Importing JosiahSiegel GHA: [email protected]
checksum-validate-action (v1.5) -> ebdf8c12c00912d18de93c483b935d51582f9236 Outdated: Latest commit 806ce2fa215d520071c6d4faf8d2588a65e23749
Note: upstream has continued development past the pinned commit, and those later changes are not referenced or used in the project (see link).
This external repo is now inserted in the file structure at: .github/actions/checksum-validate-action in the importing-gha branch.
$GITHUB_STEP_SUMMARY
$GITHUB_OUTPUT
env.sha
github.sha
inputs.input
inputs.key
matrix.os
steps.input_sha.outputs.sha
steps.valid-command.outputs.valid
steps.valid-string.outputs.valid
steps.validate_checksum.outputs.valid
The steps below must be performed to import an external GitHub Action repository. Note: treat these steps as a guideline; each project will require additional steps of its own.
A personal/professional comment I would like to point out: I do not believe this is the correct approach for importing these external/remote GitHub Actions. Nevertheless, sometimes what is correct is not what is needed/required, so it's all based on context. My approach would always tend to be as follows:
Perform this specific set of tasks once:
- Fork the target external/remote GitHub repository into our GitHub organization.
- Define a default branch (e.g. a RELEASE branch) that is used and active when the action is invoked.
- Determine the trusted release (commit hash) that we will always control and maintain.
- Replace/update any self-references to the upstream repository with the GitHub organization entity.
- Generate/update a default-release TAG (e.g. latest) to be used consistently, so that references to this release never need updating. For example: uses: CDCgov/devsecops/checksum-validate@latest
Perform these tasks periodically or when upstream updates are published:
- Periodically sync your fork with its remote/origin (the upstream repository) so you keep up with ongoing upstream development.
- Replace/update any self-references to the upstream repository with the GitHub organization entity.
- Test the latest updates and update your release branch with these enhancements.
- Move your default-release TAG to these latest changes (no references need updating).
Conclusion: these tasks are significantly less time-consuming and more effort-efficient for following upstream development while maintaining the desired/required level of control and safety for our project. Nevertheless, it's critical that we maintain and support a unified vision, so we will have to focus on abiding by the existing guideline so that we can all succeed in our roles.
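As an added example (not part of the original write-up, and not the project's own tooling), the shell script below exercises the fork-and-release-tag strategy from the list above against two constructed local repositories, so it runs offline: a stand-in "upstream" with two commits, a "fork" of it, and a pin_release function that fast-fails unless the requested hash is a real commit on upstream's history before it moves the release branch and the moving latest tag. The directory names, the release branch and the latest tag are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not from the original write-up: the "fork, pin a trusted
# commit, move a release tag" strategy exercised against two constructed
# local repositories. The directory names, the "release" branch and the
# "latest" tag are assumptions made for this demo.
set -eu

# Author identity passed with -c so the demo also works where git has no
# global config.
GIT="git -c user.name=demo -c user.email=demo@example.invalid"

# Constructed stand-in for the vendor's repository: two commits on main.
make_upstream() {
  dir=$1
  mkdir -p "$dir"
  $GIT -C "$dir" init -q
  $GIT -C "$dir" symbolic-ref HEAD refs/heads/main
  printf 'name: demo-action\nruns:\n  using: composite\n' > "$dir/action.yml"
  $GIT -C "$dir" add action.yml
  $GIT -C "$dir" commit -q -m "initial action"
  printf '# later upstream change, not yet reviewed\n' >> "$dir/action.yml"
  $GIT -C "$dir" add action.yml
  $GIT -C "$dir" commit -q -m "later upstream change"
}

# The organisation's fork: a clone with the vendor wired in as "upstream".
make_fork() {
  upstream=$1
  dir=$2
  $GIT clone -q "$upstream" "$dir"
  $GIT -C "$dir" remote add upstream "$upstream"
}

# Periodic task: fetch upstream, accept only a full commit that really is
# in upstream's history, then point the release branch and the moving
# "latest" tag at it. Returns 1 and changes nothing otherwise, so a typo
# or an unreviewed hash can never become the released version.
pin_release() {
  dir=$1
  trusted=$2
  $GIT -C "$dir" fetch -q upstream
  $GIT -C "$dir" cat-file -e "$trusted^{commit}" 2>/dev/null || return 1
  $GIT -C "$dir" merge-base --is-ancestor "$trusted" upstream/main || return 1
  $GIT -C "$dir" branch -f release "$trusted" >/dev/null
  $GIT -C "$dir" tag -f latest release >/dev/null
}

# What consumers of "@latest" actually receive.
latest_commit() {
  $GIT -C "$1" rev-parse "latest^{commit}"
}

# Demo run: pin the fork to the first upstream commit while upstream has
# already moved on, the same situation as the action imported above.
WORK=$(mktemp -d)
make_upstream "$WORK/upstream"
make_fork "$WORK/upstream" "$WORK/fork"
TRUSTED=$($GIT -C "$WORK/upstream" rev-parse HEAD~1)
pin_release "$WORK/fork" "$TRUSTED"
echo "latest -> $(latest_commit "$WORK/fork") (trusted: $TRUSTED)"
```

Consumers reference the fork as org/action@latest and never change that line; the only thing that moves is where the fork's latest tag points, and it can only move to a commit that has been checked against upstream's history.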
1. Always checkout the MAIN branch:
$ git checkout main ;
Switched to branch 'main'
Your branch is up to date with 'origin/main'.
2. Always update the MAIN branch:
$ git pull ;
remote: Enumerating objects: ?, done.
remote: Counting objects: 100% (?/?), done.
remote: Compressing objects: 100% (?/?), done.
remote: Total ? (delta ?), reused ? (delta ?), pack-reused 0 (from 0)
Unpacking objects: 100% (?/?), ?.? KiB | ?.? MiB/s, done.
From https://github.com/CDCgov/prime-reportstream
abc..xyz main -> origin/main
. . .
Updating abc..xyz
Fast-forward
. . .
3. Create local branch using pattern-naming convention:
$ git checkout -b devsecops/<user-id>/<github-action> ;
Switched to a new branch 'devsecops/<user-id>/<github-action>'
4. Push existing branch state to remote:
$ git push --set-upstream origin devsecops/<user-id>/<github-action> ;
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
remote:
remote: Create a pull request for 'devsecops/<user-id>/<github-action>' on GitHub by visiting:
remote: https://github.com/CDCgov/prime-reportstream/pull/new/devsecops/<user-id>/<github-action>
remote:
remote: GitHub found ? vulnerabilities on CDCgov/prime-reportstream's default branch (? high, ? low).
To find out more, visit:
remote: https://github.com/CDCgov/prime-reportstream/security/dependabot
remote:
To https://github.com/CDCgov/prime-reportstream.git
* [new branch] devsecops/<user-id>/<github-action> -> devsecops/<user-id>/<github-action>
branch 'devsecops/<user-id>/<github-action>'
set up to track 'origin/devsecops/<user-id>/<github-action>'.
5. Create target container (filesystem folder) for the external/remote GitHub Action:
$ cd .github/actions/ ;
$ mkdir <github-action> && cd $_ ;
$ ls -al ;
total 0
drwxr-xr-x 2 <user-id> staff 64 Dec 5 14:51 .
drwxr-xr-x 26 <user-id> staff 832 Dec 5 14:51 ..
$ pwd ;
/repos/hhs/cdc/prime-reportstream/.github/actions/<github-action>
6. Clone the external/remote repository GitHub Action:
$ git clone https://github.com/<vendor-id>/<github-action>.git . ;
Cloning into '.'...
remote: Enumerating objects: 143, done.
remote: Counting objects: 100% (80/80), done.
remote: Compressing objects: 100% (52/52), done.
remote: Total 143 (delta 38), reused 46 (delta 24), pack-reused 63 (from 1)
Receiving objects: 100% (143/143), 52.98 KiB | 645.00 KiB/s, done.
Resolving deltas: 100% (47/47), done.
7. Listing local repository file structure:
$ tree -a ;
.
├── .git ...
├── .github
│ ├── dependabot.yml
│ └── workflows
│ └── test_action.yml
├── README.md
└── action.yml
19 directories, 32 files
8. Listing local repository log:
$ git log ;
commit 806ce2fa215d520071c6d4faf8d2588a65e23749 (HEAD -> main, origin/main, origin/HEAD)
Merge: abcb2c6 59444f8
Author: <vendor-id> <5522990+<vendor-id>@users.noreply.github.com>
Date: Fri Aug 2 08:36:54 2024 -0400
Merge pull request #31 from <vendor-id>/dependabot/github_actions/actions/download-artifact-4.1.8
Bump actions/download-artifact from 4.1.7 to 4.1.8
. . .
9. Checkout target hash-commit (referenced in the PRIME-ReportStream application):
$ git checkout ebdf8c12c00912d18de93c483b935d51582f9236 ;
Note: switching to 'ebdf8c12c00912d18de93c483b935d51582f9236'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at ebdf8c1 Merge pull request #16 from <vendor-id>/dependabot/github_actions/actions/download-artifact-4.1.2
10. Listing the GitHub Action (action.yml) change log:
$ git log -p ./action.yml ;
commit 20fe3f0b1e20bf44f7c1c0dde8b7e6798ac123e7
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri Feb 16 14:57:08 2024 +0000
Bump actions/download-artifact from 4.1.0 to 4.1.2
Bumps [actions/download-artifact](https://github.com/actions/download-artifact)
from 4.1.0 to 4.1.2.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/f44cd7b...eaceaf8)
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
diff --git a/action.yml b/action.yml
index 149b759..1ad3023 100644
--- a/action.yml
+++ b/action.yml
@@ -77,7 +77,7 @@ runs:
# VALIDATE FILE START
- name: Download checksum file
if: inputs.validate == 'true'
- uses: actions/download-artifact@f44cd7b
+ uses: actions/download-artifact@eaceaf8
with:
name: "${{ github.sha }}-${{ inputs.key }}.txt"
. . .
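Review bot: the bump at `+ uses: actions/download-artifact@eaceaf8` pins the dependency to a 7-character abbreviated hash, while the rest of this import deliberately works with full 40-character hashes (step 9 checks out `ebdf8c12c00912d18de93c483b935d51582f9236`). An abbreviated hash is only a prefix and can become ambiguous as the upstream repository grows, so when this `action.yml` is vendored, expand the reference to the full commit hash and keep the version as a trailing comment (`uses: actions/download-artifact@<full 40-character hash> # v4.1.2`), which is the form Dependabot can continue to update.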
11. Purge non-usable components (e.g.: .git and .github folders):
$ rm -rf .git .github ;
$ ls -al ;
total 16
drwxr-xr-x 4 <user-id> staff 128 Dec 5 15:00 .
drwxr-xr-x 26 <user-id> staff 832 Dec 5 14:51 ..
-rw-r--r-- 1 <user-id> staff 2475 Dec 5 14:52 README.md
-rw-r--r-- 1 <user-id> staff 3358 Dec 5 14:54 action.yml
12. Modify the configuration files that need to be updated:
$ git status ;
On branch devsecops/<user-id>/<github-action>
Your branch is up to date with 'origin/devsecops/<user-id>/<github-action>'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: dependabot.yml
Untracked files:
(use "git add <file>..." to include in what will be committed)
actions/<github-action>/
no changes added to commit (use "git add" and/or "git commit -a")
13. Modify the dependabot.yml file and review its changes:
$ git log -p ./dependabot.yml ;
commit fba4665dd899767e4ea4da2c6cc5418bef835037
Author: Eduardo Valdes <[email protected]>
Date: Thu Dec 5 15:06:13 2024 -0700
Integrating the <github-action> GitHub Action into project
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 498f787b1..6365ac269 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -125,6 +125,11 @@ updates:
schedule:
interval: "daily"
+ - package-ecosystem: "github-actions"
+ directory: "/.github/actions/<github-action>"
+ schedule:
+ interval: "daily"
+
# Frontend
- package-ecosystem: "npm"
directory: "/frontend-react"
. . .
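Review bot: the new `github-actions` entry pointing Dependabot at `/.github/actions/<github-action>` means Dependabot will open PRs that bump the `uses:` references inside the vendored `action.yml`, so the copy will drift from the upstream commit `ebdf8c1` that step 9 checked out and that step 20 records in the README. Decide that explicitly in this PR: either accept the drift and update the recorded hash whenever such a bump merges, or leave the vendored directory out of Dependabot and refresh it only by re-importing a newly reviewed upstream commit.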
14. Modify, if needed/required, the .github/actions/<github-action>/action.yml file and review its changes:
$ git log ./actions/<github-action>/action.yml ;
commit fba4665dd899767e4ea4da2c6cc5418bef835037
Author: Eduardo Valdes <[email protected]>
Date: Thu Dec 5 15:06:13 2024 -0700
Integrating the <github-action> GitHub Action into project
. . .
15. Stage and list all changes:
$ git add . ;
$ git status ;
On branch devsecops/<user-id>/<github-action>
Your branch is up to date with 'origin/devsecops/<user-id>/<github-action>'.
Changes to be committed:
(use "git restore --staged <file>..." to unstage)
new file: actions/<github-action>/README.md
new file: actions/<github-action>/action.yml
modified: dependabot.yml
16. Commit with a meaningful message:
$ git commit -m "Integrating the <github-action> GitHub Action into project" ;
[devsecops/<user-id>/<github-action> fba4665dd]
Integrating the <github-action> GitHub Action into project
3 files changed, 210 insertions(+)
create mode 100644 .github/actions/<github-action>/README.md
create mode 100644 .github/actions/<github-action>/action.yml
17. Listing current local repository status:
$ git status ;
On branch devsecops/<user-id>/<github-action>
Your branch is ahead of 'origin/devsecops/<user-id>/<github-action>' by 1 commit.
(use "git push" to publish your local commits)
nothing to commit, working tree clean
18. Push the changes to the remote repository:
$ git push ;
Enumerating objects: 12, done.
Counting objects: 100% (12/12), done.
Delta compression using up to 12 threads
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 2.44 KiB | 2.44 MiB/s, done.
Total 8 (delta 4), reused 0 (delta 0), pack-reused 0 (from 0)
remote: Resolving deltas: 100% (4/4), completed with 4 local objects.
remote:
remote: GitHub found 3 vulnerabilities on CDCgov/prime-reportstream's default branch (2 high, 1 low).
To find out more, visit:
remote: https://github.com/CDCgov/prime-reportstream/security/dependabot
remote:
To https://github.com/CDCgov/prime-reportstream.git
e564319f2..fba4665dd devsecops/<user-id>/<github-action> -> devsecops/<user-id>/<github-action>
19. Search for all references to this package across the GitHub Workflows and Actions:
$ find . -type f | xargs -I {} egrep -Hni "<vendor-id>/<github-action>" {} ;
./actions/<github-action>/README.md:3:[![Test Action](https://github.com/<vendor-id>/<github-action>/actions/workflows/test_action.yml/badge.svg)](https://github.com/<vendor-id>/<github-action>/actions/workflows/test_action.yml)
./actions/<github-action>/README.md:22: uses: <vendor-id>/<github-action>@<package-version>
./actions/<github-action>/README.md:28: uses: <vendor-id>/<github-action>@<package-version>
./actions/<github-action>/README.md:43: uses: <vendor-id>/<github-action>@<package-version>
./actions/<github-action>/README.md:52: uses: <vendor-id>/<github-action>@<package-version>
20. Make sure the external references in the documentation point to the local repository.
Note: since our strategy is to target commit hashes, these exact hashes must also appear in the documentation to reinforce awareness of this point.
$ git log -p ./README.md ;
commit 58cdc60ac91f7a688a79bb1c8ceb278e73af0e4f (HEAD -> devsecops/<user-id>/<github-action>, origin/devsecops/<user-id>/<github-action>)
Author: Eduardo Valdes <[email protected]>
Date: Thu Dec 5 15:15:57 2024 -0700
Correcting all external references to the checksum-validate-action GitHub Action
diff --git a/.github/actions/<github-action>/README.md b/.github/actions/<github-action>/README.md
index e6e62a4ca..b228bfcab 100644
--- a/.github/actions/<github-action>/README.md
+++ b/.github/actions/<github-action>/README.md
@@ -19,13 +19,13 @@ jobs:
- uses: actions/[email protected]
- name: Generate checksum of string
- uses: <vendor-id>/<github-action>@v1
+ uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
with:
key: test string
input: hello world
- name: Generate checksum of command output
- uses: <vendor-id>/<github-action>@v1
+ uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
with:
key: test command
input: $(cat action.yml)
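Review bot: the replacement lines `uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236` combine a local path with an `@ref`, which is not how `uses:` works for an action in the same repository: a `./` action is read from the commit the workflow checked out, so the text after `@` is taken as part of the directory name rather than as a pin, and anyone who copies this README snippet into a workflow gets a step the runner cannot resolve. Keep the pin visible without breaking the syntax by putting it in a comment on the same line, e.g. `uses: ./.github/actions/<github-action> # vendored from <vendor-id>/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236`, and apply the same change to the other hunks of this diff.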
@@ -40,7 +40,7 @@ jobs:
- name: Validate checksum of valid string
id: valid-string
- uses: <vendor-id>/<github-action>@v1
+ uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
with:
key: test string
validate: true
@@ -49,7 +49,7 @@ jobs:
- name: Validate checksum of valid command output
id: valid-command
- uses: <vendor-id>/<github-action>@v1
+ uses: ./.github/actions/<github-action>@ebdf8c12c00912d18de93c483b935d51582f9236
with:
key: test command
validate: true
@@ -91,4 +91,4 @@ inputs:
outputs:
valid:
description: True if checksums match
-```
\ No newline at end of file
+```
. . .
21. Update these references with calls to the local repository (e.g.: .github/actions/
$ git status ;
On branch devsecops/<user-id>/<github-action>
Your branch is up to date with 'origin/devsecops/<user-id>/<github-action>'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: actions/<github-action>/README.md
modified: actions/deploy-backend/action.yml
modified: workflows/release_to_azure.yml
no changes added to commit (use "git add" and/or "git commit -a")
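As an added example (not part of the original write-up or the project's tooling) that generalizes the find/egrep search of step 19 and the reference fixes of steps 20 and 21: the shell audit below lists every `uses:` reference under a workflows/actions tree and flags anything not pinned to a full 40-character commit hash, including a local `./` path that carries an `@ref` (the checked-out commit is what pins a local action, not the suffix). The sample workflow it creates and the 40-hex hash inside it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original write-up: an audit of every "uses:"
# reference under a workflows/actions tree, reporting anything that is not
# pinned to a full 40-character commit hash. The sample workflow it builds
# and the 40-hex hash in it are constructed for the demo.
set -eu

# Constructed sample tree with one workflow mixing the reference styles
# seen in the README diff above: a tag, a short hash, a full hash, a plain
# local path, a local path carrying an @ref, and a docker image.
make_sample_workflows() {
  dir=$1
  mkdir -p "$dir/.github/workflows"
  cat > "$dir/.github/workflows/ci.yml" <<'EOF'
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/download-artifact@eaceaf8"
      - name: pinned third-party action
        uses: example-vendor/example-action@0123456789abcdef0123456789abcdef01234567 # v1.5
      - uses: ./.github/actions/checksum-validate-action
      - uses: ./.github/actions/checksum-validate-action@0123456789abcdef0123456789abcdef01234567
      - uses: docker://alpine:3.19
EOF
}

# Print "file:line reference" for every uses: line under a directory.
list_uses_refs() {
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) \
    -exec grep -Hn '^[[:space:]]*-\{0,1\}[[:space:]]*uses:' {} + |
    sed -E 's/^([^:]+:[0-9]+):[[:space:]]*-?[[:space:]]*uses:[[:space:]]*"?([^"[:space:]#]+)"?.*$/\1 \2/'
}

# Classify one reference. Only a full 40-hex hash after "@" counts as
# pinned; a 7-39 hex string is an abbreviated hash that can become
# ambiguous as the repository grows; anything else is a mutable tag or
# branch. A "./" action is taken from the checked-out commit, so an @ref
# on it pins nothing and is flagged.
classify_ref() {
  ref=$1
  case $ref in
    docker://*) echo "skip docker-image" ;;
    ./*) case $ref in *@*) echo "local-path-with-ref" ;; *) echo "ok local" ;; esac ;;
    *@*)
      sha=${ref##*@}
      if printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then echo "ok pinned"
      elif printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{7,39}$'; then echo "short-hash"
      else echo "mutable-tag-or-branch"; fi ;;
    *) echo "missing-ref" ;;
  esac
}

# Audit a tree: print one line per finding and return 1 if there are any,
# so the function can gate a CI job.
audit_action_pins() {
  findings=$(list_uses_refs "$1" | while read -r loc ref; do
    verdict=$(classify_ref "$ref")
    case $verdict in
      ok*|skip*) ;;
      *) printf '%s %s -> %s\n' "$loc" "$ref" "$verdict" ;;
    esac
  done)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Demo run against the constructed tree (3 findings, exit status 1).
if [ "${1:-}" = "--demo" ]; then
  D=$(mktemp -d)
  make_sample_workflows "$D"
  audit_action_pins "$D" || echo "unpinned references found"
  rm -rf "$D"
fi
```

Run with `--demo` to see the three findings; pointing audit_action_pins at the real `.github` directory after step 21 gives a quick check that no `@v1`-style reference to the vendor survived and that the vendored copy's own `uses:` lines are pinned.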
22. Push these latest changes to the upstream repository (project):
$ git add . && git commit -m "Correcting external references to the <github-action> GitHub Action" ;
[devsecops/<user-id>/<github-action> 58cdc60ac]
Correcting all external references to the <github-action> GitHub Action
3 files changed, 7 insertions(+), 13 deletions(-)
$ git push ;
Enumerating objects: 19, done.
Counting objects: 100% (19/19), done.
Delta compression using up to 12 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (10/10), 939 bytes | 939.00 KiB/s, done.
Total 10 (delta 7), reused 0 (delta 0), pack-reused 0 (from 0)
remote: Resolving deltas: 100% (7/7), completed with 7 local objects.
remote:
remote: GitHub found 3 vulnerabilities on CDCgov/prime-reportstream's default branch (2 high, 1 low).
To find out more, visit:
remote: https://github.com/CDCgov/prime-reportstream/security/dependabot
remote:
To https://github.com/CDCgov/prime-reportstream.git
fba4665dd..58cdc60ac devsecops/<user-id>/<github-action> -> devsecops/<user-id>/<github-action>
The following pull request will be merged into the MAIN branch after all unit tests complete and a full peer review: https://github.com/CDCgov/prime-reportstream/pull/16728
23. Make sure to provide correct and meaningful information to the Pull Request.

24. Make sure all validation (unit-testing) stages have completed and passed.
Note: at times some non-required tests may fail and you might still be able to merge into the MAIN branch, but this should be avoided.

25. Review all your intermediate commits (made while working out the details) and decide which are required/valuable and which are irrelevant, so the latter can be purged (squashed) at the MERGE stage.

26. Perform a basic overview of the build, focusing on the stages and tests related to your changes. Make sure anything else outside your control/domain is reported to the development team.
