Skip to content

**FINAL REMINDER****IMPORTANT** **ACTION REQUIRED** Migration of ubuntu-latest label to platform-eng-ent-v2-dual #110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 83 commits into
base: main
Choose a base branch
from
Open

**FINAL REMINDER****IMPORTANT** **ACTION REQUIRED** Migration of ubuntu-latest label to platform-eng-ent-v2-dual #110

wants to merge 83 commits into from

Conversation

zodilib
Copy link
Contributor

@zodilib zodilib commented Apr 3, 2025

Automated PR: This PR updates ubuntu-latest runner labels to platform-eng-ent-v2-dual. Migration Deadline is 3rd April 2025

thepoppingone and others added 30 commits February 9, 2023 14:16
@thepoppingone
use self hosted runner on platform for testing (#33)
b30f5f7 
* use self hosted runner on platform for testing

* add nodejs setup

* set all 3 stages to self hosted agent

* add to github runner setup

* Update terraform.yaml

* set precommit cache

* add name to precommit cache

* remove terraform locking

* skip more hooks

* remove validate skip

* protect label name and enable self hosted runner by default

* remove setup correct runner flag

* test literal

* try double quotes

* test setup runner

* test

* set runner label via secrets

* set to env var

* harcode test

* remove secrets add inputs

* fix actionlint

---------

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
Update README.md
f32fed8
@thepoppingone
Upgrade tfsec sarif action to silence warning set outputs (#34)
0ae6396 
Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
remove token input (#35)
871f0d8 
Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
Update README.md
84c3e02
@thepoppingone
Allow usage of both self-hosted and cloud runners on v2 (#38)
5bc9925 
* test public

* test default label

* test self hosted

* test without runner label

* default is ubuntu

* test labels

* add examples

---------

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
Make main branch the main branch again and do proper tagging from here (
5c9d5f7 
#39)

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
add dockerhub token (#41)
34412a4 
Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
Only run docker login if credentials are provided via secrets (#42)
3ec6b4b 
* Allow docker login to fail as not all have credentials

* only user dockerhub login if its not null creds

* check both creds

* set correct token

* update README

---------

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@lawliet89 @thepoppingone
Cache TFLint plugins and use authenticated API calls (#43)
741596b 
* fix warnings (#36)

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>

* update python action (#37)

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>

* Cache TFLint plugins and use authenticated API calls

- https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
- Caching example: https://github.com/terraform-linters/setup-tflint#usage

* Use target

* Runner OS

---------

Co-authored-by: Poh Peng Ric Wang <7760361+thepoppingone@users.noreply.github.com>
Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
Refactor to run only against changed files (#44)
ad13f46 
* refactor to run only against changed files

* update tflint side

* add inputs

* Remove cron workflow

---------

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
Fix merge group (#45)
4471457 
Forcing in to test the merge group fix in cloud config
* test merge event

* update ref

* use base ref

* update to new keywords of Github to fix merge group checks failing

---------

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
Remove mistaken all files (#46)
52ffd70 
Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
revert to working copy (#48)
82c54b2 
Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
Allow pre-commit checks run during PRs and Merge Group event to be ju…
5bad83e 
…st diffs (#50)

Force merge to do live-testing in cloud config

* rebase

* test workflow trigger for PR, MG and main

* fix missing condition

* add condition for checking event

* test main github sha env var

* add in for linting

* refactor for merge queue

---------

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
Update terraform.yaml (#51)
a14460c 
urgent fix
@thepoppingone
Fix fork PR errors (#52)
d2e00db 
* test fork pr

* test expression

* add forktest

* sort out spacing

---------

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>

merging for monitoring v2 in production
@thepoppingone
Update fortify-android.yaml
3c18343
@thepoppingone
Add check for self hosted runners to install nodejs (#53)
fe249b9 
* Update terraform.yaml

