fix: security vulnerabilities and tracking workflow label (#2130)

Signed-off-by: matttrach <matt.trachier@suse.com>

Author: matttrach

.github/ISSUE_TEMPLATE/feature.md

@@ -0,0 +1,21 @@
+---
+name: Request a New Behavior
+about: Something is missing or outdated
+title: '[Feature] '
+labels: 'internal/user'
+assignees: ''
+
+---
+
+### Environment Information
+<!--Please add information on the same line in quotes. Eg. - Terraform version: "v1.13.0" -->
+- Rancher2 Provider version:
+- Rancher version:
+- Infrastructure Provider (AWS/GCP/vSphere/etc):
+
+### Describe the Feature
+
+<!--- 
+Please add relevant Terraform configs or examples so that we can fully understand what you would like.
+Please give us enough information to build an API or project plan.
+--->

.github/workflows/pull_request.yaml

@@ -7,6 +7,8 @@ env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GITHUB_OWNER: ${{ github.repository_owner }}
+  NIX_INSTALL_SHA: de490f61fcbaf9a5cabf2fa621ddb9ef93ad35d9a23a04e7d51b26e092b63691
+  NIX_INSTALL_VERSION: 2.34.4
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -26,7 +28,10 @@ jobs:
           fetch-depth: 0
       - name: install-nix
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix
@@ -43,7 +48,10 @@ jobs:
           fetch-depth: 0
       - name: install-nix
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix
@@ -62,7 +70,10 @@ jobs:
           fetch-depth: 0
       - name: install-nix
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix
@@ -79,7 +90,10 @@ jobs:
           fetch-depth: 0
       - name: install-nix
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix
@@ -100,7 +114,10 @@ jobs:
           fetch-depth: 0
       - name: install-nix
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix
@@ -118,7 +135,10 @@ jobs:
           fetch-depth: 0
       - name: install-nix
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix
@@ -138,7 +158,10 @@ jobs:
           fetch-depth: 0
       - name: install-nix
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix
@@ -224,7 +247,10 @@ jobs:
           fetch-depth: 0
       - name: install-nix
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix

.github/workflows/release.yml

@@ -10,6 +10,8 @@ env:
   AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test
   GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
   ALL_TESTS_JSON: '["TestOneBasic","TestThreeBasic","TestProductionBasic"]'
+  NIX_INSTALL_SHA: de490f61fcbaf9a5cabf2fa621ddb9ef93ad35d9a23a04e7d51b26e092b63691
+  NIX_INSTALL_VERSION: 2.34.4
 
 permissions:
   contents: write
@@ -96,7 +98,13 @@ jobs:
             await script({ core });
       - name: Get IP
         id: get-ip
-        run: echo "ip=$(curl -s https://ipinfo.io/ip)" >> "$GITHUB_OUTPUT"
+        run: |
+          IP=$(curl -s https://ipinfo.io/ip)
+          if ! [[ "$IP" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+            echo "Error: Invalid IP address format: $IP" >&2
+            exit 1
+          fi
+          echo "ip=$IP" >> "$GITHUB_OUTPUT"
       # artifacts are available to other jobs as soon as the step completes
       # unlike job outputs which are only available after the job completes
       # this artifact is a placeholder only, it has no content
@@ -163,7 +171,10 @@ jobs:
       - name: install-nix
         if: (steps.check-lock.outputs.status == 'clean' && steps.check-ip.outputs.status == 'clean') || strategy.job-index == 0
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix
@@ -256,7 +267,10 @@ jobs:
           output-credentials: true
       - name: install-nix
         run: |
-          curl -L https://nixos.org/nix/install | sh
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
           source /home/runner/.nix-profile/etc/profile.d/nix.sh
           nix --version
           which nix

.github/workflows/scripts/tracking-issue.js

@@ -41,7 +41,7 @@ export default async ({ github, core, process }) => {
     let pulls;
     try {
       pulls = await github.paginate(github.rest.search.issuesAndPullRequests, {
-        q: `repo:${owner}/${repo} is:pr state:open base:main -draft:true -label:internal/pr-tracked -label:internal/pr-backport -label:"autorelease: pending" -label:"autorelease: tagged"`
+        q: `repo:${owner}/${repo} is:pr state:open base:main -draft:true -label:internal/ignore -label:internal/pr-backport -label:"autorelease: pending" -label:"autorelease: tagged"`
       });
     } catch (error) {
       throw new Error(`Failed to retrieve pull requests for tracking issue: ${error.message}`);
@@ -76,12 +76,7 @@ export default async ({ github, core, process }) => {
         });
 
         if (existingIssues.length > 0) {
-          await github.rest.issues.addLabels({
-            owner: owner,
-            repo: repo,
-            issue_number: pr.number,
-            labels: ["internal/pr-tracked"]
-          });
+          // Note: You can't add labels to PRs submitted from forks.
           core.info(`Tracking issue already exists for PR #${pr.number}. Skipping.`);
           continue;
         }
@@ -132,12 +127,7 @@ export default async ({ github, core, process }) => {
           }
         });
 
-        await github.rest.issues.addLabels({
-          owner: owner,
-          repo: repo,
-          issue_number: pr.number,
-          labels: ["internal/pr-tracked"]
-        });
+        // Note: Labels can't be added to PRs from forks
       } catch (error) {
         errors.push(`Failed to process PR [${pr.number}](${pr.html_url}): ${error.message}`);
       }

.variables

@@ -1,6 +1,10 @@
-#!/bin/env sh
+#!/usr/bin/env bash
 export TF_IN_AUTOMATION=1
 TF_VAR_ip="$(curl -s 'https://api.ipify.org')"
+if ! [[ "$TF_VAR_ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+  echo "Error: Invalid IP address format: $IP" >&2
+  exit 1
+fi
 export TF_VAR_ip
 export ACME_SERVER_URL="https://acme-v02.api.letsencrypt.org/directory"
 # shellcheck disable=SC2140

GNUmakefile

@@ -1,4 +1,4 @@
-default: fmt lint build install generate test testacc
+default: fmt lint build generate test testacc
 
 fmt:
 	gofmt -s -w -e .
@@ -10,9 +10,6 @@ build:
 	rm -f ./bin/terraform-provider-rancher2
 	go build -o ./bin/ -v ./...
 
-install:
-	go install -v ./...
-
 generate:
 	cd tools; go generate ./...