Check if mise is getting the github token

Remove version comments from steps Rename some workflows and steps to clarify what they do.
sarg3nt · Oct 30, 2024 · 23cb77e · 23cb77e
1 parent 2dac1f4
commit 23cb77e
Show file tree

Hide file tree

Showing 6 changed files with 109 additions and 66 deletions.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -17,11 +17,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
+        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a
diff --git a/.github/workflows/periodic-release.yml → .github/workflows/release-weekly.yml b/.github/workflows/periodic-release.yml → .github/workflows/release-weekly.yml
@@ -1,4 +1,4 @@
-name: Periodic Release
+name: Weekly Release Build and Push
 
 on:
   schedule:
@@ -18,28 +18,24 @@ env:
 permissions: read-all
 
 jobs:
-  release:
+  release-build-and-push:
     runs-on: ubuntu-latest
     permissions:
       contents: write
       packages: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
+        with:
+          egress-policy: audit
+
       - name: 'Checkout Repository'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
           fetch-tags: true
 
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-
+      # Must generate the tag version manually becuase scheduled workflows do not have access to ref: refs/tags/v1.0.0
       - name: Get the latest tag version
         id: get_version
         run: |
@@ -72,38 +68,33 @@ jobs:
             new_version="v${major}.${minor}.${new_patch}"
             echo "New Version: $new_version"
             echo "VERSION=$new_version" >> $GITHUB_ENV
-            echo "tags from docker metadata: ${{ steps.meta.outputs.tags }}"
           else
             echo "Could not determine the latest tag version."
             exit 1
           fi
 
       # Docs: https://github.com/marketplace/actions/create-release
-      # - name: 'Create Release'
-      #   id: create_release
-      #   uses: ncipollo/release-action@v1
-      #   with:
-      #     body: "A Weekly release contianing upgrades to system packages in the base Rocker Linux container."
-      #     makeLatest: true
-      #     prerelease: false
-      #     tag: ${{ env.VERSION }}
-
-      # - name: Harden Runner
-      #   uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-      #   with:
-      #     egress-policy: audit
+      - name: 'Create Release'
+        id: create_release
+        uses: ncipollo/release-action@v1
+        with:
+          body: "A Weekly release contianing upgrades to system packages in the base Rocker Linux container."
+          makeLatest: true
+          prerelease: false
+          tag: ${{ env.VERSION }}
 
-      # - name: Log into registry
-      #   uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-      #   with:
-      #     registry: ${{ env.REGISTRY }}
-      #     username: ${{ github.actor }}
-      #     password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log into registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      # - name: Build and push Docker image
-      #   uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
-      #   with:
-      #     push: true
-      #     tags: ${{ env.TAG_MAJOR }},${{ env.TAG_MINOR }},${{ env.TAG_PATCH }},${{ env.TAG_LATEST }}
-      #   env: 
-      #     GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        with:
+          push: true
+          tags: ${{ env.TAG_MAJOR }},${{ env.TAG_MINOR }},${{ env.TAG_PATCH }},${{ env.TAG_LATEST }}
+        env: 
+          GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: Release
+name: Release Build and Push
 
 on:
   push:
@@ -12,34 +12,79 @@ permissions:
   contents: read
 
 jobs:
-  release-docker-image:
+  build-and-push:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            auth.docker.io:443
+            cdn.dl.k8s.io:443
+            codecs.fedoraproject.org:443
+            distro.ibiblio.org:80
+            dl.google.com:443
+            dl.k8s.io:443
+            download.docker.com:443
+            epel.mirror.shastacoe.net:443
+            ftp-nyc.osuosl.org:443
+            ftp.agdsn.de:80
+            ftp.fau.de:80
+            ftp.halifax.rwth-aachen.de:443
+            ftp.plusline.net:443
+            get.helm.sh:443
+            ghcr.io:443
+            github.com:443
+            gitlab.com:443
+            mirror.chpc.utah.edu:80
+            mirror.informatik.hs-fulda.de:443
+            mirror.rnet.missouri.edu:80
+            mirror.siena.edu:80
+            mirror1.hs-esslingen.de:443
+            mirrors.fedoraproject.org:443
+            mirrors.rit.edu:80
+            mirrors.rockylinux.org:443
+            mirrors.xtom.de:80
+            mise-versions.jdx.dev:80
+            mise.jdx.dev:80
+            objects.githubusercontent.com:443
+            ohioix.mm.fcix.net:80
+            pkg-containers.githubusercontent.com:443
+            production.cloudflare.docker.com:443
+            proxy.golang.org:443
+            raw.githubusercontent.com:443
+            registry-1.docker.io:443
+            repo.ialab.dsu.edu:80
+            rocky-linux-europe-west3.production.gcp.mirrors.ctrliq.cloud:443
+            rocky.mirror.shastacoe.net:443
+            sftp.hpc.fau.edu:443
+            sum.golang.org:443
+            us.mirrors.cicku.me:443
+            volico.mm.fcix.net:80
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
           fetch-tags: true
 
       - name: Log into registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
@@ -48,7 +93,7 @@ jobs:
             type=semver,pattern={{major}}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         with:
           context: .
           push: true

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -32,17 +32,17 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46
         with:
           results_file: results.sarif
           results_format: sarif
@@ -64,7 +64,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v3.pre.node20
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
         with:
           name: SARIF file
           path: results.sarif
@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -30,23 +30,23 @@ jobs:
     name: Build
     runs-on: "ubuntu-20.04"
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
+        with:
+          egress-policy: audit
+
       - name: Log into registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
 
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Build Docker image
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         with:
           push: false
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
@@ -66,7 +66,7 @@ jobs:
           ENV TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd
         with:
           sarif_file: 'trivy-results.sarif'
 
@@ -89,4 +89,4 @@ jobs:
         with:
           name: trivy-sbom-report
           path: '${{ github.workspace }}/dependency-results.sbom.json'
-          retention-days: 20 # 90 is the default
+          retention-days: 30 # 90 is the default
diff --git a/scripts/30_install_mise_packages.sh b/scripts/30_install_mise_packages.sh
@@ -13,6 +13,12 @@ main() {
   log "Configuring mise" "green"
   export PATH="$HOME/.local/share/mise/shims:$HOME/.local/bin/:$PATH"
 
+  if [[ -n "${GITHUB_API_TOKEN:-}" ]]; then
+    log "GITHUB_API_TOKEN found" "green"
+  else
+    log "GITHUB_API_TOKEN not found" "yellow"
+  fi
+
   log "Mise version" "green"
   mise version