Pushing Develop Code to Master Branch. (non release repo) #50
base: master
[MOSIP-29854] Creating dockerfile for dbvaluefinder script
Signed-off-by: Mahesh-Binayak <[email protected]>
[MOSIP-29854]Adding databreachdetector
Signed-off-by: VSIVAKALYAN <[email protected]>
Added docker build job
Revert "Added docker build job"
Signed-off-by: Rakshithb1 <[email protected]>
Signed-off-by: Rakshithb1 <[email protected]>
[MOSIP-32607]
Signed-off-by: Rakshithb1 <[email protected]>
[MOSIP-32607] updated host
Signed-off-by: Rakshithb1 <[email protected]>
[MOSIP-32607]
Signed-off-by: Rakshithb1 <[email protected]>
[MOSIP-32607] corrected helm path
Signed-off-by: Rakshithb1 <[email protected]>
[MOSIP-32607]
Signed-off-by: Rakshithb1 <[email protected]>
[MOSIP-32607] added values.yaml in install.sh
Signed-off-by: Rakshithb1 <[email protected]>
Signed-off-by: Rakshithb1 <[email protected]>
[MOSIP-32607] updated values.yaml
Signed-off-by: Rakshithb1 <[email protected]>
MOSIP-32607
Signed-off-by: Mahesh.Binayak <[email protected]>
[MOSIP-32607] added README.md
    uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master
    with:
      CHARTS_DIR: ./helm
      CHARTS_URL: https://mosip.github.io/mosip-helm
      REPOSITORY: mosip-helm
      BRANCH: gh-pages
      INCLUDE_ALL_CHARTS: "${{ inputs.INCLUDE_ALL_CHARTS || 'NO' }}"
      IGNORE_CHARTS: "${{ inputs.IGNORE_CHARTS || '\"\"' }}"
      CHART_PUBLISH: "${{ inputs.CHART_PUBLISH || 'YES' }}"
      LINTING_CHART_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-schema.yaml"
      LINTING_LINTCONF_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/lintconf.yaml"
      LINTING_CHART_TESTING_CONFIG_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-testing-config.yaml"
      LINTING_HEALTH_CHECK_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/health-check-schema.yaml"
    secrets:
      TOKEN: ${{ secrets.ACTION_PAT }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 4 months ago)
To fix the problem, add an explicit permissions: block to the workflow, specifying the minimal set of privileges required. Since the job involves validating and potentially publishing helm charts (and possibly pushing to branches or updating PRs), at minimum it will require contents: read (for reading/writing to code and branches) and possibly additional permissions such as pages: write or pull-requests: write if those operations are required. As a safe default and per best practices, set permissions: at the top level of the workflow file to apply to all jobs unless overridden. If you know more specifically which permissions are required by the job, restrict to only those; for example, if only pushing to branches is required, contents: write is sufficient.
The actual edit is to add the following block near the top-level of the file (below name: but before on: or before jobs:):
permissions:
  contents: write
This grants only write access to repository contents for the workflow, allowing publishing and validation activities. If you know that only read access is needed, use contents: read. If additional permissions are needed, add them explicitly.
| @@ -1,4 +1,6 @@ | ||
| name: Validate / Publish helm charts | ||
| permissions: | ||
| contents: write | ||
|
|
||
| on: | ||
| release: |
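Review bot: contents: write at the workflow root is broader than this workflow appears to need. The chart job shown above hands its own TOKEN: ${{ secrets.ACTION_PAT }} to the reusable chart-lint-publish workflow, so the gh-pages push runs under that PAT rather than under GITHUB_TOKEN, and a root-level permissions: contents: read would satisfy the finding with less privilege. A root permissions: block also applies to every job and caps what any called reusable workflow can do, so if one job does depend on GITHUB_TOKEN for a push, grant contents: write on that job alone rather than globally. Placing the block between name: and on: is valid YAML, so there is no structural problem with the hunk.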
    strategy:
      matrix:
        include:
          - SERVICE_LOCATION: 'databreachdetector'
            SERVICE_NAME: 'databreachdetector'
          - SERVICE_LOCATION: 'certmanager'
            SERVICE_NAME: 'certmanager'
      fail-fast: false
    name: ${{ matrix.SERVICE_NAME }}
    uses: mosip/kattu/.github/workflows/docker-build.yml@master
    with:
      SERVICE_LOCATION: ${{ matrix.SERVICE_LOCATION }}
      SERVICE_NAME: ${{ matrix.SERVICE_NAME }}
    secrets:
      DEV_NAMESPACE_DOCKER_HUB: ${{ secrets.DEV_NAMESPACE_DOCKER_HUB }}
      ACTOR_DOCKER_HUB: ${{ secrets.ACTOR_DOCKER_HUB }}
      RELEASE_DOCKER_HUB: ${{ secrets.RELEASE_DOCKER_HUB }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_DEVOPS }}
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 months ago)
To fix the problem, we should add an explicit permissions: key at the workflow root, above the jobs: key, unless specific jobs need unique sets of permissions, in which case those can be set at job level. As a minimal, safe default, we should use permissions: contents: read at the root, granting the workflow read-only access to repository contents, which suffices for most CI/CD pipelines unless they specifically need to create issues, update pull requests, etc. If the workflow, or any actions it calls, require additional privileges (such as pull-requests: write), these can be added as needed, but as a baseline, adding permissions: contents: read at the root is the best fix with minimal change.
So, in .github/workflows/push-trigger.yml, insert the following between line 2 and 3:
permissions:
  contents: read
No imports, definitions, etc. are needed; just add the permissions block to the YAML file.
| @@ -1,5 +1,7 @@ | ||
| name: Building Security Tools | ||
|
|
||
| permissions: | ||
| contents: read | ||
| on: | ||
| release: | ||
| types: [published] |
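Review bot: contents: read at the root is the right baseline, but the jobs in this workflow delegate to mosip/kattu/.github/workflows/docker-build.yml@master through uses:, and a called reusable workflow can only use the GITHUB_TOKEN permissions its caller grants. Confirm that docker-build.yml needs nothing beyond contents: read; it receives the Docker Hub credentials as passed-in secrets, so the image push itself should not depend on GITHUB_TOKEN, but if it does need more (for example to publish to GitHub Packages), raise the permission on that job only instead of at the root.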
    name: maven-sonar-analysis
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          java-version: 21
          distribution: 'temurin'

      - name: Cache SonarCloud packages
        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar

      - name: Cache Maven packages
        uses: actions/cache@v4
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2

      - name: Run SonarCloud analysis
        env:
          SONAR_TOKEN: f4e496ee8ddc6661404844949201593f56078e94
        run: |
          mvn -B verify sonar:sonar -Dsonar.projectKey=mosip_security-tools -Dsonar.organization=mosip -Dsonar.host.url=https://sonarcloud.io -DskipSigning=true
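The sonar-check.yml excerpt above shows the two things a workflow reviewer would flag before merging: there is no permissions: key at either the workflow or the job level, so GITHUB_TOKEN runs with the repository's default scope, and the Run SonarCloud analysis step assigns SONAR_TOKEN a literal value under env: instead of reading it from the secrets context. The checker below is an added example, not code from this PR or from the MOSIP repositories, and it is not CodeQL's query; it is a line-based approximation of both checks (no YAML parser, so it runs with the standard library) over constructed sample workflows that mirror the excerpt, with a made-up token value in place of the committed one.

```python
import re

# Constructed samples (not files from this PR). The first mirrors the shape of
# the sonar-check.yml excerpt: no permissions: key anywhere and a literal token
# under env:. The token value below is made up.
SAMPLE_UNSAFE = """\
name: Building Security Tools
on:
  push:
    branches: [master]
jobs:
  sonar_analysis:
    name: maven-sonar-analysis
    runs-on: ubuntu-latest
    steps:
      - name: Run SonarCloud analysis
        env:
          SONAR_TOKEN: 0123456789abcdef0123456789abcdef01234567
        run: mvn -B verify sonar:sonar
"""

# The same workflow after both fixes: a root-level permissions block and the
# token taken from the secrets context.
SAMPLE_SAFE = """\
name: Building Security Tools
permissions:
  contents: read
on:
  push:
jobs:
  sonar_analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Run SonarCloud analysis
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: mvn -B verify sonar:sonar
"""

# Job-level scoping, as in the third autofix on this page, is also accepted.
SAMPLE_JOB_SCOPED = """\
name: Building Security Tools
on: [push]
jobs:
  sonar_analysis:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - run: echo ok
"""

KV_RE = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_.-]*):\s*(.*?)\s*$")
SECRET_KEY_RE = re.compile(r"TOKEN|SECRET|PASSW|API_KEY|WEBHOOK", re.I)


def indent_of(line):
    return len(line) - len(line.lstrip(" "))


def find_jobs(lines):
    """Map each job id to the index of its line under the top-level jobs: key."""
    jobs, in_jobs = {}, False
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        ind = indent_of(line)
        if ind == 0:
            in_jobs = line.rstrip() == "jobs:"
        elif in_jobs and ind == 2:
            m = KV_RE.match(line)
            if m:
                jobs[m.group(2)] = i
    return jobs


def has_permissions(lines, start, level):
    """True if a permissions: key sits at `level` spaces of indent in the block after `start`."""
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        ind = indent_of(line)
        if ind < level:
            break  # left the block (next job, or next top-level key)
        if ind == level and line.strip().startswith("permissions:"):
            return True
    return False


def check_workflow(text):
    """Return [(line_no, message)] for unscoped GITHUB_TOKEN and literal secrets."""
    lines = text.splitlines()
    findings = []
    root_ok = has_permissions(lines, -1, 0)
    for job, idx in find_jobs(lines).items():
        if not root_ok and not has_permissions(lines, idx, 4):
            findings.append((idx + 1, f"job '{job}' runs with the default GITHUB_TOKEN permissions"))
    for i, line in enumerate(lines):
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(2), m.group(3)
        # A secret-looking key is fine when it comes from the secrets context;
        # a literal, non-empty value is a credential committed to the repository.
        if SECRET_KEY_RE.search(key) and value and "${{" not in value:
            findings.append((i + 1, f"literal value assigned to secret-looking key '{key}'"))
    return findings


if __name__ == "__main__":
    for label, sample in [("unsafe", SAMPLE_UNSAFE), ("safe", SAMPLE_SAFE), ("job-scoped", SAMPLE_JOB_SCOPED)]:
        print(label)
        for line_no, msg in check_workflow(sample):
            print(f"  line {line_no}: {msg}")
```

Run against SAMPLE_UNSAFE it reports the sonar_analysis job (line 6) and the SONAR_TOKEN line (line 12); the other two samples come back clean. The root check deliberately stops looking at jobs once a root permissions: block exists, matching how GitHub applies the workflow-level block to every job unless a job overrides it, and the secret check only trusts values that go through the ${{ secrets.* }} context.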
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 4 months ago)
To fix the issue, add a permissions block to the job definition at .github/workflows/sonar-check.yml under the sonar_analysis job (line 10). The minimal recommended permission for most CI analysis workflows is contents: read, which allows the job to read source code but not to push, modify, or delete repository content. As none of the steps in this job require write permissions to repository contents, using contents: read is the most secure and appropriate setting.
Change summary:
- Insert a permissions: block (with contents: read) below name: maven-sonar-analysis (line 10) and above runs-on: ubuntu-latest (line 11).
| @@ -8,6 +8,8 @@ | ||
| jobs: | ||
| sonar_analysis: | ||
| name: maven-sonar-analysis | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: |
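Review bot: Scoping the sonar_analysis job to contents: read is correct for a scan-only job, but this hunk leaves the more serious problem in the same job untouched: the Run SonarCloud analysis step shown above assigns SONAR_TOKEN a literal value under env:. Anything that has been committed should be treated as disclosed, so the token needs to be revoked and reissued in SonarCloud, stored as a repository secret, and referenced as SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}; a secret-scanning check on the workflow directory would keep a later PR from reintroducing it.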
Signed-off-by: Mahesh.Binayak <[email protected]>
Signed-off-by: Mahesh.Binayak <[email protected]>
Signed-off-by: Mahesh.Binayak <[email protected]>
Signed-off-by: Mahesh.Binayak <[email protected]>
[MOSIP-43032] added auditsweeper tool along with its helm charts.
Signed-off-by: Mahesh.Binayak <[email protected]>
[MOSIP-43032] Updated auditsweeper.py
…figmaps Signed-off-by: Mahesh.Binayak <[email protected]>
[MOSIP-43032] Updated auditsweeper's permissions ,image names and configmaps.
No description provided.