* Update terraform.yaml

* Update terraform.yaml

* Update terraform.yaml
@thepoppingone
Fix TF lint need node requirement for self hosted runners
9a6ef51
@thepoppingone
Skip tflint errors by default
cc8b1c5
@thepoppingone
new flag to make sure precommit skipping for changed files are enforced
ba509bf
@thepoppingone
Update terraform.yaml
ba588bd
@lawliet89
Add pre-init hook for linting step too
98d06d3
@thepoppingone
Update terraform.yaml
9217084
@thepoppingone
Update terraform.yaml
f1043e8
@thepoppingone
use updated secrets for android repo
91b3abd
@thepoppingone
Remove actionlint yaml file
6a3537d
@thepoppingone
fix secret declaration
7831e2f
@anuborah @thepoppingone
Add trivy scan (#54)
1d9a549 
* fix warnings (#36)

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>

* update python action (#37)

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>

* Added Reusable Workflow for Trivy Scan for ECS/Docker Container

* Fix the precommit formatting

* Fixing the double quotes issue

---------

Co-authored-by: Poh Peng Ric Wang <7760361+thepoppingone@users.noreply.github.com>
Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
thepoppingone and others added 24 commits October 5, 2023 14:38
@thepoppingone
Temp force fix for terraform crash error
82b4aca
@thepoppingone
force pin TF to 1.5.7
676da8c
@github-actions @thepoppingone
chore: update pre-commit hooks (#77)
039b92e 
Co-authored-by: thepoppingone <thepoppingone@users.noreply.github.com>
@thepoppingone
Update autoupdate-pre-commit.yaml
5b37482
@thepoppingone
Add trivy scan to replace tfsec (#78)
fefbeec 
* Add trivy scan for testing

* update output format

* Use 0.13.0

* use version

* version lock trivy action

* use 0.12.0

* upload results

* Test with sed

* Update terraform.yaml

* Update terraform.yaml

---------

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>
@thepoppingone
Remove duplicate tfsec (#80)
071d6fd
@thepoppingone
use latest TF version (#81)
d943fb7
@thepoppingone
patch last tf version
2eb3035
@sphmuthuraman
Update aqua-security.yaml (#83)
10494e2
@smoneyan
PFMENG-1806 : Add option to skip framework in checkov (#84)
539dbf7 
* Add option to skip framework in checkov

* Fix space

---------

Co-authored-by: “Subramanian <“smoneyan@gmail.com”>
@smoneyan
PFMENG-1807 : Use checkov diff & Upgrade actions (#85)
ff3fcb1 
* Upload checkov SARIF

* Change trivy sarif to v3 as well

* Upgrade version

* Update helm

* disable trivy

* continue on error

* Remove condition

* Add soft fail as true

* Add files changed

* Add Trivy back

* Remove continue on error

---------

Co-authored-by: “Subramanian <“smoneyan@gmail.com”>
@zodilib @niroz89
disable trivy sarif upload (#86)
e2027d8 
* disable sarif upload

* disable sarif upload

* change exit-code

---------

Co-authored-by: niroz89 <niro@sph.com.sg>
@zodilib
Fix trivy scan and update (#88)
40f81b0 
* fix trivy scan and update

* fix trivy scan and update
@zodilib
revert fs to config and remove exit-code (#93)
17f7082
@smoneyan
Add CKV_TF_2 to the default ignored list in checkov (#94)
94d66a1 
Co-authored-by: “Subramanian <“smoneyan@gmail.com”>
@wayne-root
Bump tflint ver (#96)
2888843
@zodilib
update trivy (#97)
5b1c150
@paul-ylz
[CIRDEVOPS-2553] Adds parameters to debug trivy issues (#99)
71451b5 
* [CIRDEVOPS-2553] parameterize trivy output format

* [CIRDEVOPS-2553] parameterize trivy output filename

* [CIRDEVOPS-2553] parameterize trivy output filename [1]

* [CIRDEVOPS-2553] Add parameter to inspect trivy output

* [CIRDEVOPS-2553] When trivy inspect is on, upload result as an artifact
@uchinda-sph
update GitHub Security Alerts for JIRA workflow (#103)
2880814 
* update GitHub Security Alerts for JIRA workflow

* Update the workflow versions
@zodilib
switch to enable only format and validate (#105)
1eb4e7e 
* switch to enable only format and validate

