Push directly to ironbank from github actions #6448
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
…nk unless i do an interactive login session which is not possible in this ci setting Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
…g the issue Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Amndeep7
changed the title
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
…s so that maybe the shell expansion happens Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
…anch name, added the directive to delete the branch on merge, and am trying everything on the minimal set of perms again Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
…e in heimdall server release Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Amndeep7
changed the title
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
…hardcoded in Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
|
em-c-rod
reviewed
Jan 6, 2025
| sed -i s/HEIMDALL_VERSION=\.\*/HEIMDALL_VERSION=${{ steps.format-tag.outputs.replaced }}/ Dockerfile | ||
| git diff | ||
| git add hardening_manifest.yaml Dockerfile | ||
| git -c "user.name=Automated Heimdall Release" -c "user.email=saf@groups.mitre.org" commit -s -m "Updating Heimdall to ${{ steps.format-tag.outputs.replaced }}" |
There was a problem hiding this comment.
Do you still want to change the user.email? Using saf@groups.mitre.org seems appropriate to me.
em-c-rod
reviewed
Jan 6, 2025
| @@ -9,18 +9,27 @@ on: | |||
| description: 'Version' | |||
| required: true | |||
|
|
|||
| env: | |||
| IRONBANK_HEIMDALL_PROJECT_ID: 5450 # this is for heimdall (non mainline) - I think these can be in-line envs instead of supplied by github repo/org level secrets/values since each push/release workflow will have a unique ironbank id due to the mainline vs release + heimdalllite vs heimdall matrix | |||
There was a problem hiding this comment.
I'm not fully following this comment. Why is it a set number id each release workflow ironbank id is unique? If you give me some more clarity on this, we can wordsmith this comment a bit.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pr has what is necessary to skip the sophos factory step and directly push to ironbank with as close an analogue to what we were doing in there as possible. Key differences are the variables and directly hitting the api instead of using the cli tool.
I was able to develop a proof of concept using the heimdall lite 'mainline' workflow to show that we can successfully create issues, branches, and MRs with the correct type of changes on Iron Bank. You can see that from commits before 32fe35f and comparing them to the issues/branches/MRs that were created (and closed) in the ironbank repo: https://repo1.dso.mil/dsop/mitre/security-automation-framework/heimdall2.
Work to do:
user.emailwith the email of the person doing the release instead of hardcoding in my email