HADOOP-19858: ci: Add CodeQL scanning for github actions #8428
ajfabbri merged 5 commits into apache:trunk from
@pan3793 if you like this, we can merge it and it should give us extra feedback on our GH actions development. I wanted some extra help with the security scanning part: This tool should alert us if we make common mistakes during our CI actions development.
🎊 +1 overall
This message was automatically generated.
| runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | ||
| permissions: | ||
| # required for all workflows | ||
| security-events: write |
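Review bot: the `runs-on` conditional on `matrix.language == 'swift'` is template boilerplate; since this workflow only scans the `actions` language (per the PR description), `runs-on: ubuntu-latest` is sufficient and avoids a macOS runner ever being selected. Separately, the `# required for all workflows` comment above `security-events: write` would be clearer if it said what the permission is actually for (uploading SARIF results to code scanning), together with a note that on `pull_request` events from forks GitHub downgrades write permissions to read-only, so the upload step should be verified on a fork PR rather than assumed to work.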
I think on.pull_request will limit this to read, so it does not take effect for PRs.
Thanks for the review. Hummm. The first commit was generated by GitHub. Do you have a link you can share?
"if the workflow was triggered by a pull request event other than pull_request_target from a forked repository, and the Send write tokens to workflows from pull requests setting is not selected, the permissions are adjusted to change any write permissions to read only."
Ah yes, the Default config for CodeQL does not support fork pull requests, but the Advanced config is supposed to, I think. Related: github/codeql#19698. This PR creates an Advanced config (i.e. we have an explicit codeql action .yml versus the push-button enabling of Default CodeQL in the github repository settings).
Thanks @pan3793 for helping test this with ajfabbri/hadoop/pull/3. Looks like it works OK. Did you have any problems on your side?
Yes, it works in your forked repo, as you are the owner of that repo. But are you sure we are granted sufficient permission to enable it in the apache/hadoop repo? I didn't find this option, which is mentioned by https://docs.github.com/en/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configuring-advanced-setup-for-code-scanning
I think it should work but we need to test. If we get stuck we can ask infra for help. Do you want to merge and try it out, or should I attempt testing on a branch upstream?
I'm not against merging this (but maybe not in its current shape), and we can always revert if it does not work.
BTW, maybe the fastest way to check it is to contact the ASF infra team in Slack?
They are pretty busy but I started a thread here.
Can you please re-review this and let me know if you want particular changes? I left some of the generated comments that I felt would be useful for future authors.
BTW, I think this should just work (in my test advanced security is automatically enabled when you add a relevant workflow). Also note this comment which implies it is active for this apache repo: #8428 (comment)
@pan3793 here is an example run ajfabbri#1
Added commit which filters pull_request triggers to only happen if something in Also rebased on latest trunk.
Co-authored-by: Cheng Pan <pan3793@gmail.com>
Thank you @pan3793. I applied your suggestions. Will merge once CI is green and will create a test PR to ensure it works OK from trunk.
Description of PR
For HADOOP-19858, in #8412, we need help with the tricky task of creating new github actions for CI with our public repo.
This PR enables CodeQL scanning for our github actions/workflows. For more detail:
https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql/
We can expand the set of languages in the future to include Java, etc. I'd like to start by just scanning actions' YAML and see how it goes.
How was this patch tested?
Via this PR.
For code changes:
If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?
AI Tooling
If an AI tool was used:
where is the name of the AI tool used.
https://www.apache.org/legal/generative-tooling.html
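For readers who want to see what the kind of advanced-setup workflow discussed in this thread looks like, here is an added illustration (not the PR's own file): a CodeQL workflow that scans only the `actions` language, pins `runs-on` to Linux, declares the `security-events: write` permission the review comments debate, and filters the `pull_request` trigger to workflow-related paths. The file name, the `trunk` branch filter, the `.github/**` path filter, the schedule and the action versions are assumptions.

```yaml
# .github/workflows/codeql.yml (illustrative file name; not the PR's own file)
name: CodeQL (GitHub Actions workflows)

on:
  push:
    branches: [ trunk ]
  pull_request:
    branches: [ trunk ]
    # Run on PRs only when workflow or action definitions change (assumed filter).
    paths:
      - '.github/**'
  schedule:
    - cron: '30 3 * * 1'   # weekly run picks up newly published queries

permissions:
  contents: read           # default for all jobs; widen only where needed

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest   # only the 'actions' language is scanned, so no macOS branch
    permissions:
      contents: read
      actions: read
      # Needed to upload SARIF results to code scanning. For pull_request
      # events from forks GitHub downgrades write permissions to read, so
      # verify the upload on a fork PR before relying on alerts there.
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: actions
            build-mode: none
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # security-extended adds the broader Actions query suite
          queries: security-extended

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Adding further languages later means extending the `matrix.include` list (with the matching `build-mode`), which is the expansion path the PR description mentions.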