +83,10 @@ jobs:
base64 --decode <<< ${{ secrets.SA_B64_CREDENTIALS }} > ${GOOGLE_APPLICATION_CREDENTIALS}
jq -r .private_key ${GOOGLE_APPLICATION_CREDENTIALS} > ${GOOGLE_SA_CERT}
chmod 644 ${GOOGLE_SA_CERT}
# Set tag to semver version
export GCR_TAG=${{ needs.bump_version.outputs.api_image_tag }}
# Build, tag and push the image
./gradlew jib
env:
GCR_TAG: ${{ needs.bump_version.outputs.api_image_tag }}
Comment on lines +88 to +89
Contributor Author: This should work to replace the export call.

cherry_pick_image_to_production_gcr:
needs: [bump_version, build_container_and_publish]
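Review bot: replacing `export GCR_TAG=${{ ... }}` with the `env:` entry is correct, but the two context lines just above keep the same inline-expansion pattern for a secret: `base64 --decode <<< ${{ secrets.SA_B64_CREDENTIALS }}` writes the secret value into the generated script text instead of reading it from the environment. Move it to `env:` as well and quote it, e.g. `base64 --decode <<< "${SA_B64_CREDENTIALS}" > "${GOOGLE_APPLICATION_CREDENTIALS}"`, and quote the `jq` and `chmod` arguments for the same reason. Separately, `chmod 644 ${GOOGLE_SA_CERT}` leaves the extracted private key readable by every user on the runner; unless a later step runs as a different user and needs it, `600` is sufficient.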
2 changes: 2 additions & 0 deletions .github/workflows/helmtagbumper.yaml
Expand Up @@ -11,6 +11,7 @@ jobs:
with:
fetch-depth: 0
ref: develop
persist-credentials: false
- name: 'Fetch latest jade-data-repo image tag'
id: apiprevioustag
run: |
Expand All @@ -22,6 +23,7 @@ jobs:
repository: 'broadinstitute/datarepo-helm'
path: datarepo-helm
token: "${{ secrets.BROADBOT_TOKEN }}"
persist-credentials: false
- name: "[datarepo-helm] [value.yaml] Update image tag"
uses: docker://mikefarah/yq:3
with:
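Review bot: same question as for the other `token:` checkouts: this clones `broadinstitute/datarepo-helm` into `datarepo-helm` with `BROADBOT_TOKEN`, drops the credential, and the very next step edits the image tag in that clone; whatever commits and pushes that edit back to datarepo-helm must now be given the token explicitly (for example as an env var on the push step), otherwise the job fails at push time. Unrelated to this hunk but visible in its context: `docker://mikefarah/yq:3` is a floating major tag on a Docker Hub image, so if unpinned-uses is the finding being worked through, that line wants a digest pin too.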
7 changes: 7 additions & 0 deletions .github/workflows/int-and-connected-test-run.yml
Expand Up @@ -18,6 +18,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
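Review bot: `persist-credentials: false` is the right setting for a test job that only reads the repository, and the same `with:` addition is applied consistently to the other three checkouts in this file. The only behavioural change is that later steps no longer find a cached token in `.git/config`, which matters solely if one of them runs `git push` or a `gh` command; nothing in the visible lines does, so this looks safe.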
Expand All @@ -44,6 +45,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
Expand Down Expand Up @@ -92,6 +95,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
Expand Down Expand Up @@ -153,6 +158,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Get the latest git hash
id: config
run: |
2 changes: 2 additions & 0 deletions .github/workflows/release-python-client.yaml
Expand Up @@ -24,6 +24,8 @@ jobs:
id-token: write
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Set up Python 3.7
uses: actions/setup-python@v4
with:
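Review bot: dropping the cached git credential is especially worthwhile here, because the job already holds `id-token: write` (the permission used for OIDC-based publishing) and the persisted token would be a second credential sitting next to it. A follow-up for the same file, not a zizmor finding: the next step sets up Python 3.7, which reached end of life in June 2023 and no longer receives security fixes.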
8 changes: 6 additions & 2 deletions .github/workflows/staging-smoke-tests.yaml
Expand Up @@ -28,6 +28,7 @@ jobs:
uses: actions/checkout@v3
with:
fetch-depth: 0
persist-credentials: false
- name: "Setup Java 17"
uses: actions/setup-java@v3
with:
Expand All @@ -43,8 +44,11 @@ jobs:
- name: "Checkout tag for DataBiosphere/jade-data-repo"
if: github.ref == 'refs/heads/develop'
run: |
git checkout ${{ steps.configuration.outputs.staging_version }}
echo "Current branch is ${{ github.ref }}"
git checkout "${STAGING_VERSION}"
echo "Current branch is ${GITHUB_REF}"
env:
STAGING_VERSION: ${{ steps.configuration.outputs.staging_version }}
GITHUB_REF: ${{ github.ref }}
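Review bot: `GITHUB_REF` is already set by the runner for every step, so the `GITHUB_REF: ${{ github.ref }}` entry under `env:` assigns the same value it already has and can be dropped; only `STAGING_VERSION` needs the indirection. `git checkout "${STAGING_VERSION}"` now passes the step output as a single argument, which closes the injection, but a value starting with `-` would still be parsed by git as an option, so validate it against the project's version-tag pattern before the checkout (a one-line `[[ ... =~ ... ]] || exit 1` guard is enough).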
- name: "Perform IAM policy cleanup for staging"
run: |
# write token
5 changes: 4 additions & 1 deletion .github/workflows/tag.yml
Expand Up @@ -50,6 +50,7 @@ jobs:
with:
ref: ${{ inputs.ref }}
token: ${{ secrets.BROADBOT_TOKEN }} # this allows the push to succeed later
persist-credentials: false
Contributor Author: I'm not sure about this one given the previous line

Contributor: I think we can always roll it back if necessary.

- name: Bump the tag to a new version
# https://github.com/DataBiosphere/github-actions/tree/master/actions/bumper
uses: databiosphere/github-actions/actions/[email protected]
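Review bot: the inline comment on the `token:` line says the token is there so that a later push succeeds, and `persist-credentials: false` on the next line is precisely what stops the checkout from keeping that token for later steps, so the two lines now contradict each other. Confirm that the bumper action in the following step takes the token through its own inputs and performs its own authenticated push; if it does, rewrite the comment to say the token is only needed for the checkout, and if it relies on the cached credential this workflow will fail on its first tag push after merge.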
Expand All @@ -66,7 +67,9 @@ jobs:
- name: Echo tag to console
if: ${{ inputs.print-tag == 'true' }}
run: |
echo "Newly created version tag: '${{ steps.tag.outputs.new_tag }}'"
echo "Newly created version tag: '${NEW_TAG}'"
echo "build.gradle"
echo "==============="
cat build.gradle
env:
NEW_TAG: ${{ steps.tag.outputs.new_tag }}
2 changes: 2 additions & 0 deletions .github/workflows/trivy.yml
Expand Up @@ -11,6 +11,8 @@ jobs:
steps:
- name: Check out the code
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Set up JDK 17 and cache Gradle build
uses: actions/setup-java@v4
with: