[Snyk] Security upgrade ws from 7.5.6 to 8.17.1 #46
name: Build

# Trigger set. `edited` is included on purpose: the `configuration` job reads
# its feature checkboxes from the PR description, so a description change has
# to re-run the pipeline.
on:
  pull_request:
    types:
      - opened
      - edited
  push:
  workflow_dispatch:
    inputs:
      recreate_vm:
        required: true
        type: string
        description: 'Whether to recreate the VM'
        default: 'false'
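# NOTE(review): every external action below is referenced by a mutable tag
# (`@v3`, `@v1`, ...). Pinning them to full commit SHAs would keep an upstream
# tag move from changing what runs with this workflow's secrets.
jobs:
  # Provisions the self-hosted runner every later job runs on; `secrets: inherit`
  # forwards all of the caller's secrets to the reusable workflow.
  create-runner:
    uses: ./.github/workflows/create_runner.yml
    secrets: inherit
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-create-runner
      cancel-in-progress: false

  # Derives every flag the later jobs consume. Most of them come from checkboxes
  # in the PR body, i.e. from text the PR author controls, so downstream jobs
  # must treat them as data (compare them, pass them through env) and never
  # splice them into shell or script source.
  configuration:
    name: Configure job parameters
    runs-on: ${{ needs.create-runner.outputs.label }}
    needs: [create-runner]
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-configuration
      cancel-in-progress: true
    outputs:
      is_main_branch: ${{ (github.head_ref || github.ref) == 'refs/heads/main' }}
      # sanitized branch name + run number; this is what gets tagged and published
      version: ${{ steps.branches.outputs.sanitized-branch-name }}-gha.${{github.run_number}}
      # contains() compares case-insensitively, so `[x]` and `[X]` both match.
      preview_enable: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft with-preview') }}
      preview_infra_provider: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft with-gce-vm') && 'gce' || 'harvester' }}
      build_no_cache: ${{ contains( steps.pr-details.outputs.pr_body, '[x] leeway-no-cache') }}
      build_no_test: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft no-test') }}
      with_large_vm: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft with-large-vm') }}
      # These two let a PR author opt into publishing with the job's tokens; the
      # build-gitpod job additionally forces them on for main.
      publish_to_npm: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft publish-to-npm') }}
      publish_to_jbmp: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft publish-to-jb-marketplace') }}
      with_dedicated_emulation: ${{ contains( steps.pr-details.outputs.pr_body, '[X] with-dedicated-emulation') }}
      analytics: ${{ steps.output.outputs.analytics }}
      workspace_feature_flags: ${{ steps.output.outputs.workspace_feature_flags }}
      pr_no_diff_skip: ${{ steps.pr-diff.outputs.pr_no_diff_skip }}
      with_werft: ${{ steps.output.outputs.with-werft }}
      with_integration_tests: ${{ steps.output.outputs.with_integration_tests }}
      with_monitoring: ${{ contains( steps.pr-details.outputs.pr_body, '[x] with-monitoring') }}
      latest_ide_version: ${{ contains( steps.pr-details.outputs.pr_body, '[x] latest-ide-version=true') }}
      leeway_cache_bucket: ${{ steps.output.outputs.leeway_cache_bucket }}
      pr_number: ${{ steps.pr-details.outputs.number }}
      pr_body: ${{ steps.pr-details.outputs.pr_body }}
    steps:
      - name: "Determine Branch"
        id: branches
        uses: transferwise/sanitize-branch-name@v1
      # Since we trigger this workflow on other event types, besides pull_request
      # We use this action to help us get the pr body, as it's not included in push/workflow_dispatch events
      # NOTE(review): the action ref below looks mangled by the page's e-mail
      # obfuscation; restore the repository's real `owner/repo@<ref>` here, ideally
      # pinned to a commit SHA, as this third-party action runs inside the job.
      - uses: 8BitJonny/[email protected]
        id: pr-details
        with:
          sha: ${{ github.event.pull_request.head.sha }}
      # If the PR got edited, but no checkbox changes occurred, we don't want to run the whole build
      # Therefore we set a flag and use it to skip the next jobs
      # Both bodies are handed to the shell through env, not interpolated into the
      # script, so their content cannot alter the commands that run.
      - name: "Check PR diff"
        id: pr-diff
        if: (github.event_name == 'pull_request' && github.event.action == 'edited')
        env:
          PR_DESC: "${{ steps.pr-details.outputs.pr_body }}"
          OLD_BODY: "${{ github.event.changes.body.from }}"
        run: |
          if ! diff <(echo "$OLD_BODY") <(echo "$PR_DESC") | grep -e '\[x\]' -e '\[X\]'; then
            echo "pr_no_diff_skip=true" >> $GITHUB_OUTPUT
          fi
      - name: "Set outputs"
        id: output
        env:
          PR_DESC: "${{ steps.pr-details.outputs.pr_body }}"
          MAIN_BRANCH: ${{ (github.head_ref || github.ref) == 'refs/heads/main' }}
        shell: bash
        run: |
          # Each value is taken from the first matching line only: `grep -o` prints
          # one line per match, and a second line written to GITHUB_OUTPUT would be
          # parsed as a further key=value pair.
          {
            echo "workspace_feature_flags=$(echo "$PR_DESC" | grep -oiP '(?<=\[x\] workspace-feature-flags=).*?(?=\s*$)' | head -n 1)"
            echo "with_integration_tests=$(echo "$PR_DESC" | grep -oiP '(?<=\[x\] with-integration-tests=).*?(?=\s*$)' | head -n 1)"
            echo "analytics=$(echo "$PR_DESC" | grep -oiP '(?<=\[x\] analytics=).*?(?=\s*$)' | head -n 1)"
            echo "leeway_cache_bucket=$([[ "$MAIN_BRANCH" = "true" ]] && echo "gitpod-core-leeway-cache-main" || echo "gitpod-core-leeway-cache-branch")"
          } >> $GITHUB_OUTPUT

  build-previewctl:
    name: Build previewctl
    if: |
      (needs.configuration.outputs.pr_no_diff_skip != 'true') &&
      (needs.configuration.outputs.preview_enable == 'true')
    needs: [configuration, create-runner]
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-build-previewctl
      cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
    runs-on: ${{ needs.create-runner.outputs.label }}
    container:
      # mutable tag; a digest would make the build environment reproducible
      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-new-dev-image-gha.13182
    outputs:
      previewctl_hash: ${{ steps.build.outputs.previewctl_hash }}
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-environment
        with:
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }}
      - name: Build previewctl
        id: build
        shell: bash
        # `version` is interpolated into the script text; it is built from the
        # sanitized branch name and the run number, and is kept double-quoted.
        run: |
          leeway build dev/preview/previewctl:docker -Dversion="${{needs.configuration.outputs.version}}"
          echo "previewctl_hash=$(leeway describe dev/preview/previewctl:docker -Dversion="${{needs.configuration.outputs.version}}" -t '{{ .Metadata.Version }}')" >> $GITHUB_OUTPUT

  infrastructure:
    needs: [configuration, build-previewctl, create-runner]
    if: |
      (needs.configuration.outputs.pr_no_diff_skip != 'true') &&
      (needs.configuration.outputs.preview_enable == 'true') &&
      (needs.configuration.outputs.is_main_branch != 'true')
    runs-on: ${{ needs.create-runner.outputs.label }}
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@v3
      - name: Create preview environment infrastructure
        id: create
        uses: ./.github/actions/preview-create
        with:
          name: ${{ github.head_ref || github.ref_name }}
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          infrastructure_provider: ${{ needs.configuration.outputs.preview_infra_provider }}
          previewctl_hash: ${{ needs.build-previewctl.outputs.previewctl_hash }}
          large_vm: ${{ needs.configuration.outputs.with_large_vm }}
          recreate_vm: ${{ inputs.recreate_vm }}

  build-gitpod:
    name: Build Gitpod
    needs: [configuration, create-runner]
    runs-on: ${{ needs.create-runner.outputs.label }}
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-build-gitpod
      cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
    services:
      mysql:
        image: mysql:5.7
        env:
          # throw-away credential for the job-local test database only
          MYSQL_ROOT_PASSWORD: test
          MYSQL_TCP_PORT: "23306"
        ports:
          - "23306:23306"
    container:
      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-new-dev-image-gha.13182
      env:
        DB_HOST: "mysql"
        DB_PORT: "23306"
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-environment
        with:
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }}
      - name: Leeway Vet
        shell: bash
        run: |
          leeway vet --ignore-warnings
      - name: Pre-Commit Checks
        shell: bash
        run: |
          RESULT=0
          pre-commit run --show-diff-on-failure || RESULT=$?
          if [ $RESULT -ne 0 ]; then
            echo "::error title=The Pre-Commit Checks Failed.::Please run 'pre-commit run --show-diff-on-failure'"
          fi
          exit "$RESULT"
      # Publishing tokens are fetched at build time and only reach the steps
      # below through env; they are never written to outputs of this job.
      - name: Get Secrets from GCP
        id: "secrets"
        uses: "google-github-actions/get-secretmanager-secrets@v1"
        with:
          secrets: |-
            segment-io-token:gitpod-core-dev/segment-io-token
            npm-auth-token:gitpod-core-dev/npm-auth-token
            jb-marketplace-publish-token:gitpod-core-dev/jb-marketplace-publish-token
            codecov-token:gitpod-core-dev/codecov
      - name: Dev Build
        id: dev-build
        env:
          JAVA_HOME: /home/gitpod/.sdkman/candidates/java/current
          VERSION: ${{needs.configuration.outputs.version}}
        shell: bash
        run: |
          RESULT=0
          set -x
          leeway build dev:all \
            --docker-build-options network=host \
            --cache remote \
            -Dversion=$VERSION \
            -DlocalAppVersion=$VERSION \
            -DimageRepoBase=eu.gcr.io/gitpod-core-dev/dev \
            --report large-report.html || RESULT=$?
          set +x
          # capture logs for the dev/image build, they're too big for GITHUB_STEP_SUMMARY
          pup -p -f large-report.html '[id="dev/image:docker"] + details + details' > remove.txt
          # remove logs for the dev/image build output from the report file
          grep -vxFf remove.txt large-report.html > report.html
          cat report.html >> $GITHUB_STEP_SUMMARY
          exit $RESULT
      - name: Leeway Build
        id: leeway
        shell: bash
        env:
          DB_HOST: "mysql"
          DB_PORT: "23306"
          NODE_OPTIONS: "--max_old_space_size=4096"
          JAVA_HOME: /home/gitpod/.sdkman/candidates/java/current
          VERSION: ${{needs.configuration.outputs.version}}
          SEGMENT_IO_TOKEN: "${{ steps.secrets.outputs.segment-io-token }}"
          PR_NO_CACHE: ${{needs.configuration.outputs.build_no_cache}}
          PR_NO_TEST: ${{needs.configuration.outputs.build_no_test}}
          NPM_AUTH_TOKEN: "${{ steps.secrets.outputs.npm-auth-token }}"
          # publishing is forced on for main and opt-in via PR checkbox otherwise
          PUBLISH_TO_NPM: ${{ needs.configuration.outputs.publish_to_npm == 'true' || needs.configuration.outputs.is_main_branch == 'true' }}
          JB_MARKETPLACE_PUBLISH_TOKEN: "${{ steps.secrets.outputs.jb-marketplace-publish-token }}"
          PUBLISH_TO_JBPM: ${{ needs.configuration.outputs.publish_to_jbmp == 'true' || needs.configuration.outputs.is_main_branch == 'true' }}
          CODECOV_TOKEN: "${{ steps.secrets.outputs.codecov-token }}"
        run: |
          [[ "$PR_NO_CACHE" = "true" ]] && CACHE="none" || CACHE="remote"
          [[ "$PR_NO_TEST" = "true" ]] && TEST="--dont-test" || TEST=""
          [[ "${PUBLISH_TO_NPM}" = 'true' ]] && NPM_PUBLISH_TRIGGER=$(date +%s%3N) || NPM_PUBLISH_TRIGGER="false"
          RESULT=0
          set -x
          # CI=true is a var set by GHA. Unsetting it for the build, as yarn builds treat warnings as errors if that var is set to true
          CI= leeway build \
            --cache $CACHE \
            $TEST \
            -Dversion=$VERSION \
            --docker-build-options network=host \
            -DlocalAppVersion=$VERSION \
            -DSEGMENT_IO_TOKEN=$SEGMENT_IO_TOKEN \
            -DpublishToNPM="${PUBLISH_TO_NPM}" \
            -DnpmPublishTrigger="${NPM_PUBLISH_TRIGGER}" \
            -DpublishToJBMarketplace="${PUBLISH_TO_JBPM}" \
            -DimageRepoBase=eu.gcr.io/gitpod-core-dev/build \
            --report report.html || RESULT=$?
          set +x
          cat report.html >> $GITHUB_STEP_SUMMARY
          # the step summary has a size limit; keep the first 1 MB and say so
          SUMMARY_SIZE=$(wc -c < $GITHUB_STEP_SUMMARY)
          if [[ $SUMMARY_SIZE -gt 1000000 ]]; then
            head -c 1000000 $GITHUB_STEP_SUMMARY > $GITHUB_STEP_SUMMARY.tmp
            mv $GITHUB_STEP_SUMMARY.tmp $GITHUB_STEP_SUMMARY
            (
              echo '.....'
              echo ''
              echo ':x: **WARNING: Summary is too large and has been truncated.**'
              echo ''
            ) >> $GITHUB_STEP_SUMMARY
          fi
          exit $RESULT
      - name: Tag the release
        if: github.ref == 'refs/heads/main'
        run: |
          git config --global user.name "$GITHUB_USER"
          git config --global user.email "$GITHUB_EMAIL"
          git tag -a "${VERSION}" -m "Release ${VERSION}"
          git push origin "${VERSION}"
        env:
          GITHUB_USER: roboquat
          # NOTE(review): this address looks mangled by the page's e-mail
          # obfuscation; restore the real bot address from the repository.
          # Quoted because a leading `[` would otherwise parse as a flow sequence.
          GITHUB_EMAIL: "[email protected]"
          VERSION: ${{ needs.configuration.outputs.version }}
      # Runs on main only. `version` and `github.sha` are interpolated into the
      # JSON payload; on main, version is the sanitized branch name plus the run
      # number and the sha is a hex commit id, so neither should be able to
      # break out of the document.
      - name: Trigger release workflow in dedicated
        if: github.ref == 'refs/heads/main'
        run: |
          curl -f -X POST \
            -H "Authorization: token ${TOKEN}" \
            -H "Accept: application/vnd.github.everest-preview+json" \
            "https://api.github.com/repos/gitpod-io/gitpod-dedicated/dispatches" \
            -d '{
              "event_type": "create_release",
              "client_payload": {
                "env": "staging",
                "release": "${{needs.configuration.outputs.version}}",
                "installation_repo": "https://github.com/gitpod-io/gitpod",
                "installation_commit": "${{github.sha}}"
              }
            }'
        env:
          TOKEN: ${{ secrets.GH_WORKFLOW_TRIGGER_PAT }}

  install-app:
    runs-on: ${{ needs.create-runner.outputs.label }}
    needs: [configuration, build-gitpod, create-runner]
    if: ${{ needs.configuration.outputs.is_main_branch == 'true' }}
    steps:
      # NOTE(review): the action ref below looks mangled by the page's e-mail
      # obfuscation; restore the repository's real `owner/repo@<ref>` here and
      # pin it, as this step mints an installation token from a private key.
      - uses: gitpod-io/[email protected]
        id: auth
        with:
          private-key: ${{ secrets.ACTIONS_APP_PKEY }}
          app-id: 308947
          installation-id: 35574470
      - name: trigger installation
        uses: actions/github-script@v6
        env:
          VERSION: ${{ needs.configuration.outputs.version }}
        with:
          github-token: ${{ steps.auth.outputs.token }}
          script: |
            // VERSION is read from env rather than interpolated into the script
            // text, so its content can never change the JavaScript that runs.
            const result = await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: 'gitpod-dedicated',
              workflow_id: 'install-app.yaml',
              ref: 'main',
              inputs: {
                "version": process.env.VERSION
              }
            })

  install:
    name: "Install Gitpod"
    needs:
      - configuration
      - build-previewctl
      - build-gitpod
      - infrastructure
      - create-runner
    runs-on: ${{ needs.create-runner.outputs.label }}
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
      cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
    steps:
      - uses: actions/checkout@v3
      - name: Deploy Gitpod to the preview environment
        id: deploy-gitpod
        uses: ./.github/actions/deploy-gitpod
        with:
          name: ${{ github.head_ref || github.ref_name }}
          version: ${{needs.configuration.outputs.version}}
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          previewctl_hash: ${{ needs.build-previewctl.outputs.previewctl_hash }}
          with_dedicated_emu: ${{needs.configuration.outputs.with_dedicated_emulation}}
          analytics: ${{needs.configuration.outputs.analytics}}
          workspace_feature_flags: ${{needs.configuration.outputs.workspace_feature_flags}}
      # Replaces the `gitpod:summary` marker in the PR description with the
      # deploy report.
      - uses: actions/github-script@v6
        if: needs.configuration.outputs.pr_number != '' && contains(needs.configuration.outputs.pr_body, 'gitpod:summary')
        env:
          PR_NUMBER: ${{ needs.configuration.outputs.pr_number }}
          REPORT_B64: ${{ steps.deploy-gitpod.outputs.report }}
        with:
          script: |
            // Both values arrive via env instead of being spliced into the script
            // source: the report used to sit inside a template literal, where a
            // backtick or `${` in the report would have become code, not data.
            const prNumber = Number(process.env.PR_NUMBER);
            const summaryEncoded = process.env.REPORT_B64 || '';
            const summary = Buffer.from(summaryEncoded, 'base64').toString('utf8');
            const { data: pr } = await github.rest.pulls.get({
              ...context.repo,
              pull_number: prNumber,
            });
            // pr.body is null for an empty description
            const prBody = pr.body || '';
            const newBody = prBody.replace('gitpod:summary', summary);
            await github.rest.pulls.update({
              ...context.repo,
              pull_number: prNumber,
              body: newBody,
            });

  monitoring:
    name: "Install Monitoring Satellite"
    # `configuration` is listed explicitly: `needs.<job>.outputs` is only
    # populated for direct dependencies, so without it the `if` below could
    # never see with_monitoring.
    needs: [configuration, infrastructure, build-previewctl, create-runner]
    runs-on: ${{ needs.create-runner.outputs.label }}
    if: needs.configuration.outputs.with_monitoring == 'true'
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-monitoring
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@v3
      - name: Deploy monitoring satellite to the preview environment
        id: deploy-monitoring-satellite
        uses: ./.github/actions/deploy-monitoring-satellite
        with:
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          previewctl_hash: ${{ needs.build-previewctl.outputs.previewctl_hash }}

  integration-test:
    name: "Run integration test"
    needs:
      - configuration
      - build-previewctl
      - build-gitpod
      - infrastructure
      - install
      - create-runner
    runs-on: ${{ needs.create-runner.outputs.label }}
    container:
      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-new-dev-image-gha.13182
    if: needs.configuration.outputs.with_integration_tests != ''
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-integration-test
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-environment
        with:
          sa_key: ${{ secrets.GCP_CREDENTIALS }}
          leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }}
      - name: Run integration test
        shell: bash
        env:
          ROBOQUAT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          INTEGRATION_TEST_USERNAME: ${{ secrets.IDE_INTEGRATION_TEST_USERNAME }}
          INTEGRATION_TEST_USER_TOKEN: ${{ secrets.IDE_INTEGRATION_TEST_USER_TOKEN }}
          PREVIEW_NAME: ${{ github.head_ref || github.ref_name }}
          # PR-author-controlled (from the with-integration-tests= checkbox); it is
          # only ever passed as an argument, never evaluated as shell.
          TEST_SUITS: ${{ needs.configuration.outputs.with_integration_tests }}
          TEST_USE_LATEST_VERSION: ${{ needs.configuration.outputs.latest_ide_version }}
          TEST_BUILD_ID: ${{ github.run_id }}
          TEST_BUILD_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          TEST_BUILD_REF: ${{ github.head_ref || github.ref }}
        # PREVIEW_ENV_DEV_SA_KEY_PATH is not set in this file; presumably exported
        # by the setup-environment action above — verify there.
        run: |
          leeway run dev/preview/previewctl:install
          echo "Setting up access to core-dev and harvester"
          previewctl get-credentials --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
          previewctl install-context --branch "${PREVIEW_NAME}" --log-level debug --timeout 1m --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
          $GITHUB_WORKSPACE/test/run.sh -s ${TEST_SUITS}

  # Tears the runner down regardless of how the other jobs ended.
  delete-runner:
    if: always()
    needs:
      - create-runner
      - configuration
      - build-previewctl
      - infrastructure
      - build-gitpod
      - install-app
      - install
      - monitoring
      - integration-test
    uses: ./.github/workflows/remove_runner.yml
    secrets: inherit
    with:
      runner-label: ${{ needs.create-runner.outputs.label }}
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-delete-runner
      cancel-in-progress: false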