diff --git a/.github/workflows/checks-workflows.yml b/.github/workflows/checks-workflows.yml index be739f5fa..a6f9e9546 100644 --- a/.github/workflows/checks-workflows.yml +++ b/.github/workflows/checks-workflows.yml @@ -1,4 +1,4 @@ -name: Worflows check +name: Checks for GitHub workflows on: push: @@ -13,7 +13,7 @@ env: PYTHON_VERSION: "3.11" jobs: - lint-vizro-all: + checks-workflows: runs-on: ubuntu-latest steps: @@ -24,8 +24,6 @@ jobs: with: python-version: ${{ env.PYTHON_VERSION }} - - name: Workflows check + - name: Checks for GitHub workflows run: | - pip install pyyaml - cd .github/workflows - python ../../tools/yaml_check.py + python tools/scan_yaml_for_risky_text.py.py .github/workflows diff --git a/.github/workflows/test-integration-vizro-ai.yml b/.github/workflows/test-integration-vizro-ai.yml index c6520b4c3..f6a02fc5a 100644 --- a/.github/workflows/test-integration-vizro-ai.yml +++ b/.github/workflows/test-integration-vizro-ai.yml @@ -102,16 +102,7 @@ jobs: with: payload: | { - "text": "Vizro-ai ${{ matrix.hatch-env }} integration tests build result: ${{ job.status }}\nBranch: ${{ github.head_ref }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", - "blocks": [ - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "Vizro-ai ${{ matrix.hatch-env }} integration tests build result: ${{ job.status }}\nBranch: ${{ github.head_ref }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" - } - } - ] + "text": "Vizro-ai ${{ matrix.hatch-env }} integration tests build result: ${{ job.status }}\nBranch: ${{ github.head_ref }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" } env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/vizro-qa-notebooks-tests-trigger.yml b/.github/workflows/vizro-qa-notebooks-tests-trigger.yml deleted file mode 100644 index 523b89d94..000000000 
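Review bot: Renaming the job id `lint-vizro-all` to `checks-workflows` also renames the status check GitHub reports for this workflow; if a branch-protection rule lists the old check as required, merges stay blocked until that rule is updated, which cannot be verified from the diff alone. The job's `steps:` list continues past the last line of this hunk.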
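Review bot: The new run line invokes `tools/scan_yaml_for_risky_text.py.py`, a doubled `.py.py` suffix that does match the file this commit adds, so the step works but the name reads as a typo that every later caller will have to reproduce. Renaming the new file to `tools/scan_yaml_for_risky_text.py` and changing this line to `python tools/scan_yaml_for_risky_text.py .github/workflows` fixes both places; the same doubled suffix appears in the `new file mode` header of the `tools/scan_yaml_for_risky_text.py.py` hunk. Dropping `pip install pyyaml` is consistent with the new scanner having no third-party imports, and the step's `with:` block above sits outside this hunk.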
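Review bot: The surviving `"text"` line still interpolates `${{ github.head_ref }}` and `${{ matrix.hatch-env }}` straight into hand-written JSON, so a branch name containing a double quote or backslash produces an unparseable payload and the notification step fails instead of reporting the build result. Building the message in the step's `env:` block as a block scalar and emitting it with `toJSON(env.MESSAGE)` lets the expression engine do the JSON escaping, and the real newlines of the block scalar become the `\n` escapes the current line spells out by hand. The step's `uses:` line and the start of `with:` sit above this hunk, so the indentation below is assumed from the visible `payload:` lines.
```yaml
        with:
          payload: |
            {
              "text": ${{ toJSON(env.MESSAGE) }}
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          MESSAGE: |-
            Vizro-ai ${{ matrix.hatch-env }} integration tests build result: ${{ job.status }}
            Branch: ${{ github.head_ref }}
            ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
```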
--- a/.github/workflows/vizro-qa-notebooks-tests-trigger.yml +++ /dev/null @@ -1,36 +0,0 @@ -name: Vizro qa notebooks tests trigger - -on: - push: - branches: [main] - pull_request: - branches: - - main - -env: - PYTHONUNBUFFERED: 1 - FORCE_COLOR: 1 - -jobs: - vizro-qa-trigger-fork: - if: ${{ github.event.pull_request.head.repo.fork }} - name: Vizro qa notebooks tests trigger - runs-on: ubuntu-latest - steps: - - name: Passed fork step - run: echo "Success!" - - vizro-qa-trigger: - if: ${{ ! github.event.pull_request.head.repo.fork }} - name: Vizro qa notebooks tests trigger - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Tests trigger - run: | - export INPUT_OWNER=${{ secrets.VIZRO_QA_ORG }} - export INPUT_REPO=${{ secrets.VIZRO_QA_REPO }} - export INPUT_WORKFLOW_FILE_NAME=${{ secrets.VIZRO_QA_NOTEBOOKS_TESTS_WORKFLOW }} - export INPUT_GITHUB_TOKEN=${{ secrets.VIZRO_SVC_PAT }} - export INPUT_REF=${{ github.head_ref }} - tools/trigger-workflow-and-wait.sh diff --git a/.github/workflows/vizro-qa-tests-trigger.yml b/.github/workflows/vizro-qa-tests-trigger.yml index acb92aaa2..2cde6d739 100644 --- a/.github/workflows/vizro-qa-tests-trigger.yml +++ b/.github/workflows/vizro-qa-tests-trigger.yml @@ -1,4 +1,4 @@ -name: Vizro qa tests trigger +name: Vizro QA tests trigger on: push: 
@@ -12,25 +12,35 @@ env: FORCE_COLOR: 1 jobs: - vizro-qa-trigger-fork: + vizro-qa-test-trigger-fork: if: ${{ github.event.pull_request.head.repo.fork }} - name: Vizro qa tests trigger + name: Vizro QA ${{ matrix.label }} trigger runs-on: ubuntu-latest + matrix: + include: + - label: integration tests + - label: notebooks tests steps: - name: Passed fork step run: echo "Success!" - vizro-qa-trigger: + vizro-qa-tests-trigger: if: ${{ ! github.event.pull_request.head.repo.fork }} - name: Vizro qa tests trigger + name: Vizro QA ${{ matrix.label }} trigger runs-on: ubuntu-latest + matrix: + include: + - label: integration tests + file: ${{ secrets.VIZRO_QA_INTEGRATION_TESTS_WORKFLOW }} + - label: notebooks test + file: ${{ secrets.VIZRO_QA_NOTEBOOKS_TESTS_WORKFLOW }} steps: - uses: actions/checkout@v4 - name: Tests trigger run: | export INPUT_OWNER=${{ secrets.VIZRO_QA_ORG }} export INPUT_REPO=${{ secrets.VIZRO_QA_REPO }} - export INPUT_WORKFLOW_FILE_NAME=${{ secrets.VIZRO_QA_INTEGRATION_TESTS_WORKFLOW }} + export INPUT_WORKFLOW_FILE_NAME=${{ matrix.label }} export INPUT_GITHUB_TOKEN=${{ secrets.VIZRO_SVC_PAT }} export INPUT_REF=${{ github.head_ref }} tools/trigger-workflow-and-wait.sh diff --git a/tools/scan_yaml_for_risky_text.py.py b/tools/scan_yaml_for_risky_text.py.py new file mode 100644 index 000000000..9eba46b41 --- /dev/null +++ b/tools/scan_yaml_for_risky_text.py.py @@ -0,0 +1,16 @@ +import sys +from pathlib import Path + +# according to this article: https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests +# we should avoid using `pull_request_target` for security reasons +risky_text = "pull_request_target" + + +def find_risky_files(path: str): + return {str(file) for file in Path(path).rglob("*.yml") if f"{risky_text}" in file.read_text()} + + +if __name__ == '__main__': + risky_files = find_risky_files(sys.argv[1]) + if risky_files: + sys.exit(f"{risky_text} found in files {risky_files}.") 
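Review bot: `matrix:` is placed directly under each job on the new side, but GitHub Actions only accepts it as `strategy.matrix`, so both `vizro-qa-test-trigger-fork` and `vizro-qa-tests-trigger` will fail workflow validation as written. Two further problems sit in the non-fork job: the `file:` values reference the `secrets` context, which is not available inside `strategy`, and the run step exports `${{ matrix.label }}` (a value with a space, e.g. `integration tests`, which the shell word-splits) as `INPUT_WORKFLOW_FILE_NAME` while the `file` field goes unused. One way to keep the matrix is to carry the secret name in it and resolve it in the step with `secrets[matrix.workflow_secret]`, passing every input through `env:` so no value is re-parsed by the shell; the rewritten non-fork job follows, and the fork job needs the same `strategy:` wrapper. The label `notebooks test` also differs from the fork job's `notebooks tests`, which makes the two job names diverge.
```yaml
  # … unchanged: vizro-qa-test-trigger-fork (wrap its matrix: in strategy: too) …
  vizro-qa-tests-trigger:
    # … unchanged: if / name / runs-on …
    strategy:
      matrix:
        include:
          - label: integration tests
            workflow_secret: VIZRO_QA_INTEGRATION_TESTS_WORKFLOW
          - label: notebooks tests
            workflow_secret: VIZRO_QA_NOTEBOOKS_TESTS_WORKFLOW
    steps:
      - uses: actions/checkout@v4
      - name: Tests trigger
        env:
          INPUT_OWNER: ${{ secrets.VIZRO_QA_ORG }}
          INPUT_REPO: ${{ secrets.VIZRO_QA_REPO }}
          INPUT_WORKFLOW_FILE_NAME: ${{ secrets[matrix.workflow_secret] }}
          INPUT_GITHUB_TOKEN: ${{ secrets.VIZRO_SVC_PAT }}
          INPUT_REF: ${{ github.head_ref }}
        run: tools/trigger-workflow-and-wait.sh
```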
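Review bot: `find_risky_files` only globs `*.yml`, so a workflow saved with the equally valid `.yaml` extension is silently skipped and the `pull_request_target` guard does not cover it. The `f"{risky_text}"` wrapper is a no-op f-string (`risky_text in file.read_text()` reads the same), `sys.argv[1]` raises a bare `IndexError` when the directory argument is missing, and the module carries no docstring saying what the check enforces beyond the two-line comment. A rewrite that matches both suffixes, skips directories and validates the argument follows; the `.py.py` file name is raised on the checks-workflows.yml hunk.
```python
# … unchanged: imports, comment and risky_text …
YAML_SUFFIXES = {".yml", ".yaml"}


def find_risky_files(path: str) -> set[str]:
    """Return the paths of *.yml/*.yaml files under ``path`` whose text contains ``risky_text``."""
    return {
        str(file)
        for file in Path(path).rglob("*")
        if file.is_file() and file.suffix in YAML_SUFFIXES and risky_text in file.read_text()
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <directory>")
    # … unchanged: find_risky_files call and exit on hits …
```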
diff --git a/tools/yaml_check.py b/tools/yaml_check.py
deleted file mode 100644
index ea38b879f..000000000
--- a/tools/yaml_check.py
+++ /dev/null
@@ -1,28 +0,0 @@
-import json
-import os
-
-import yaml
-
-
-def yaml_reader(filepath):
- for file in filepath:
- with open(file, "rb") as f:
- data = yaml.safe_load(f)
- data_str = json.dumps(data)
- if "pull_request_target" in data_str:
- print(f"{file} contains pull_request_target")
- failed_list.append(file)
-
-
-def failed_list_check(failed_list):
- if failed_list:
- return exit(1)
- else:
- pass
-
-
-if __name__ == "__main__":
- filepath = os.listdir()
- failed_list = []
- yaml_reader(filepath)
- failed_list_check(failed_list)