Skip to content

Commit 13fbb33

Browse files
authored
Merge pull request #87 from awslabs/fix/separate-release-workflows
fix: separate release workflows for clean responsibility separation
2 parents d3f24ab + 80b97f1 commit 13fbb33

11 files changed

Lines changed: 96 additions & 100 deletions

File tree

.github/actions/setup-python-uv/action.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,7 @@ runs:
2323
- name: Install UV
2424
uses: astral-sh/setup-uv@v6
2525
with:
26+
version: "0.9.6"
2627
enable-cache: true
2728
cache-dependency-glob: "pyproject.toml"
2829
cache-suffix: ${{ inputs.cache-key-suffix }}
@@ -38,6 +39,10 @@ runs:
3839
shell: bash
3940
run: make generate-pyproject
4041

42+
- name: Upgrade pip to secure version
43+
shell: bash
44+
run: python -m pip install --upgrade pip>=25.3
45+
4146
- name: Install dependencies
4247
if: inputs.install-deps == 'true'
4348
shell: bash

.github/workflows/ci-quality.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,10 @@ on:
2222
- 'mypy.ini'
2323
- '.github/workflows/ci-quality.yml'
2424

25+
permissions:
26+
contents: read
27+
pull-requests: read
28+
2529
env:
2630
AWS_DEFAULT_REGION: us-east-1
2731
AWS_ACCESS_KEY_ID: testing

.github/workflows/ci-tests.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,10 @@ on:
2222
schedule:
2323
- cron: '0 2 * * *'
2424

25+
permissions:
26+
contents: read
27+
pull-requests: read
28+
2529
env:
2630
AWS_DEFAULT_REGION: us-east-1
2731
AWS_ACCESS_KEY_ID: testing

.github/workflows/container-build.yml

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,8 @@ on:
1313
- 'deployment/docker/**'
1414
- 'dev-tools/scripts/container_build.sh'
1515
- '.github/workflows/container-build.yml'
16+
release:
17+
types: [published]
1618
pull_request:
1719
branches: [ main, develop ]
1820
paths:
@@ -22,10 +24,6 @@ on:
2224
- 'deployment/docker/**'
2325
- 'dev-tools/scripts/container_build.sh'
2426
- '.github/workflows/container-build.yml'
25-
issue_comment:
26-
types: [created]
27-
release:
28-
types: [published]
2927
workflow_dispatch:
3028
inputs:
3129
push_images:
@@ -34,6 +32,11 @@ on:
3432
default: false
3533
type: boolean
3634

35+
permissions:
36+
contents: read
37+
packages: write
38+
pull-requests: read
39+
3740
jobs:
3841
config:
3942
name: Configuration

.github/workflows/sbom.yml

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
name: Software Bill of Materials (SBOM)
2+
3+
on:
4+
release:
5+
types: [published]
6+
push:
7+
branches: [main]
8+
paths:
9+
- 'pyproject.toml'
10+
- 'requirements*.txt'
11+
- 'uv.lock'
12+
workflow_dispatch:
13+
14+
permissions:
15+
contents: read
16+
actions: read
17+
18+
jobs:
19+
config:
20+
name: Configuration
21+
uses: ./.github/workflows/shared-config.yml
22+
23+
generate-sbom:
24+
name: Generate SBOM
25+
runs-on: ubuntu-latest
26+
needs: config
27+
28+
steps:
29+
- name: Checkout code
30+
uses: actions/checkout@v6.0.1
31+
32+
- name: Setup Python and UV
33+
uses: ./.github/actions/setup-python-uv
34+
with:
35+
python-version: ${{ needs.config.outputs.default-python-version }}
36+
37+
- name: Generate SBOM
38+
run: |
39+
source .venv/bin/activate
40+
make sbom-generate
41+
42+
- name: Upload SBOM artifacts
43+
uses: actions/upload-artifact@v4
44+
with:
45+
name: sbom-files
46+
path: |
47+
*.spdx.json
48+
*.cyclonedx.json
49+
retention-days: 30

.github/workflows/semantic-release.yml

Lines changed: 1 addition & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,6 @@ permissions:
2828
pull-requests: read
2929
id-token: write
3030
packages: write
31-
actions: write
3231

3332
jobs:
3433
release:
@@ -48,10 +47,6 @@ jobs:
4847
with:
4948
python-version: '3.11'
5049

