From ed6824930d993b45c55bd22b1bb78433ff97f781 Mon Sep 17 00:00:00 2001
From: Mythri Garaga Manjunatha
Date: Fri, 2 Sep 2022 08:59:03 -0700
Subject: [PATCH] add codeowners file; update token permission to read only for workflow and validate GO_VERSION is of the correct format and length
---
.github/CODEOWNERS | 6 +++++
.github/workflows/gitsecrets.yml | 1 +
.github/workflows/linux.yml | 15 +++++++++--
.github/workflows/static.yml | 43 +++++++++++++++++++++++++++-----
.github/workflows/windows.yml | 13 ++++++++--
5 files changed, 68 insertions(+), 10 deletions(-)
create mode 100644 .github/CODEOWNERS
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000000..70f73c2b060
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,6 @@
+# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence, these accounts
+# will be requested for review when someone opens a pull request.
+* @aws/aws-ecs-agent
diff --git a/.github/workflows/gitsecrets.yml b/.github/workflows/gitsecrets.yml
index f01997d9c8c..6e151327525 100644
--- a/.github/workflows/gitsecrets.yml
+++ b/.github/workflows/gitsecrets.yml
@@ -2,6 +2,7 @@ name: GitSecretsScan
on: [push, pull_request]
+permissions: read-all
jobs:
git-secret-check:
name: Git Secrets Scan
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 62941cb32f4..13efe56a20f 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -2,6 +2,7 @@ name: Linux
on: [pull_request]
+permissions: read-all
jobs:
unit-tests:
name: Linux unit tests
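Review bot: `permissions: read-all` in the gitsecrets.yml hunk (and the identical line added to linux.yml, static.yml and windows.yml in the later hunks) moves GITHUB_TOKEN from the default write scopes to read on every scope, which is a real improvement but still broader than these jobs appear to need. The steps visible in the other hunks only check out the repository and run tests or static checks, so `permissions:` followed by `  contents: read` would grant the one scope they use and nothing else; a job that later needs more can declare its own narrower block. I have not seen the complete workflow files, so confirm no step depends on another read scope before tightening.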
@@ -11,12 +12,22 @@ jobs:
with:
path: src/github.com/aws/amazon-ecs-agent
- name: get GO_VERSION
+ id: get-go-version
run: |
cd $GITHUB_WORKSPACE/src/github.com/aws/amazon-ecs-agent
- echo "GO_VERSION=$(cat GO_VERSION)" >> $GITHUB_ENV
+ set -eou pipefail
+ go_version=$(cat -e GO_VERSION)
+ go_version=${go_version%?}
+ go_version_length=${#go_version}
+ go_version_re="^([0-9]+\.){1,2}([0-9]+)$"
+ if ! [[ $go_version_length -le 10 && $go_version =~ $go_version_re ]] ; then
+ echo "invalid GO version"
+ exit 1
+ fi
+ echo "::set-output name=GO_VERSION::$go_version"
- uses: actions/setup-go@v2
with:
- go-version: ${{ env.GO_VERSION }}
+ go-version: ${{ steps.get-go-version.outputs.GO_VERSION }}
- uses: actions/checkout@v2
with:
submodules: true
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 776e47a68cb..497eee78a38 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -2,6 +2,7 @@ name: Static Checks
on: [push, pull_request]
+permissions: read-all
jobs:
static-check:
name: Static Analysis
@@ -11,12 +12,22 @@ jobs:
with:
path: src/github.com/aws/amazon-ecs-agent
- name: get GO_VERSION
+ id: get-go-version
run: |
cd $GITHUB_WORKSPACE/src/github.com/aws/amazon-ecs-agent
- echo "GO_VERSION=$(cat GO_VERSION)" >> $GITHUB_ENV
+ set -eou pipefail
+ go_version=$(cat -e GO_VERSION)
+ go_version=${go_version%?}
+ go_version_length=${#go_version}
+ go_version_re="^([0-9]+\.){1,2}([0-9]+)$"
+ if ! [[ $go_version_length -le 10 && $go_version =~ $go_version_re ]] ; then
+ echo "invalid GO version"
+ exit 1
+ fi
+ echo "::set-output name=GO_VERSION::$go_version"
- uses: actions/setup-go@v2
with:
- go-version: ${{ env.GO_VERSION }}
+ go-version: ${{ steps.get-go-version.outputs.GO_VERSION }}
- uses: actions/checkout@v2
with:
path: src/github.com/aws/amazon-ecs-agent
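Review bot: The `cat -e` / `${go_version%?}` pair in the new `run` block of linux.yml needs a comment, because a reader will wonder why the file is not read with a plain `$(cat GO_VERSION)`: `-e` renders non-printing bytes in `^`/`M-` notation and appends `$` at each line end, and the parameter expansion removes that trailing `$`, so embedded control characters or a CRLF ending survive into the regex match as visible text and are rejected. I would put `# cat -e exposes control chars/CRLF and marks EOL with '$'; strip that marker before the format check` above those two lines. Separately, GitHub has since deprecated the `::set-output` workflow command; `echo "GO_VERSION=$go_version" >> "$GITHUB_OUTPUT"` is the supported form and leaves the step output name unchanged. The same block is pasted into the three static.yml hunks on this and the following line, so the comment and the output change apply there too; consider moving it into one shared script so the copies cannot drift apart.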
@@ -37,12 +48,22 @@ jobs:
with:
path: src/github.com/aws/amazon-ecs-agent
- name: get GO_VERSION
+ id: get-go-version
run: |
cd $GITHUB_WORKSPACE/src/github.com/aws/amazon-ecs-agent
- echo "GO_VERSION=$(cat GO_VERSION)" >> $GITHUB_ENV
+ set -eou pipefail
+ go_version=$(cat -e GO_VERSION)
+ go_version=${go_version%?}
+ go_version_length=${#go_version}
+ go_version_re="^([0-9]+\.){1,2}([0-9]+)$"
+ if ! [[ $go_version_length -le 10 && $go_version =~ $go_version_re ]] ; then
+ echo "invalid GO version"
+ exit 1
+ fi
+ echo "::set-output name=GO_VERSION::$go_version"
- uses: actions/setup-go@v2
with:
- go-version: ${{ env.GO_VERSION }}
+ go-version: ${{ steps.get-go-version.outputs.GO_VERSION }}
- uses: actions/checkout@v2
with:
path: src/github.com/aws/amazon-ecs-agent
@@ -63,12 +84,22 @@ jobs:
with:
path: src/github.com/aws/amazon-ecs-agent
- name: get GO_VERSION
+ id: get-go-version
run: |
cd $GITHUB_WORKSPACE/src/github.com/aws/amazon-ecs-agent
- echo "GO_VERSION=$(cat GO_VERSION)" >> $GITHUB_ENV
+ set -eou pipefail
+ go_version=$(cat -e GO_VERSION)
+ go_version=${go_version%?}
+ go_version_length=${#go_version}
+ go_version_re="^([0-9]+\.){1,2}([0-9]+)$"
+ if ! [[ $go_version_length -le 10 && $go_version =~ $go_version_re ]] ; then
+ echo "invalid GO version"
+ exit 1
+ fi
+ echo "::set-output name=GO_VERSION::$go_version"
- uses: actions/setup-go@v2
with:
- go-version: ${{ env.GO_VERSION }}
+ go-version: ${{ steps.get-go-version.outputs.GO_VERSION }}
- uses: actions/checkout@v2
with:
submodules: true
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 5f96bef035e..a1911b212d5 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -2,6 +2,7 @@ name: Windows
on: [pull_request]
+permissions: read-all
jobs:
windows-unit-tests:
name: Windows unit tests
@@ -11,13 +12,21 @@ jobs:
with:
path: src/github.com/aws/amazon-ecs-agent
- name: get GO_VERSION
+ id: get-go-version
run: |
cd "$Env:GITHUB_WORKSPACE"
cd "src/github.com/aws/amazon-ecs-agent"
- echo "GO_VERSION_WINDOWS=$(type GO_VERSION_WINDOWS)" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+ $ErrorActionPreference = "Stop"
+ $go_version_win = $(type GO_VERSION_WINDOWS)
+ $go_version_re = "^\d+\.{1,2}\d+$"
+ if (-Not ($go_version_win.Length -le 10 -or $go_version_win -match $go_version_re) ) {
+ echo "invalid GO version"
+ exit 1
+ }
+ Write-Output "::set-output name=GO_VERSION_WINDOWS::$go_version_win"
- uses: actions/setup-go@v2
with:
- go-version: ${{ env.GO_VERSION_WINDOWS }}
+ go-version: ${{ steps.get-go-version.outputs.GO_VERSION_WINDOWS }}
- uses: actions/checkout@v2
with:
submodules: true
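Review bot: The PowerShell condition in the new `run` block uses `-or` where the Linux version uses `&&`, so any value of ten characters or fewer is accepted without ever being compared against the regex, and the format validation this commit introduces is effectively skipped on Windows. The regex also differs from the Bash one: `^\d+\.{1,2}\d+$` means one or two literal dots between two numbers, which accepts a constructed value like `1..18` and rejects a three-part version like `1.18.3`, whereas `^([0-9]+\.){1,2}([0-9]+)$` accepts one or two dotted groups. Changing the two lines to `$go_version_re = "^(\d+\.){1,2}\d+$"` and `if (-Not ($go_version_win.Length -le 10 -and $go_version_win -match $go_version_re) ) {` brings the check in line with linux.yml. Note as well that `type` (Get-Content) returns an array when the file has more than one line, in which case `.Length` counts lines and `-match` filters instead of returning a boolean; if that can happen, take the first element or join the lines before validating.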