Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a job that runs diagnostics #144

Merged
merged 7 commits into from
Sep 13, 2023
Merged

Conversation

jsf9k
Copy link
Member

@jsf9k jsf9k commented Aug 29, 2023

🗣 Description

This pull request adds a diagnostics job that runs these GitHub Actions:

💭 Motivation and context

The GitHub Actions listed above are added in a separate diagnostics job. As configured the actions should never fail, but they will print out information that may be useful in diagnosing workflow failures.

🧪 Testing

All automated tests pass. I verified that the expected outputs appear in the GitHub Actions log (also here).

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

@jsf9k jsf9k added the improvement This issue or pull request will add or improve functionality, maintainability, or ease of use label Aug 29, 2023
@jsf9k jsf9k self-assigned this Aug 29, 2023
@jsf9k jsf9k marked this pull request as ready for review August 29, 2023 21:19
@jsf9k jsf9k requested a review from a team August 29, 2023 21:19
Copy link
Member

@mcdonnnj mcdonnnj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for setting up this PR! I'm on board but I have two thoughts for consideration. First, would you please add this to the list of commented out dependencies in the Dependabot configuration:

# # Managed by cisagov/skeleton-generic
# - dependency-name: actions/cache
# - dependency-name: actions/checkout
# - dependency-name: actions/setup-go
# - dependency-name: actions/setup-python
# - dependency-name: hashicorp/setup-terraform
# - dependency-name: mxschmitt/action-tmate

Second, and this one is more a thought, what do you think about adding a needs block to the lint job and requiring the diagnostics job? Even if the diagnostics job does not currently leverage the ability for the Action to fail depending on the GitHub status, if the job has a problem while running that will generally not be a good sign for the lint job to run.

@jsf9k jsf9k force-pushed the improvement/add-github-status-jazz branch from f708ed4 to f88b9d2 Compare August 30, 2023 13:52
@jsf9k
Copy link
Member Author

jsf9k commented Aug 30, 2023

Thanks for setting up this PR! I'm on board but I have two thoughts for consideration. First, would you please add this to the list of commented out dependencies in the Dependabot configuration:

# # Managed by cisagov/skeleton-generic
# - dependency-name: actions/cache
# - dependency-name: actions/checkout
# - dependency-name: actions/setup-go
# - dependency-name: actions/setup-python
# - dependency-name: hashicorp/setup-terraform
# - dependency-name: mxschmitt/action-tmate

Second, and this one is more a thought, what do you think about adding a needs block to the lint job and requiring the diagnostics job? Even if the diagnostics job does not currently leverage the ability for the Action to fail depending on the GitHub status, if the job has a problem while running that will generally not be a good sign for the lint job to run.

@mcdonnnj - Please see commits 3e51119 and f88b9d2.

@jsf9k jsf9k requested a review from mcdonnnj August 30, 2023 13:53
Copy link
Member

@dav3r dav3r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @jsf9k (and also crazy-max) - this is a useful addition!

@jsf9k jsf9k changed the title Add the crazy-max/ghaction-github-status GitHub action Add a job that runs diagnostics Aug 30, 2023
@jsf9k jsf9k force-pushed the improvement/add-github-status-jazz branch from a737e7d to e49ee95 Compare August 30, 2023 14:51
@jsf9k jsf9k requested a review from dav3r August 30, 2023 14:52
Copy link
Member

@dav3r dav3r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 👍 👍

@mcdonnnj
Copy link
Member

@jsf9k Would you please update the PR description to include the addition of the step-security/harden-runner Action?

@jsf9k
Copy link
Member Author

jsf9k commented Aug 30, 2023

@jsf9k Would you please update the PR description to include the addition of the step-security/harden-runner Action?

I just did it while you were writing your comment. Synchronicity!

@jsf9k
Copy link
Member Author

jsf9k commented Aug 30, 2023

I'm don't think that the step-security/harden-runner Action is covering the lint job when it is inserted only in the diagnostics job. I think that Action may need to be duplicated in each workflow job to actually provide the desired coverage. Am I right, @cisagov/team-ois?

I created commit 2bddec4 to test this hypothesis.

@jsf9k jsf9k requested a review from dav3r August 30, 2023 17:01
@mcdonnnj
Copy link
Member

I'm don't think that the step-security/harden-runner Action is covering the lint job when it is inserted only in the diagnostics job. I think that Action may need to be duplicated in each workflow job to actually provide the desired coverage. Am I right, @cisagov/team-ois?