51-
- name: Get project configuration
52-
id: config
53-
uses: ./.github/actions/get-config
54-
5550
- name: Install semantic-release
5651
run: |
5752
source .venv/bin/activate
@@ -60,8 +55,6 @@ jobs:
6055
- name: Run semantic release
6156
env:
6257
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
63-
REGISTRY: ${{ steps.config.outputs.container-registry }}
64-
IMAGE_NAME: ${{ steps.config.outputs.container-image }}
6558
RELEASE_MODE: ${{ inputs.mode || 'forward' }}
6659
RELEASE_COMMIT: ${{ inputs.commit }}
6760
RELEASE_VERSION: ${{ inputs.version }}
@@ -77,7 +70,7 @@ jobs:
7770
RELEASE_MODE=historical RELEASE_COMMIT=${{ inputs.commit }} RELEASE_VERSION=${{ inputs.version }} semantic-release version
7871
elif [ "${{ inputs.mode }}" = "analysis" ]; then
7972
echo "Running release analysis"
80-
RELEASE_MODE=analysis ./dev-tools/release/orchestrator.sh
73+
RELEASE_MODE=analysis ./dev-tools/release/analyze_rc_readiness.sh
8174
else
8275
echo "Running forward release with semantic-release"
8376
semantic-release version

.github/workflows/suggest-rc.yml

Lines changed: 0 additions & 71 deletions
This file was deleted.

Dockerfile

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,14 +6,22 @@ ARG PACKAGE_NAME_SHORT=orb
66

77
FROM python:${PYTHON_VERSION}-slim
88

9+
# Update system packages to fix security vulnerabilities
10+
RUN apt-get update && \
11+
apt-get upgrade -y && \
12+
apt-get install -y --no-install-recommends \
13+
ca-certificates=20250419 && \
14+
apt-get clean && \
15+
rm -rf /var/lib/apt/lists/*
16+
917
ARG PYTHON_VERSION=3.13
1018
ARG PACKAGE_NAME_SHORT=orb
1119

1220
# Security: Update system packages and install security updates
1321
RUN apt-get update && \
1422
apt-get upgrade -y && \
1523
apt-get install -y --no-install-recommends \
16-
ca-certificates && \
24+
ca-certificates=20250419 && \
1725
apt-get clean && \
1826
rm -rf /var/lib/apt/lists/* && \
1927
# Security: Upgrade setuptools to latest version
@@ -42,7 +50,7 @@ ENV BUILD_DATE="${BUILD_DATE}" \
4250

4351
# Install runtime dependencies and create user in single layer
4452
RUN apt-get update && apt-get install -y --no-install-recommends \
45-
ca-certificates \
53+
ca-certificates=20250419 \
4654
&& rm -rf /var/lib/apt/lists/* \
4755
&& apt-get clean \
4856
&& groupadd -r "${PACKAGE_NAME_SHORT:-orb}" \
Lines changed: 13 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
logger = logging.getLogger(__name__)
1212

1313

14-
def detect_secrets(source_dir: str = "src") -> bool:
14+
def detect_credentials(source_dir: str = "src") -> bool:
1515
"""Detect potential hardcoded secrets in Python files."""
1616

1717
# Pattern to match potential secrets
@@ -36,39 +36,38 @@ def detect_secrets(source_dir: str = "src") -> bool:
3636
logger.error(f"Source directory '{source_dir}' not found")
3737
return False
3838

39-
found_secrets = []
39+
found_issues = []
4040

4141
for py_file in source_path.rglob("*.py"):
4242
try:
4343
with open(py_file, encoding="utf-8") as f:
4444
content = f.read()
4545

4646
for line_num, line in enumerate(content.split("\n"), 1):
47-
matches = secret_pattern.findall(line)
48-
for _match in matches:
47+
# Check if line contains potential secrets without storing the match content
48+
if secret_pattern.search(line):
4949
# Check if this is an exception
5050
if not any(exc in line for exc in exceptions):
51-
found_secrets.append(f"{py_file}:{line_num}: {line.strip()}")
51+
# Store only file path and line number to avoid retaining credential content
52+
found_issues.append((str(py_file), line_num))
5253

5354
except Exception as e:
5455
logger.warning(f"Could not read {py_file}: {e}")
5556

56-
if found_secrets:
57-
logger.error("Potential hardcoded secrets found:")
58-
for secret in found_secrets:
59-
# Security: Don't log the actual secret content, only the location
60-
logger.error(
61-
f" Secret detected at: {secret.split(':')[0] if ':' in secret else 'unknown location'}"
62-
)
57+
if found_issues:
58+
logger.error("Potential hardcoded credentials found:")
59+
for file_path, line_number in found_issues:
60+
# Security: Log only file and line number, never the actual credential content
61+
logger.error(f" Issue detected at: {file_path}:{line_number}")
6362
return False
6463
else:
65-
logger.info("No hardcoded secrets detected")
64+
logger.info("No hardcoded credentials detected")
6665
return True
6766

6867

6968
def main():
7069
"""Main function."""
71-
if not detect_secrets():
70+
if not detect_credentials():
7271
sys.exit(1)
7372
sys.exit(0)
7473

pyproject.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
[build-system]
2-
requires = ["setuptools>=61.0", "wheel"]
2+
requires = ["setuptools>=80.9.0", "wheel"]
33
build-backend = "setuptools.build_meta"
44

55
[project]

0 commit comments

Comments
 (0)