Add a job that runs diagnostics #144
Conversation
Thanks for setting up this PR! I'm on board but I have two thoughts for consideration. First, would you please add this to the list of commented out dependencies in the Dependabot configuration:
skeleton-generic/.github/dependabot.yml (lines 15 to 21 in bd762fe):

    # # Managed by cisagov/skeleton-generic
    # - dependency-name: actions/cache
    # - dependency-name: actions/checkout
    # - dependency-name: actions/setup-go
    # - dependency-name: actions/setup-python
    # - dependency-name: hashicorp/setup-terraform
    # - dependency-name: mxschmitt/action-tmate
Second, and this one is more a thought, what do you think about adding a `needs` block to the `lint` job and requiring the `diagnostics` job? Even if the `diagnostics` job does not currently leverage the ability for the Action to fail depending on the GitHub status, if the job has a problem while running that will generally not be a good sign for the `lint` job to run.
Thanks @jsf9k (and also crazy-max) - this is a useful addition!
👍 👍 👍
@jsf9k Would you please update the PR description to include the addition of the
I just did it while you were writing your comment. Synchronicity!
I don't think that the step-security/harden-runner Action is covering the I created commit 2bddec4 to test this hypothesis.
Oh, right. Each job is its own runner so it would need to be used in every job you want hardened.
🤖
Looks like I was correct, so I'll leave the commit in place.
@jsf9k Yes, please see my comment in #144 (comment). Also you may want to mention that the
Please see commit 69dd196.
⚡
This action is added in a separate "diagnostics" job. As configured it will never fail, but it will print out the status of the various GitHub components. This information will sometimes be useful when determining why builds fail after the fact.
Co-authored-by: Mark Feldhousen <[email protected]>
Co-authored-by: Nick <[email protected]>
Even though the diagnostics job is not currently configured to fail due to the GitHub status, it is still true that if the job is unable to run that does not bode well for the lint job's successful execution.
Co-authored-by: Nick <[email protected]>
This can be useful when debugging why a GH Action failed.
Co-authored-by: felddy <[email protected]>
This GH Action is being configured to run in audit mode. It should warn us if an Action is reaching out to an unexpected web address, overwriting source code, etc.
Co-authored-by: felddy <[email protected]>
This task can only provide coverage for the job that contains it.
We need a reminder to add the step-security/harden-runner action at the top of every job.
Co-authored-by: Nick <[email protected]>
The CodeQL workflow already had a harden-runner task, but it's good to agree everywhere with the changes we made to the build.yml workflow in cisagov/skeleton-generic#144.
It's good to agree everywhere with the changes we made to the build.yml workflow in cisagov/skeleton-generic#144.
🗣 Description
This pull request adds a `diagnostics` job that runs these GitHub Actions:

💭 Motivation and context
The GitHub Actions listed above are added in a separate `diagnostics` job. As configured the actions should never fail, but they will print out information that may be useful in diagnosing workflow failures.

🧪 Testing
All automated tests pass. I verified that the expected outputs appear in the GitHub Actions log (also here).
✅ Pre-approval checklist
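To make the layout discussed in this thread concrete, here is an added illustrative workflow (not the PR's own build.yml): a `diagnostics` job that never fails the build, a `lint` job gated on it with `needs`, and `step-security/harden-runner` in audit mode repeated in each job, since every job runs on its own runner and the action only covers the job that contains it. Version pins are placeholders, and `crazy-max/ghaction-github-status` is assumed to be the "crazy-max" action the thread refers to.

```yaml
# Added example workflow; not code from cisagov/skeleton-generic.
# Version tags (@vX) are placeholders; pin to a reviewed release in practice.
name: build

on:
  push:
  pull_request:

jobs:
  diagnostics:
    runs-on: ubuntu-latest
    steps:
      # harden-runner only protects the job it is declared in, so it is the
      # first step of every job below. egress-policy: audit logs unexpected
      # outbound connections and source overwrites without blocking them.
      - name: Harden runner (audit mode)
        uses: step-security/harden-runner@vX   # placeholder pin
        with:
          egress-policy: audit
      # Assumed to be the GitHub status action referred to as "crazy-max" in
      # the thread. With no thresholds set, it only reports component status,
      # so this job never fails the build; the output is for after-the-fact
      # troubleshooting of failed runs.
      - name: Report GitHub component status
        uses: crazy-max/ghaction-github-status@vX   # assumption; placeholder pin

  lint:
    # If diagnostics cannot even run, that is a bad sign for lint, so gate on
    # it even though diagnostics itself is configured never to fail.
    needs: diagnostics
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner (audit mode)
        uses: step-security/harden-runner@vX   # placeholder pin; repeated per job
        with:
          egress-policy: audit
      - uses: actions/checkout@vX               # placeholder pin
      - uses: actions/setup-python@vX           # placeholder pin
        with:
          python-version: "3.x"
      # Hypothetical lint step standing in for the repository's real lint
      # commands; it is what the diagnostics job exists to support.
      - name: Lint
        run: |
          python -m pip install --upgrade pip
          python -m pip install pre-commit
          pre-commit run --all-files
```

Because the new action is also `uses:`-referenced here, it would belong in the commented-out "Managed by cisagov/skeleton-generic" list in `.github/dependabot.yml` alongside the other skeleton-managed actions, as the first review comment requests.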