I created commit 2bddec4 to test this hypothesis.

Oh, right. Each job is its own runner so it would need to be used in every job you want hardened.

Copy link
Member

@dav3r dav3r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖

@jsf9k
Copy link
Member Author

jsf9k commented Aug 30, 2023

I created commit 2bddec4 to test this hypothesis.

Looks like I was correct, so I'll leave the commit in place.

@mcdonnnj
Copy link
Member

mcdonnnj commented Aug 30, 2023

I created commit 2bddec4 to test this hypothesis.

Looks like I was correct, so I'll leave the commit in place.

@jsf9k Yes, please see my comment in #144 (comment). Also you may want to mention that the step-security/harden-runner Action must be added in every job (and that you added it to the lint job) in the description to better track when the kraken this change is included in is being resolved.

Copy link
Member

@mcdonnnj mcdonnnj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:godmode:

@jsf9k
Copy link
Member Author

jsf9k commented Aug 30, 2023

Also you may want to mention that the step-security/harden-runner Action must be added in every job (and that you added it to the lint job) in the description to better track when the kraken this change is included in is being resolved.

Please see commit 69dd196.

@jsf9k jsf9k assigned jmorrowomni and mcdonnnj and unassigned jsf9k Aug 30, 2023
@mcdonnnj mcdonnnj added the kraken 🐙 This pull request is ready to merge during the next Lineage Kraken release label Aug 30, 2023
Copy link
Member

@dav3r dav3r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mcdonnnj mcdonnnj added this pull request to the merge queue Sep 13, 2023
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to a conflict with the base branch Sep 13, 2023
jsf9k and others added 7 commits September 12, 2023 21:50
This action is added in a separate "diagnostics" job.  As configured
it will never fail, but it will print out the status of the various
GitHub components.  This information will sometimes be useful when
determining why builds fail after the fact.

Co-authored-by: Mark Feldhousen <[email protected]>
Co-authored-by: Nick <[email protected]>
Even though the diagnostics job is not currently configured to fail
due to the GitHub status, it is still true that if the job is unable
to run that does not bode well for the lint job's successful
execution.

Co-authored-by: Nick <[email protected]>
This can be useful when debugging why a GH Action failed.

Co-authored-by: felddy <[email protected]>
This GH Action is being configured to run in audit mode.  It should
warn us if an Action is reaching out to an unexpected web address,
overwriting source code, etc.

Co-authored-by: felddy <[email protected]>
This task can only provide coverage for the job that contains it.
We need a reminder add the step-security/harden-runner action at the
top of every job.

Co-authored-by: Nick <[email protected]>
@mcdonnnj mcdonnnj force-pushed the improvement/add-github-status-jazz branch from 69dd196 to bb81ec3 Compare September 13, 2023 01:53
@mcdonnnj mcdonnnj added this pull request to the merge queue Sep 13, 2023
Merged via the queue into develop with commit c0eed09 Sep 13, 2023
@mcdonnnj mcdonnnj deleted the improvement/add-github-status-jazz branch September 13, 2023 02:00
jsf9k added a commit to cisagov/skeleton-ansible-role that referenced this pull request Oct 5, 2023
The CodeQL workflow already had a harden-runner task, but it's good to
agree everywhere with the changes we made to the build.yml workflow in
cisagov/skeleton-generic#144.
jsf9k added a commit to cisagov/skeleton-ansible-role that referenced this pull request Oct 5, 2023
The CodeQL workflow already had a harden-runner task, but it's good to
agree everywhere with the changes we made to the build.yml workflow in
cisagov/skeleton-generic#144.
jsf9k added a commit to cisagov/skeleton-docker that referenced this pull request Oct 11, 2023
It's good to agree everywhere with the changes we made to the
build.yml workflow in cisagov/skeleton-generic#144.
jsf9k added a commit to cisagov/skeleton-python-library that referenced this pull request Oct 11, 2023
It's good to agree everywhere with the changes we made to the
build.yml workflow in cisagov/skeleton-generic#144.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
improvement This issue or pull request will add or improve functionality, maintainability, or ease of use kraken 🐙 This pull request is ready to merge during the next Lineage Kraken release
Projects
Development

Successfully merging this pull request may close these issues.

5 participants