* add switch to select format, lint or security

* add switch to select format, lint or security

* add switch to select format, lint or security
@zodilib
[PFMENG-2716] fix v2 for dualstack
e096b31
@paul-ylz
[PFMENG-2854] Use enterprise runner for newrelic deployment marker job (
7f32b91 
#107)

* [PFMENG-2854] Use enterprise runner for newrelic deployment market job

* [PFMENG-2854] Configures actionlint to allow custom runner label
@smoneyan
Replace tj-actions with step-security (#109)
868107a 
Co-authored-by: “Subramanian <“smoneyan@gmail.com”>
@zodilib
[PFMENG-2831] migrate ubuntu-latest to gha dualstack runners
72a3f49
@zodilib zodilib requested a review from a team as a code owner April 3, 2025 08:00
@zodilib zodilib requested review from paul-ylz, sturdek and balajimoses and removed request for a team April 3, 2025 08:00
github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 3, 2025
View reviewed changes
.github/workflows/newrelic-deployment.yaml
with:
apiKey: ${{ secrets.NEW_RELIC_API_KEY }}
region: "US"
guid: ${{ secrets[format('NEW_RELIC_DEPLOYMENT_ENTITY_GUID_{0}', inputs.app_name )] }}

Check warning

Code scanning / CodeQL

Excessive Secrets Exposure Medium

All organization and repository secrets are passed to the workflow runner in
secrets[format('NEW_RELIC_DEPLOYMENT_ENTITY_GUID_{0}', inputs.app_name )]
Loading

Copilot Autofix

AI about 2 months ago

To fix the problem, we need to avoid using dynamic secret access patterns and instead explicitly specify the secrets required for each possible value of inputs.app_name. This can be achieved by using conditional statements to set the appropriate secret based on the value of inputs.app_name.

  • Replace the dynamic secret access pattern with explicit secret references.
  • Use conditional statements to set the correct secret based on the value of inputs.app_name.
  • Ensure that only the necessary secrets are passed to the workflow runner.
Suggested changeset 1
.github/workflows/newrelic-deployment.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/newrelic-deployment.yaml b/.github/workflows/newrelic-deployment.yaml
--- a/.github/workflows/newrelic-deployment.yaml
+++ b/.github/workflows/newrelic-deployment.yaml
@@ -58,3 +58,3 @@
             region: "US"
-            guid: ${{ secrets[format('NEW_RELIC_DEPLOYMENT_ENTITY_GUID_{0}', inputs.app_name )] }}
+            guid: ${{ inputs.app_name == 'APP1' && secrets.NEW_RELIC_DEPLOYMENT_ENTITY_GUID_APP1 || inputs.app_name == 'APP2' && secrets.NEW_RELIC_DEPLOYMENT_ENTITY_GUID_APP2 || inputs.app_name == 'APP3' && secrets.NEW_RELIC_DEPLOYMENT_ENTITY_GUID_APP3 }}
             version: "${{ inputs.version }}"
EOF
@@ -58,3 +58,3 @@
region: "US"
guid: ${{ secrets[format('NEW_RELIC_DEPLOYMENT_ENTITY_GUID_{0}', inputs.app_name )] }}
guid: ${{ inputs.app_name == 'APP1' && secrets.NEW_RELIC_DEPLOYMENT_ENTITY_GUID_APP1 || inputs.app_name == 'APP2' && secrets.NEW_RELIC_DEPLOYMENT_ENTITY_GUID_APP2 || inputs.app_name == 'APP3' && secrets.NEW_RELIC_DEPLOYMENT_ENTITY_GUID_APP3 }}
version: "${{ inputs.version }}"
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paul-ylz paul-ylz Awaiting requested review from paul-ylz paul-ylz is a code owner automatically assigned from SPHTech-Platform/platform-engineering

@sturdek sturdek Awaiting requested review from sturdek sturdek is a code owner automatically assigned from SPHTech-Platform/platform-engineering

@balajimoses balajimoses Awaiting requested review from balajimoses balajimoses is a code owner automatically assigned from SPHTech-Platform/platform-engineering

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.