Unstable alignment #495
base: unstable
Conversation
- Update REDIS_DOWNLOAD_URL to use official Redis 8.2.1 release - Update REDIS_DOWNLOAD_SHA to e2c1cb9dd4180a35b943b85dfc7dcdd42566cdbceca37d0d0b14c21731582d3e
Update to recent RedisVersion with fixes in sorting and comparison. Add mixed format tests for mixed use-case, e.g. when 8.4.0 is ga and 8.4-rc1 is rc.
Fix stackbrew generation when 8.X and 8.X.Y formats are mixed together
…ment Add release automation to unstable branch
- Added build args in dockerfile for modules and redis version - Added custom_build input to use in dockerfile and build-and-tag-locally - Created test workflow to run unstable build
- Support custom, unstable, nightly and release - Added changes to release_build_and_test
- pull-request.yml workflow for PR for unstable and release branches - renamed custom_build to custom_ref_type - renamed pre-merge to build-n-test - removed nightly test workflow
❌ Jit has detected 15 important findings in this PR that you should review.
The first 10 findings are detailed below as separate comments.
Click here to view all the findings on Jit.
It’s highly recommended that you fix these security issues before merging.
Alternatively, comment #jit_ignore_all in this PR to ignore all findings. Admin privileges required.
Repository Risks:
- Database Integration: Connects to a database, often involving sensitive data that must be securely managed.
- Internally Accessible: Accessible only within the internal network, reducing exposure to external threats but still requiring proper controls.
- High Severity Findings: Indicates that the resource has high severity security findings that need attention.
Repository Context:
```mermaid
graph LR
GitHub$Repository_U23_redis/docker_U2D_library_U2D_redis["GitHub Repository<br/>redis/docker-library-redis"]:::GitHub$Repository
Team_U23_client_U2D_developers["Team<br/>client-developers"]:::Team
Team_U23_core_U2D_team["Team<br/>core-team"]:::Team
Team_U23_redis_U2D_packaging_U2D_admins["Team<br/>redis-packaging-admins"]:::Team
DBIntegration_U23_redis["DBIntegration<br/>redis"]:::DBIntegration
Docker$Image_U23_redis["Docker Image<br/>redis"]:::Docker$Image
Team_U23_client_U2D_developers -- "Owns" --> GitHub$Repository_U23_redis/docker_U2D_library_U2D_redis
Team_U23_core_U2D_team -- "Owns" --> GitHub$Repository_U23_redis/docker_U2D_library_U2D_redis
Team_U23_redis_U2D_packaging_U2D_admins -- "Owns" --> GitHub$Repository_U23_redis/docker_U2D_library_U2D_redis
GitHub$Repository_U23_redis/docker_U2D_library_U2D_redis -- "Is accessible to" --> DBIntegration_U23_redis
GitHub$Repository_U23_redis/docker_U2D_library_U2D_redis -- "Builds" --> Docker$Image_U23_redis
```
Snippet from .github/workflows/release_publish.yml:

```bash
# Set outputs for next steps
echo "release_commit_sha=$RELEASE_COMMIT_SHA" >> $GITHUB_OUTPUT
echo "release_version=$RELEASE_VERSION" >> $GITHUB_OUTPUT
```
Security control: Static Code Analysis Semgrep Pro
Yaml.Github-Actions.Security.Run-Shell-Injection.Run-Shell-Injection
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as "False Positive"
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as "Accept Risk"
- #jit_ignore_type_in_file: Ignore any finding of type "yaml.github-actions.security.run-shell-injection.run-shell-injection" in .github/workflows/release_publish.yml; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
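The run-shell-injection findings in this PR all come down to one mechanism, so here is an added example (not code from redis/docker-library-redis or from Jit) that makes it observable without a runner. The Actions runner substitutes `${{ ... }}` into the script text before bash parses it; `run_interpolated` emulates that with a plain string replacement, and `run_via_env` shows the `env:` indirection the finding recommends. `find_run_interpolations` is an indentation-based scan for `${{` inside `run:` blocks, an approximation rather than a YAML parser. The payload and the composite-action YAML are constructed for the example; `GITHUB_ACTION_PATH` is the runner-provided environment variable for composite actions and is the quoted substitute for `${{ github.action_path }}`.

```bash
#!/usr/bin/env bash
# Added example, not code from this repository. Emulates how the Actions runner
# handles `${{ ... }}` inside `run:` and why the env: indirection removes the
# injection, then scans YAML text for the pattern Semgrep flags.

# Constructed attacker-controlled value (think: a dispatch input or PR title).
# The embedded quote closes the string; what follows is parsed as a new command.
PAYLOAD='8.2.1"; echo INJECTED; echo "'

# Shape of a flagged step:
#   run: echo "release_version=${{ inputs.release_tag }}"
# The runner substitutes the expression into the script TEXT before bash parses
# it. We emulate that with a plain string replacement.
run_interpolated() {
  local template='echo "release_version=__INPUT__"'
  local script="${template//__INPUT__/$1}"
  bash -c "$script"
}

# Recommended shape:
#   env:
#     RELEASE_TAG: ${{ inputs.release_tag }}
#   run: echo "release_version=$RELEASE_TAG"
# The value enters the shell as an environment variable (data), and the quotes
# keep it one word, so no part of it is ever parsed as code.
run_via_env() {
  RELEASE_TAG="$1" bash -c 'echo "release_version=$RELEASE_TAG"'
}

# Indentation-based scan (an approximation, not a YAML parser): prints
# "lineno: text" for each line of a run: script that contains a ${{ }} expression.
find_run_interpolations() {
  printf '%s\n' "$1" | awk '
    { ind = match($0, /[^ ]/) - 1 }
    /^[ \t]*(-[ \t]*)?run:/ {
      inrun = 1; base = ind
      if (index($0, "${{") > 0) print NR ": " $0
      next
    }
    inrun && ind <= base && $0 !~ /^[ \t]*$/ { inrun = 0 }
    inrun && index($0, "${{") > 0 { print NR ": " $0 }
  '
}

# Constructed composite action: step 1 has the flagged shape, step 2 the fix.
# GITHUB_ACTION_PATH is the runner-provided variable for composite actions.
SAMPLE_ACTION='runs:
  using: composite
  steps:
    - name: Apply version (flagged shape)
      shell: bash
      run: |
        ${{ github.action_path }}/apply-docker-version.sh ${{ inputs.release_tag }}
    - name: Apply version (hardened)
      shell: bash
      env:
        RELEASE_TAG: ${{ inputs.release_tag }}
      run: |
        "$GITHUB_ACTION_PATH/apply-docker-version.sh" "$RELEASE_TAG"'

main() {
  echo "--- interpolated (injected command runs):"
  run_interpolated "$PAYLOAD"
  echo "--- via env (payload stays inert data):"
  run_via_env "$PAYLOAD"
  echo "--- run: lines containing \${{ }}:"
  find_run_interpolations "$SAMPLE_ACTION"
}

main "$@"
```

Run it and the interpolated variant prints `INJECTED` on its own line, while the env variant prints the whole payload as a single literal value. Note that not every expression is equally dangerous: `github.action_path` and `secrets.*` are not attacker-chosen, whereas `inputs.*`, branch names, PR titles and similar `github.event` fields are, and the Semgrep rule flags the pattern rather than ranking the sources, so each finding still needs a look at where the value comes from.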
Snippet from .github/actions/build-and-tag-locally/action.yml:

```bash
"${{ inputs.distribution }}" \
"${{ steps.platform.outputs.display_name }}" \
| tr '[:upper:]' '[:lower:]' >> "$GITHUB_OUTPUT"
```
Security control: Static Code Analysis Semgrep Pro
Yaml.Github-Actions.Security.Run-Shell-Injection.Run-Shell-Injection
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as "False Positive"
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as "Accept Risk"
- #jit_ignore_type_in_file: Ignore any finding of type "yaml.github-actions.security.run-shell-injection.run-shell-injection" in .github/actions/build-and-tag-locally/action.yml; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
Snippet from .github/workflows/build_release_automation.yml:

```bash
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
else
echo "ℹ️ **Image built locally only (not pushed)**" >> $GITHUB_STEP_SUMMARY
fi
```
Security control: Static Code Analysis Semgrep Pro
Yaml.Github-Actions.Security.Run-Shell-Injection.Run-Shell-Injection
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as "False Positive"
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as "Accept Risk"
- #jit_ignore_type_in_file: Ignore any finding of type "yaml.github-actions.security.run-shell-injection.run-shell-injection" in .github/workflows/build_release_automation.yml; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
Snippet from .github/actions/create-image-labels/action.yml:

```bash
if [ -z "${{ inputs.redistimeseries_version }}" ]; then
echo redistimeseries_version=$(get_module_version redistimeseries) >> $GITHUB_ENV
fi
```
Security control: Static Code Analysis Semgrep Pro
Yaml.Github-Actions.Security.Run-Shell-Injection.Run-Shell-Injection
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as "False Positive"
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as "Accept Risk"
- #jit_ignore_type_in_file: Ignore any finding of type "yaml.github-actions.security.run-shell-injection.run-shell-injection" in .github/actions/create-image-labels/action.yml; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
Snippet from .github/workflows/build-n-test.yml:

```bash
. ${GITHUB_WORKSPACE}/.github/actions/common/func.sh
slack_format_failure_message "Docker Build failed for Redis: ${{ inputs.release_tag || 'unknown'}}" "$workflow_url" "$footer" \
| curl -s --fail-with-body -d@- "${{ secrets.SLACK_WEB_HOOK_URL }}"
```
Security control: Static Code Analysis Semgrep Pro
Yaml.Github-Actions.Security.Run-Shell-Injection.Run-Shell-Injection
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as "False Positive"
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as "Accept Risk"
- #jit_ignore_type_in_file: Ignore any finding of type "yaml.github-actions.security.run-shell-injection.run-shell-injection" in .github/workflows/build-n-test.yml; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
Snippet from .github/actions/build-and-tag-locally/action.yml:

```bash
echo "Wrong custom_build type, available options are tag, branch and commit"
exit 1
fi
```
Security control: Static Code Analysis Semgrep Pro
Yaml.Github-Actions.Security.Run-Shell-Injection.Run-Shell-Injection
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as "False Positive"
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as "Accept Risk"
- #jit_ignore_type_in_file: Ignore any finding of type "yaml.github-actions.security.run-shell-injection.run-shell-injection" in .github/actions/build-and-tag-locally/action.yml; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
Snippet from release-automation/docker/Dockerfile:

```dockerfile
ENV PATH="/release-automation/.venv/bin:${PATH}"

ENTRYPOINT ["release-automation"]
CMD ["--help"]
```
Security control: Static Code Analysis Semgrep Pro
Dockerfile.Security.Missing-User.Missing-User
By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as "False Positive"
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as "Accept Risk"
- #jit_ignore_type_in_file: Ignore any finding of type "dockerfile.security.missing-user.missing-user" in release-automation/docker/Dockerfile; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
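As an added example (not the project's Dockerfile or tooling, and not Jit's rule), the check below does what the missing-user finding describes at text level: it takes the last `USER` of the final build stage and reports root when there is none or when it is `root`/`0`. The three Dockerfiles are constructed; the base images and the `useradd` line are assumptions, and only the `ENV`/`ENTRYPOINT`/`CMD` lines mirror the flagged snippet. One limitation is called out in the code: a final stage that starts `FROM <earlier-stage>` inherits that stage's `USER`, which a per-stage text scan does not follow.

```bash
#!/usr/bin/env bash
# Added example, not the project's Dockerfile or tooling. A text-level check in
# the spirit of the Semgrep missing-user rule: the LAST USER instruction of the
# final build stage decides who ENTRYPOINT/CMD run as; no USER, or USER root/0,
# means root inside the container.

# $1: Dockerfile contents. Prints the effective runtime user name or uid.
# Limitation: a final stage that starts `FROM <earlier-stage>` inherits that
# stage's USER, which this text scan does not follow.
dockerfile_effective_user() {
  local user
  user="$(printf '%s\n' "$1" | awk '
    toupper($1) == "FROM" { u = "" }   # each stage resets the user
    toupper($1) == "USER" { u = $2 }   # last one in the stage wins
    END { print u }
  ')"
  user="${user%%:*}"                   # drop a ":group" / ":gid" suffix
  printf '%s\n' "${user:-root}"
}

# Exit status 0 when the image will not run as root.
dockerfile_runs_as_nonroot() {
  local u
  u="$(dockerfile_effective_user "$1")"
  [ "$u" != "root" ] && [ "$u" != "0" ]
}

# Constructed Dockerfiles. Base images and the useradd line are assumed; the
# ENV/ENTRYPOINT/CMD lines mirror the flagged snippet.
FLAGGED_DOCKERFILE='FROM python:3.12-slim
WORKDIR /release-automation
COPY . .
ENV PATH="/release-automation/.venv/bin:${PATH}"
ENTRYPOINT ["release-automation"]
CMD ["--help"]'

# Same image with a dedicated unprivileged user set before ENTRYPOINT.
FIXED_DOCKERFILE='FROM python:3.12-slim
WORKDIR /release-automation
COPY . .
ENV PATH="/release-automation/.venv/bin:${PATH}"
RUN useradd --system --uid 10001 --user-group --no-create-home app
USER app:app
ENTRYPOINT ["release-automation"]
CMD ["--help"]'

# An explicit USER root (or 0) as the last USER is just as bad as none.
ROOT_DOCKERFILE='FROM debian:bookworm-slim
USER app
USER 0
CMD ["sh"]'

for f in FLAGGED_DOCKERFILE FIXED_DOCKERFILE ROOT_DOCKERFILE; do
  if dockerfile_runs_as_nonroot "${!f}"; then verdict=ok; else verdict="RUNS AS ROOT"; fi
  printf '%-18s user=%-5s %s\n' "$f" "$(dockerfile_effective_user "${!f}")" "$verdict"
done
```

The loop reports root for the flagged and explicit-root cases and `app` for the fixed one. In a CI gate the function would be fed the Dockerfile path's contents and the non-zero status used to fail the job; a runtime counterpart is `docker inspect --format '{{.Config.User}}'` on the built image, which also covers the inherited-stage case the text scan misses.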
Snippet from .github/actions/build-and-tag-locally/action.yml:

```bash
else
echo "Image not published for this platform/distribution combination"
fi
```
Security control: Static Code Analysis Semgrep Pro
Yaml.Github-Actions.Security.Run-Shell-Injection.Run-Shell-Injection
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as "False Positive"
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as "Accept Risk"
- #jit_ignore_type_in_file: Ignore any finding of type "yaml.github-actions.security.run-shell-injection.run-shell-injection" in .github/actions/build-and-tag-locally/action.yml; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
Snippet from .github/actions/apply-docker-version/action.yml:

```yaml
shell: bash
run: |
  ${{ github.action_path }}/apply-docker-version.sh ${{ inputs.release_tag }}
```
Security control: Static Code Analysis Semgrep Pro
Yaml.Github-Actions.Security.Run-Shell-Injection.Run-Shell-Injection
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as "False Positive"
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as "Accept Risk"
- #jit_ignore_type_in_file: Ignore any finding of type "yaml.github-actions.security.run-shell-injection.run-shell-injection" in .github/actions/apply-docker-version/action.yml; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
Snippet from .github/workflows/release_build_and_test.yml:

```bash
echo "Created result.json for release_handle:"
cat result.json
```
Security control: Static Code Analysis Semgrep Pro
Yaml.Github-Actions.Security.Run-Shell-Injection.Run-Shell-Injection
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as "False Positive"
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as "Accept Risk"
- #jit_ignore_type_in_file: Ignore any finding of type "yaml.github-actions.security.run-shell-injection.run-shell-injection" in .github/workflows/release_build_and_test.yml; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
Aligning unstable with release automation