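name: Build
# NOTE(review): no top-level `permissions:` is declared, so GITHUB_TOKEN runs with the
# repository default. The tag push in build-gitpod and the PR-body update in install need
# write scopes; pin least-privilege permissions per job once those scopes are confirmed.
# NOTE(review): third-party actions are referenced by mutable tags (e.g. @v3); pinning each
# to a full commit SHA makes the supply chain tamper-evident.
on:
  pull_request:
    types: [opened, edited]
  push:
  workflow_dispatch:
    inputs:
      recreate_vm:
        required: true
        type: string
        description: "Whether to recreate the VM"
        # Quoted on purpose: the input is declared as a string, not a boolean.
        default: "false"

jobs:
  # Provisions the self-hosted runner every other job runs on; torn down by delete-runner.
  create-runner:
    uses: ./.github/workflows/create_runner.yml
    secrets: inherit
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-create-runner
      cancel-in-progress: false

  # Derives build switches from the PR body checkboxes and publishes them as job outputs.
  configuration:
    name: Configure job parameters
    runs-on: ${{ needs.create-runner.outputs.label }}
    needs: [create-runner]
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-configuration
      cancel-in-progress: true
    outputs:
      is_main_branch: ${{ (github.head_ref || github.ref) == 'refs/heads/main' }}
      version: ${{ steps.branches.outputs.sanitized-branch-name }}-gha.${{github.run_number}}
      # contains() is case-insensitive, so the mixed `[x]` / `[X]` spellings below are equivalent.
      preview_enable: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft with-preview') }}
      preview_infra_provider: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft with-gce-vm') && 'gce' || 'harvester' }}
      build_no_cache: ${{ contains( steps.pr-details.outputs.pr_body, '[x] leeway-no-cache') }}
      build_no_test: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft no-test') }}
      with_large_vm: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft with-large-vm') }}
      publish_to_npm: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft publish-to-npm') }}
      publish_to_jbmp: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft publish-to-jb-marketplace') }}
      with_dedicated_emulation: ${{ contains( steps.pr-details.outputs.pr_body, '[X] with-dedicated-emulation') }}
      analytics: ${{ steps.output.outputs.analytics }}
      workspace_feature_flags: ${{ steps.output.outputs.workspace_feature_flags }}
      pr_no_diff_skip: ${{ steps.pr-diff.outputs.pr_no_diff_skip }}
      with_werft: ${{ steps.output.outputs.with-werft }}
      with_integration_tests: ${{ steps.output.outputs.with_integration_tests }}
      with_monitoring: ${{ contains( steps.pr-details.outputs.pr_body, '[x] with-monitoring') }}
      latest_ide_version: ${{ contains( steps.pr-details.outputs.pr_body, '[x] latest-ide-version=true') }}
      leeway_cache_bucket: ${{ steps.output.outputs.leeway_cache_bucket }}
      pr_number: ${{ steps.pr-details.outputs.number }}
      pr_body: ${{ steps.pr-details.outputs.pr_body }}
    steps:
      - name: "Determine Branch"
        id: branches
        uses: transferwise/sanitize-branch-name@v1
      # Since we trigger this workflow on other event types, besides pull_request
      # We use this action to help us get the pr body, as it's not included in push/workflow_dispatch events
      # NOTE(review): this action reference reads as garbled by page rendering; verify it against the repository.
      - uses: 8BitJonny/[email protected]
        id: pr-details
        with:
          sha: ${{ github.event.pull_request.head.sha }}
      # If the PR got edited, but no checkbox changes occurred, we don't want to run the whole build
      # Therefore we set a flag and use it to skip the next jobs
      - name: "Check PR diff"
        id: pr-diff
        if: (github.event_name == 'pull_request' && github.event.action == 'edited')
        # PR bodies are user-controlled; they reach the script through env only, never by interpolation.
        env:
          PR_DESC: "${{ steps.pr-details.outputs.pr_body }}"
          OLD_BODY: "${{ github.event.changes.body.from }}"
        # Deliberately left on the runner's default shell: an explicit `shell: bash` enables pipefail,
        # and diff exits 1 whenever the bodies differ, which would turn a found checkbox change into a skip.
        run: |
          if ! diff <(echo "$OLD_BODY") <(echo "$PR_DESC") | grep -e '\[x\]' -e '\[X\]'; then
            echo "pr_no_diff_skip=true" >> "$GITHUB_OUTPUT"
          fi
      - name: "Set outputs"
        id: output
        env:
          PR_DESC: "${{ steps.pr-details.outputs.pr_body }}"
          MAIN_BRANCH: ${{ (github.head_ref || github.ref) == 'refs/heads/main' }}
        shell: bash
        run: |
          {
            echo "workspace_feature_flags=$(echo "$PR_DESC" | grep -oiP '(?<=\[x\] workspace-feature-flags=).*?(?=\s*$)')"
            echo "with_integration_tests=$(echo "$PR_DESC" | grep -oiP '(?<=\[x\] with-integration-tests=).*?(?=\s*$)')"
            echo "analytics=$(echo "$PR_DESC" | grep -oiP '(?<=\[x\] analytics=).*?(?=\s*$)')"
            echo "leeway_cache_bucket=$([[ "$MAIN_BRANCH" = "true" ]] && echo "gitpod-core-leeway-cache-main" || echo "gitpod-core-leeway-cache-branch")"
          } >> "$GITHUB_OUTPUT"

  build-previewctl:
    name: Build previewctl
    if: |
      (needs.configuration.outputs.pr_no_diff_skip != 'true') &&
      (needs.configuration.outputs.preview_enable == 'true')
    needs: [configuration, create-runner]
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-build-previewctl
      cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
    runs-on: ${{ needs.create-runner.outputs.label }}
    container:
      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-new-dev-image-gha.13182
    outputs:
      previewctl_hash: ${{ steps.build.outputs.previewctl_hash }}
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-environment
        with:
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }}
      - name: Build previewctl
        id: build
        shell: bash
        # The version goes through env rather than being interpolated into the script, so the
        # expression value is shell data and cannot change the command that runs.
        env:
          VERSION: ${{ needs.configuration.outputs.version }}
        run: |
          leeway build dev/preview/previewctl:docker -Dversion="${VERSION}"
          echo "previewctl_hash=$(leeway describe dev/preview/previewctl:docker -Dversion="${VERSION}" -t '{{ .Metadata.Version }}')" >> "$GITHUB_OUTPUT"

  infrastructure:
    needs: [configuration, build-previewctl, create-runner]
    if: |
      (needs.configuration.outputs.pr_no_diff_skip != 'true') &&
      (needs.configuration.outputs.preview_enable == 'true') &&
      (needs.configuration.outputs.is_main_branch != 'true')
    runs-on: ${{ needs.create-runner.outputs.label }}
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@v3
      - name: Create preview environment infrastructure
        id: create
        uses: ./.github/actions/preview-create
        with:
          name: ${{ github.head_ref || github.ref_name }}
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          infrastructure_provider: ${{ needs.configuration.outputs.preview_infra_provider }}
          previewctl_hash: ${{ needs.build-previewctl.outputs.previewctl_hash }}
          large_vm: ${{ needs.configuration.outputs.with_large_vm }}
          recreate_vm: ${{ inputs.recreate_vm }}

  build-gitpod:
    name: Build Gitpod
    needs: [configuration, create-runner]
    runs-on: ${{ needs.create-runner.outputs.label }}
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-build-gitpod
      cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
    services:
      mysql:
        image: mysql:5.7
        env:
          # Throwaway credential for the job-local test database only.
          MYSQL_ROOT_PASSWORD: test
          MYSQL_TCP_PORT: 23306
        ports:
          # Quoted so no YAML loader can read the mapping as a number.
          - "23306:23306"
    container:
      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-new-dev-image-gha.13182
      env:
        DB_HOST: "mysql"
        DB_PORT: "23306"
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-environment
        with:
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }}
      - name: Leeway Vet
        shell: bash
        run: |
          leeway vet --ignore-warnings
      - name: Pre-Commit Checks
        shell: bash
        run: |
          RESULT=0
          pre-commit run --show-diff-on-failure || RESULT=$?
          if [ "$RESULT" -ne 0 ]; then
            echo "::error title=The Pre-Commit Checks Failed.::Please run 'pre-commit run --show-diff-on-failure'"
          fi
          exit "$RESULT"
      - name: Get Secrets from GCP
        id: "secrets"
        uses: "google-github-actions/get-secretmanager-secrets@v1"
        with:
          secrets: |-
            segment-io-token:gitpod-core-dev/segment-io-token
            npm-auth-token:gitpod-core-dev/npm-auth-token
            jb-marketplace-publish-token:gitpod-core-dev/jb-marketplace-publish-token
            codecov-token:gitpod-core-dev/codecov
      - name: Dev Build
        id: dev-build
        env:
          JAVA_HOME: /home/gitpod/.sdkman/candidates/java/current
          VERSION: ${{needs.configuration.outputs.version}}
        shell: bash
        run: |
          RESULT=0
          set -x
          leeway build dev:all \
            --docker-build-options network=host \
            --cache remote \
            -Dversion=$VERSION \
            -DlocalAppVersion=$VERSION \
            -DimageRepoBase=eu.gcr.io/gitpod-core-dev/dev \
            --report large-report.html || RESULT=$?
          set +x
          # capture logs for the dev/image build, they're too big for GITHUB_STEP_SUMMARY
          pup -p -f large-report.html '[id="dev/image:docker"] + details + details' > remove.txt
          # remove logs for the dev/image build output from the report file
          grep -vxFf remove.txt large-report.html > report.html
          cat report.html >> "$GITHUB_STEP_SUMMARY"
          exit $RESULT
      - name: Leeway Build
        id: leeway
        shell: bash
        env:
          DB_HOST: "mysql"
          DB_PORT: "23306"
          NODE_OPTIONS: "--max_old_space_size=4096"
          JAVA_HOME: /home/gitpod/.sdkman/candidates/java/current
          VERSION: ${{needs.configuration.outputs.version}}
          SEGMENT_IO_TOKEN: "${{ steps.secrets.outputs.segment-io-token }}"
          PR_NO_CACHE: ${{needs.configuration.outputs.build_no_cache}}
          PR_NO_TEST: ${{needs.configuration.outputs.build_no_test}}
          NPM_AUTH_TOKEN: "${{ steps.secrets.outputs.npm-auth-token }}"
          PUBLISH_TO_NPM: ${{ needs.configuration.outputs.publish_to_npm == 'true' || needs.configuration.outputs.is_main_branch == 'true' }}
          JB_MARKETPLACE_PUBLISH_TOKEN: "${{ steps.secrets.outputs.jb-marketplace-publish-token }}"
          PUBLISH_TO_JBPM: ${{ needs.configuration.outputs.publish_to_jbmp == 'true' || needs.configuration.outputs.is_main_branch == 'true' }}
          CODECOV_TOKEN: "${{ steps.secrets.outputs.codecov-token }}"
        run: |
          [[ "$PR_NO_CACHE" = "true" ]] && CACHE="none" || CACHE="remote"
          [[ "$PR_NO_TEST" = "true" ]] && TEST="--dont-test" || TEST=""
          [[ "${PUBLISH_TO_NPM}" = 'true' ]] && NPM_PUBLISH_TRIGGER=$(date +%s%3N) || NPM_PUBLISH_TRIGGER="false"
          RESULT=0
          # NOTE(review): `set -x` echoes the expanded command line, including -DSEGMENT_IO_TOKEN, into
          # the job log. This relies on the get-secretmanager-secrets step registering its outputs with
          # the log masker — confirm that before relying on it.
          set -x
          # CI=true is a var set by GHA. Unsetting it for the build, as yarn builds treat warnings as errors if that var is set to true
          CI= leeway build \
            --cache $CACHE \
            $TEST \
            -Dversion=$VERSION \
            --docker-build-options network=host \
            -DlocalAppVersion=$VERSION \
            -DSEGMENT_IO_TOKEN=$SEGMENT_IO_TOKEN \
            -DpublishToNPM="${PUBLISH_TO_NPM}" \
            -DnpmPublishTrigger="${NPM_PUBLISH_TRIGGER}" \
            -DpublishToJBMarketplace="${PUBLISH_TO_JBPM}" \
            -DimageRepoBase=eu.gcr.io/gitpod-core-dev/build \
            --report report.html || RESULT=$?
          set +x
          cat report.html >> "$GITHUB_STEP_SUMMARY"
          # GitHub rejects oversized step summaries, so truncate to 1 MB and flag it.
          SUMMARY_SIZE=$(wc -c < "$GITHUB_STEP_SUMMARY")
          if [[ $SUMMARY_SIZE -gt 1000000 ]]; then
            head -c 1000000 "$GITHUB_STEP_SUMMARY" > "$GITHUB_STEP_SUMMARY.tmp"
            mv "$GITHUB_STEP_SUMMARY.tmp" "$GITHUB_STEP_SUMMARY"
            (
              echo '.....'
              echo ''
              echo ':x: **WARNING: Summary is too large and has been truncated.**'
              echo ''
            ) >> "$GITHUB_STEP_SUMMARY"
          fi
          exit $RESULT
      - name: Tag the release
        if: github.ref == 'refs/heads/main'
        run: |
          git config --global user.name "$GITHUB_USER"
          git config --global user.email "$GITHUB_EMAIL"
          git tag -a "${VERSION}" -m "Release ${VERSION}"
          git push origin "${VERSION}"
        env:
          GITHUB_USER: roboquat
          # NOTE(review): this address reads as garbled by page rendering; verify it against the repository.
          GITHUB_EMAIL: [email protected]
          VERSION: ${{ needs.configuration.outputs.version }}
      - name: Trigger release workflow in dedicated
        if: github.ref == 'refs/heads/main'
        # All dynamic values enter through env so the JSON body is built from shell variables,
        # not from expressions expanded into the script text.
        env:
          TOKEN: ${{ secrets.GH_WORKFLOW_TRIGGER_PAT }}
          RELEASE_VERSION: ${{ needs.configuration.outputs.version }}
          INSTALLATION_COMMIT: ${{ github.sha }}
        run: |
          PAYLOAD=$(cat <<EOF
          {
            "event_type": "create_release",
            "client_payload": {
              "env": "staging",
              "release": "${RELEASE_VERSION}",
              "installation_repo": "https://github.com/gitpod-io/gitpod",
              "installation_commit": "${INSTALLATION_COMMIT}"
            }
          }
          EOF
          )
          curl -f -X POST \
            -H "Authorization: token ${TOKEN}" \
            -H "Accept: application/vnd.github.everest-preview+json" \
            "https://api.github.com/repos/gitpod-io/gitpod-dedicated/dispatches" \
            -d "${PAYLOAD}"

  install-app:
    runs-on: ${{ needs.create-runner.outputs.label }}
    needs: [configuration, build-gitpod, create-runner]
    if: ${{ needs.configuration.outputs.is_main_branch == 'true' }}
    steps:
      # NOTE(review): this action reference reads as garbled by page rendering; verify it against the repository.
      - uses: gitpod-io/[email protected]
        id: auth
        with:
          private-key: ${{ secrets.ACTIONS_APP_PKEY }}
          app-id: 308947
          installation-id: 35574470
      - name: trigger installation
        uses: actions/github-script@v6
        # Passed via env and read with process.env so the value is never spliced into JavaScript source.
        env:
          VERSION: ${{ needs.configuration.outputs.version }}
        with:
          github-token: ${{ steps.auth.outputs.token }}
          script: |
            const result = await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: 'gitpod-dedicated',
              workflow_id: 'install-app.yaml',
              ref: 'main',
              inputs: {
                "version": process.env.VERSION
              }
            })

  install:
    name: "Install Gitpod"
    needs:
      - configuration
      - build-previewctl
      - build-gitpod
      - infrastructure
      - create-runner
    runs-on: ${{ needs.create-runner.outputs.label }}
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
      cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
    steps:
      - uses: actions/checkout@v3
      - name: Deploy Gitpod to the preview environment
        id: deploy-gitpod
        uses: ./.github/actions/deploy-gitpod
        with:
          name: ${{ github.head_ref || github.ref_name }}
          version: ${{needs.configuration.outputs.version}}
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          previewctl_hash: ${{ needs.build-previewctl.outputs.previewctl_hash }}
          with_dedicated_emu: ${{needs.configuration.outputs.with_dedicated_emulation}}
          analytics: ${{needs.configuration.outputs.analytics}}
          workspace_feature_flags: ${{needs.configuration.outputs.workspace_feature_flags}}
      # Replaces the `gitpod:summary` marker in the PR body with the deploy report.
      - uses: actions/github-script@v6
        if: needs.configuration.outputs.pr_number != '' && contains(needs.configuration.outputs.pr_body, 'gitpod:summary')
        # Both values enter via env: the report is free-form text, and interpolating it into a
        # template literal would break (or be interpreted as code) if it contained a backtick.
        env:
          PR_NUMBER: ${{ needs.configuration.outputs.pr_number }}
          REPORT_BASE64: ${{ steps.deploy-gitpod.outputs.report }}
        with:
          script: |
            const prNumber = Number(process.env.PR_NUMBER);
            const summaryEncoded = process.env.REPORT_BASE64;
            const summary = Buffer.from(summaryEncoded, 'base64').toString('utf8');
            const { data: pr } = await github.rest.pulls.get({
              ...context.repo,
              pull_number: prNumber,
            });
            const prBody = pr.body;
            // A function replacer inserts the summary verbatim; a string replacer would expand
            // `$&`-style patterns that may occur in the report.
            const newBody = prBody.replace('gitpod:summary', () => summary);
            await github.rest.pulls.update({
              ...context.repo,
              pull_number: prNumber,
              body: newBody,
            });

  monitoring:
    name: "Install Monitoring Satellite"
    # `configuration` is listed explicitly because the `if` below reads its outputs; the needs
    # context is only guaranteed for direct dependencies.
    needs: [configuration, infrastructure, build-previewctl, create-runner]
    runs-on: ${{ needs.create-runner.outputs.label }}
    if: needs.configuration.outputs.with_monitoring == 'true'
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-monitoring
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@v3
      - name: Deploy monitoring satellite to the preview environment
        id: deploy-monitoring-satellite
        uses: ./.github/actions/deploy-monitoring-satellite
        with:
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          previewctl_hash: ${{ needs.build-previewctl.outputs.previewctl_hash }}

  integration-test:
    name: "Run integration test"
    needs:
      - configuration
      - build-previewctl
      - build-gitpod
      - infrastructure
      - install
      - create-runner
    runs-on: ${{ needs.create-runner.outputs.label }}
    container:
      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-new-dev-image-gha.13182
    if: needs.configuration.outputs.with_integration_tests != ''
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-integration-test
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-environment
        with:
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }}
      - name: Run integration test
        shell: bash
        env:
          ROBOQUAT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          INTEGRATION_TEST_USERNAME: ${{ secrets.IDE_INTEGRATION_TEST_USERNAME }}
          INTEGRATION_TEST_USER_TOKEN: ${{ secrets.IDE_INTEGRATION_TEST_USER_TOKEN }}
          PREVIEW_NAME: ${{ github.head_ref || github.ref_name }}
          TEST_SUITS: ${{ needs.configuration.outputs.with_integration_tests }}
          TEST_USE_LATEST_VERSION: ${{ needs.configuration.outputs.latest_ide_version }}
          TEST_BUILD_ID: ${{ github.run_id }}
          TEST_BUILD_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          TEST_BUILD_REF: ${{ github.head_ref || github.ref }}
        # PREVIEW_ENV_DEV_SA_KEY_PATH is not set in this file; presumably exported by
        # setup-environment — confirm against that action.
        # TEST_SUITS is left unquoted on purpose so a space-separated list expands to several arguments.
        run: |
          leeway run dev/preview/previewctl:install
          echo "Setting up access to core-dev and harvester"
          previewctl get-credentials --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
          previewctl install-context --branch "${PREVIEW_NAME}" --log-level debug --timeout 1m --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
          "$GITHUB_WORKSPACE"/test/run.sh -s ${TEST_SUITS}

  # Runs regardless of upstream outcome so the runner is always released.
  delete-runner:
    if: always()
    needs:
      - create-runner
      - configuration
      - build-previewctl
      - infrastructure
      - build-gitpod
      - install-app
      - install
      - monitoring
      - integration-test
    uses: ./.github/workflows/remove_runner.yml
    secrets: inherit
    with:
      runner-label: ${{ needs.create-runner.outputs.label }}
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-delete-runner
      cancel-in-progress: false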