From 2bc0a140a02a2dd6ff6a55c9e4323011e3f9146e Mon Sep 17 00:00:00 2001
From: ChristianZaccaria
Date: Wed, 30 Oct 2024 16:03:24 +0000
Subject: [PATCH 1/3] Add Snyk security workflow to track multiple tags

---
 .github/workflows/release.yaml | 36 ++++++++++++++++++++++++
 .github/workflows/snyk-security.yaml | 41 ++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 .github/workflows/snyk-security.yaml

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ccac52604..2b2e392a3 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -27,15 +27,22 @@ on:
 type: string
 default: "project-codeflare"
 
+env:
+ PR_BRANCH_NAME: snyk-tag-monitoring-${{ github.run_id }}
+
 jobs:
 release:
 runs-on: ubuntu-latest
 permissions:
 contents: write
 id-token: write # This permission is required for trusted publishing
+ pull-requests: write # This permission is required for creating PRs
 steps:
 - name: Checkout the repository
 uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ token: ${{ secrets.GH_CLI_TOKEN }}
 - name: Install Python
 uses: actions/setup-python@v5
 with:
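Review bot: The `token: ${{ secrets.GH_CLI_TOKEN }}` added to actions/checkout is written into the workspace's `.git/config` for the whole job, because checkout's `persist-credentials` defaults to true, so every later step of the release job runs with that PAT on disk rather than only the push introduced in the next hunk. If the token is needed only for the push and `gh pr create`, set `persist-credentials: false` here and supply the secret to just those two steps. The new `pull-requests: write` grant applies to the job's GITHUB_TOKEN, while the PR step further down authenticates with `GH_CLI_TOKEN`, so the grant looks unneeded for that step; confirm nothing else relies on it. The `release` job continues outside this hunk.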
@@ -81,3 +88,32 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.CODEFLARE_MACHINE_ACCOUNT_TOKEN }}
 shell: bash
+
+ - name: Append tag to Snyk monitoring list
+ run: |
+ sed -i 's/list_of_released_tags=(/list_of_released_tags=("v${{ github.event.inputs.release-version }}", /' .github/workflows/snyk-security.yaml
+
+ - name: Commit and push changes
+ run: |
+ git config --global user.email "138894154+codeflare-machine-account@users.noreply.github.com"
+ git config --global user.name "codeflare-machine-account"
+ git checkout -b $PR_BRANCH_NAME
+ git commit -am "Update snyk-security.yaml"
+ git push --set-upstream origin "$PR_BRANCH_NAME"
+
+ - name: Create Pull Request
+ run: |
+ gh pr create \
+ --title "$pr_title" \
+ --body "$pr_body" \
+ --head ${{ env.PR_BRANCH_NAME }} \
+ --base main \
+ --label "lgtm" \
+ --label "approved"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_CLI_TOKEN }}
+ pr_title: "[CodeFlare-Machine] Append tag v${{ github.event.inputs.release-version }} to Snyk monitoring list"
+ pr_body: |
+ :rocket: This is an automated Pull Request generated by [release.yaml](https://github.com/project-codeflare/codeflare-sdk/blob/main/.github/workflows/release.yaml) workflow.
+
+ This PR appends to the list of tags that Snyk will be monitoring.
diff --git a/.github/workflows/snyk-security.yaml b/.github/workflows/snyk-security.yaml
new file mode 100644
index 000000000..ee497f319
--- /dev/null
+++ b/.github/workflows/snyk-security.yaml
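Review bot: `${{ github.event.inputs.release-version }}` is substituted into the `sed` step's script text before bash runs it, so a workflow_dispatch value containing a quote or shell metacharacters breaks out of the single-quoted sed expression and changes the command; the same shape reappears in patch 3's `git checkout v${{ github.event.inputs.release-version }}`. Read the input through the environment instead: put `RELEASE_VERSION: ${{ github.event.inputs.release-version }}` under an `env:` on the step, use `sed -i "s/list_of_released_tags=(/list_of_released_tags=(\"v${RELEASE_VERSION}\" /" .github/workflows/snyk-security.yaml`, and likewise write `--head "$PR_BRANCH_NAME"` rather than `--head ${{ env.PR_BRANCH_NAME }}` since the variable is already exported. The replacement also inserts `"vX", ` with a trailing comma, which bash does not treat as an array separator, so the comma becomes part of the element and the later `git checkout` of that tag cannot resolve it. Finally, the PR is created carrying the `lgtm` and `approved` labels; if those labels drive a merge automation, an edit to a file under `.github/workflows` lands without a human looking at it.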
@@ -0,0 +1,41 @@
+name: Snyk Security
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ snyk-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+
+ - name: Install Snyk CLI
+ run: npm install -g snyk
+
+ - name: Snyk Monitor and Test multiple projects
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ SNYK_ORG: ${{ secrets.SNYK_ORG }}
+ run: |
+ echo "Fetching tags"
+ git fetch origin 'refs/tags/*:refs/tags/*'
+
+ echo "Authenticating with Snyk"
+ snyk auth ${SNYK_TOKEN}
+
+ echo "Scanning project: codeflare-sdk/main"
+ snyk monitor --all-projects --exclude=requirements.txt --org=${SNYK_ORG} --target-reference="main"
+
+ # This list is based off RHOAI Supported versions: https://access.redhat.com/support/policy/updates/rhoai-sm/lifecycle
+ # Compared to the tags in the ImageStream annotations: https://github.com/red-hat-data-services/notebooks/blob/rhoai-2.8/manifests/base/jupyter-datascience-notebook-imagestream.yaml
+ # Loop through the list of released tags and scan each project
+ list_of_released_tags=("v0.22.0" "v0.21.1" "v0.19.1", "v0.16.4", "vv0.14.1")
+ for project in "${list_of_released_tags[@]}"; do
+ echo "Scanning project: codeflare-sdk/$project"
+ git checkout $project
+ snyk monitor --all-projects --exclude=requirements.txt --org=${SNYK_ORG} --target-reference="$(git describe --tags)"
+ done
From 9e1bdb9ec283cb7fc261f3fe3e9ebb7358c74bf3 Mon Sep 17 00:00:00 2001
From: ChristianZaccaria
Date: Wed, 6 Nov 2024 10:56:54 +0000
Subject: [PATCH 2/3] Cache npm dependencies in snyk-security workflow

---
 .github/workflows/release.yaml | 5 ++---
 .github/workflows/snyk-security.yaml | 6 +++++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2b2e392a3..dacd904c4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
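Review bot: The array literal `list_of_released_tags=("v0.22.0" "v0.21.1" "v0.19.1", "v0.16.4", "vv0.14.1")` uses commas, which bash keeps as part of the element, so the loop runs `git checkout v0.19.1,` and `git checkout v0.16.4,` and fails there; `vv0.14.1` also looks like a typo for `v0.14.1`. Patch 3 of this series drops the loop, so the points that survive are these: `snyk auth ${SNYK_TOKEN}` passes the secret as a command-line argument, where it is readable by anything that can list processes on the runner, while the Snyk CLI already reads `SNYK_TOKEN` from the environment, so the `snyk auth` line can simply go (the same line is copied into the release job in patch 3). The workflow declares no `permissions:` block, so the job token receives the repository default although the job only needs to read the checkout; add `permissions:` with `contents: read` at workflow or job level. `git checkout $project` should quote its argument, and `npm install -g snyk` installs an unpinned CLI into a job holding an org token, so pin it to a known release.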
@@ -41,7 +41,6 @@ jobs:
 - name: Checkout the repository
 uses: actions/checkout@v4
 with:
- submodules: recursive
 token: ${{ secrets.GH_CLI_TOKEN }}
 - name: Install Python
 uses: actions/setup-python@v5
@@ -95,8 +94,8 @@ jobs:

 - name: Commit and push changes
 run: |
- git config --global user.email "138894154+codeflare-machine-account@users.noreply.github.com"
- git config --global user.name "codeflare-machine-account"
+ git config --global user.email "${{ vars.CODEFLARE_MACHINE_EMAIL }}"
+ git config --global user.name "${{ vars.CODEFLARE_MACHINE_NAME }}"
 git checkout -b $PR_BRANCH_NAME
 git commit -am "Update snyk-security.yaml"
 git push --set-upstream origin "$PR_BRANCH_NAME"
diff --git a/.github/workflows/snyk-security.yaml b/.github/workflows/snyk-security.yaml
index ee497f319..3d43da45c 100644
--- a/.github/workflows/snyk-security.yaml
+++ b/.github/workflows/snyk-security.yaml
@@ -10,8 +10,12 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+
+ - name: Setup Node.js to cache dependencies
+ uses: actions/setup-node@v4
 with:
- submodules: recursive
+ node-version: 20
+ cache: 'npm'
 
 - name: Install Snyk CLI
 run: npm install -g snyk
From 6c486b7bfea4737019c8c088a2a957ea2aec2098 Mon Sep 17 00:00:00 2001
From: ChristianZaccaria
Date: Wed, 6 Nov 2024 15:46:40 +0000
Subject: [PATCH 3/3] Snyk Security workflow enhancements

---
 .github/workflows/release.yaml | 37 ++++++++++------------------
 .github/workflows/snyk-security.yaml | 16 ------------
 2 files changed, 13 insertions(+), 40 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index dacd904c4..ddc23b5ae 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
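Review bot: `cache: 'npm'` on actions/setup-node looks for an npm lockfile in the repository and fails the job when none is present, and even with one the cache covers the project's own dependencies rather than the global `npm install -g snyk` that follows, so the new step adds a failure mode without making the install faster. I can't see from here whether the repository carries a package-lock.json, so treat the first point as something to confirm. If the step stays, drop the `cache: 'npm'` line and keep `node-version: 20`, and pin the CLI in the next step, e.g. `npm install -g snyk@<pinned-version>`, which is the install cost worth controlling in this job.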
@@ -88,31 +88,20 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.CODEFLARE_MACHINE_ACCOUNT_TOKEN }}
 shell: bash
 
- - name: Append tag to Snyk monitoring list
+ - name: Install Snyk CLI and setup monitoring for new release tag
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ SNYK_ORG: ${{ secrets.SNYK_ORG }}
 run: |
- sed -i 's/list_of_released_tags=(/list_of_released_tags=("v${{ github.event.inputs.release-version }}", /' .github/workflows/snyk-security.yaml
+ echo "Installing Snyk CLI"
+ npm install -g snyk
 
- - name: Commit and push changes
- run: |
- git config --global user.email "${{ vars.CODEFLARE_MACHINE_EMAIL }}"
- git config --global user.name "${{ vars.CODEFLARE_MACHINE_NAME }}"
- git checkout -b $PR_BRANCH_NAME
- git commit -am "Update snyk-security.yaml"
- git push --set-upstream origin "$PR_BRANCH_NAME"
+ echo "Fetching tags"
+ git fetch origin 'refs/tags/*:refs/tags/*'
 
- - name: Create Pull Request
- run: |
- gh pr create \
- --title "$pr_title" \
- --body "$pr_body" \
- --head ${{ env.PR_BRANCH_NAME }} \
- --base main \
- --label "lgtm" \
- --label "approved"
- env:
- GITHUB_TOKEN: ${{ secrets.GH_CLI_TOKEN }}
- pr_title: "[CodeFlare-Machine] Append tag v${{ github.event.inputs.release-version }} to Snyk monitoring list"
- pr_body: |
- :rocket: This is an automated Pull Request generated by [release.yaml](https://github.com/project-codeflare/codeflare-sdk/blob/main/.github/workflows/release.yaml) workflow.
+ echo "Authenticating with Snyk"
+ snyk auth ${SNYK_TOKEN}
 
- This PR appends to the list of tags that Snyk will be monitoring.
+ echo "Scanning project: codeflare-sdk/v${{ github.event.inputs.release-version }}"
+ git checkout v${{ github.event.inputs.release-version }}
+ snyk monitor --all-projects --exclude=requirements.txt --org=${SNYK_ORG} --target-reference="$(git describe --tags)"
diff --git a/.github/workflows/snyk-security.yaml b/.github/workflows/snyk-security.yaml
index 3d43da45c..ba4af2dc9 100644
--- a/.github/workflows/snyk-security.yaml
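Review bot: With the commit/push and `gh pr create` steps removed, the `token: ${{ secrets.GH_CLI_TOKEN }}` on the checkout step, the `pull-requests: write` permission and the `PR_BRANCH_NAME` env entry that patch 1 added earlier in this file appear to have no remaining consumer (those lines sit outside this hunk, so confirm), and a PAT persisted in `.git/config` for the rest of the release job is exposure without benefit; revert them together with this change. `npm install -g snyk` pulls an unpinned CLI into the job that holds the publishing credentials, so pin it, e.g. `npm install -g snyk@<pinned-version>`. The `release` job starts outside this hunk.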
+++ b/.github/workflows/snyk-security.yaml
@@ -11,12 +11,6 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
 
- - name: Setup Node.js to cache dependencies
- uses: actions/setup-node@v4
- with:
- node-version: 20
- cache: 'npm'
-
 - name: Install Snyk CLI
 run: npm install -g snyk
 
@@ -33,13 +27,3 @@ jobs:

 echo "Scanning project: codeflare-sdk/main"
 snyk monitor --all-projects --exclude=requirements.txt --org=${SNYK_ORG} --target-reference="main"
-
- # This list is based off RHOAI Supported versions: https://access.redhat.com/support/policy/updates/rhoai-sm/lifecycle
- # Compared to the tags in the ImageStream annotations: https://github.com/red-hat-data-services/notebooks/blob/rhoai-2.8/manifests/base/jupyter-datascience-notebook-imagestream.yaml
- # Loop through the list of released tags and scan each project
- list_of_released_tags=("v0.22.0" "v0.21.1" "v0.19.1", "v0.16.4", "vv0.14.1")
- for project in "${list_of_released_tags[@]}"; do
- echo "Scanning project: codeflare-sdk/$project"
- git checkout $project
- snyk monitor --all-projects --exclude=requirements.txt --org=${SNYK_ORG} --target-reference="$(git describe --tags)"
- done