feat: INFRA-162 asbench add rpm deb packages #114
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| strategy: | ||
| matrix: | ||
| os: [macos-13, macos-14, macos-15] | ||
| # ev-lib: ["", libev, libuv, libevent] | ||
| ev-lib: [libuv] | ||
| include: | ||
| - os: macos-13 | ||
| openssl-path: /usr/local/opt/openssl | ||
| ev-path: /usr/local | ||
| - os: macos-14 | ||
| openssl-path: /opt/homebrew/opt/openssl | ||
| ev-path: /opt/homebrew | ||
| - os: macos-15 | ||
| openssl-path: /opt/homebrew/opt/openssl | ||
| ev-path: /opt/homebrew | ||
| runs-on: ${{ matrix.os }} | ||
| env: | ||
| LIBYAML_VERSION: 0.2.5 | ||
| steps: | ||
| - name: Get checkout directory | ||
| uses: haya14busa/action-cond@v1 | ||
| id: checkout-dir | ||
| with: | ||
| cond: ${{ inputs.submodule != '' }} | ||
| if_true: aerospike-tools # In this case we are expecting to checkout the tools package. | ||
| if_false: asbench | ||
| - name: Get asbench working directory | ||
| uses: haya14busa/action-cond@v1 | ||
| id: working-dir | ||
| with: | ||
| cond: ${{ inputs.submodule != '' }} | ||
| if_true: aerospike-tools/${{ inputs.submodule }} # In this case we are expecting to checkout the tools package. | ||
| if_false: asbench | ||
| - uses: kenchan0130/[email protected] | ||
| id: system-info | ||
| - name: Install dependencies from brew | ||
| run: | | ||
| brew install libev openssl@3 automake # libuv and libevent already installed | ||
| # this will checkout the whole tools repo when run from aerospike-tools, but we will | ||
| # just cd into the correct directory calculated from working-dir | ||
| - uses: actions/checkout@v3 | ||
| with: | ||
| path: ${{ steps.checkout-dir.outputs.value }} | ||
| fetch-depth: 0 | ||
| - name: Checkout ${{ steps.working-dir.outputs.value }} | ||
| working-directory: ${{ steps.checkout-dir.outputs.value }} | ||
| run: | | ||
| git config --global url."https://github.com/".insteadOf "[email protected]:" | ||
| git submodule update --init --recursive -- ${{ inputs.submodule || '.' }} | ||
| - name: Print version | ||
| working-directory: ${{ steps.working-dir.outputs.value }} | ||
| run: | | ||
| git describe --tags --always | ||
| - name: Build asbench | ||
| run: | | ||
| make EVENT_LIB=${{ matrix.ev-lib }} LIBUV_STATIC_PATH=${{ matrix.ev-path }}/lib LIBEVENT_STATIC_PATH=${{ matrix.ev-path }}/lib LIBEV_STATIC_PATH=${{ matrix.ev-path }}/lib OPENSSL_STATIC_PATH=${{ matrix.openssl-path }}/lib | ||
| working-directory: ${{ steps.working-dir.outputs.value }} | ||
| - name: Sanity test asbench artifact | ||
| run: | | ||
| ./asbench | grep "ERROR Failed to connect" | ||
| working-directory: ${{ steps.working-dir.outputs.value }}/target | ||
| - name: Get artifact name | ||
| uses: haya14busa/action-cond@v1 | ||
| id: artifact-name | ||
| with: | ||
| cond: ${{ matrix.ev-lib == '' }} | ||
| if_true: asbench | ||
| if_false: asbench-${{ matrix.ev-lib }} | ||
| - name: Upload artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: ${{ steps.system-info.outputs.platform }}-${{ runner.arch }}-${{ matrix.os }}-${{ steps.system-info.outputs.release }}-${{ steps.artifact-name.outputs.value }} | ||
| path: ${{ steps.working-dir.outputs.value }}/target/asbench | ||
| if-no-files-found: error | ||
| bundle-binaries: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 12 days ago
To resolve the issue, add an explicit permissions: block to the workflow, ideally at the root level so it applies to all jobs unless overridden, as suggested by the CodeQL output and GitHub best practices. The minimal recommendation is contents: read, since the jobs are only checking out code, downloading information, and uploading artifacts; no steps require write access to repository contents or other privileged operations.
Edit .github/workflows/mac-artifact-jfrog.yml by inserting the following block near the top (after the name: and before or after on:):
permissions:
contents: readIf, in the future, a job or action requires greater permission (such as writing releases or pushing code), update or override the permissions at job level. For now, set the minimum required permissions for all jobs for best security.
| @@ -1,4 +1,6 @@ | ||
| name: Mac Artifact | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| push: | ||
| branches: [ main, actionsHub, "bugfix-*" ] |
| needs: build | ||
| runs-on: macos-14 | ||
| if: "${{ inputs.submodule == '' }}" | ||
|
|
||
| steps: | ||
| - uses: kenchan0130/[email protected] | ||
| id: system-info | ||
| - name: Get artifacts | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| path: target | ||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: binaries | ||
| path: target | ||
| if-no-files-found: error | ||
| upload-artifacts: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 12 days ago
To resolve the issue, add a permissions block at the root of the workflow file (.github/workflows/mac-artifact-jfrog.yml) that grants only the minimum necessary permissions for all jobs unless overridden. For workflows focused on artifact upload/download and building, ordinarily contents: read suffices for most build scenarios, unless a job or step genuinely requires write access to repository contents, issues, or pull requests.
- Insert the following block before the
jobs:line (afteron:or right after workflow inputs). - The recommended starting block is:
permissions: contents: read
- If another minimal permission is identified as required for e.g., uploading artifacts to releases, expand accordingly. For now, based on the provided jobs,
contents: readshould suffice. - No new methods or imports are required, only YAML edit.
| @@ -10,6 +10,9 @@ | ||
| description: The directory of the submodule, if this workflow is being called on a submodule | ||
| required: false | ||
| type: string | ||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build: | ||
| strategy: |
| strategy: | ||
| matrix: | ||
| os: [macos-13, macos-14, macos-15] | ||
| needs: build | ||
| uses: aerospike/shared-workflows/.github/workflows/reusable_deploy-artifacts.yaml@8b68c4e071050d18ecccc5f3e6911a4127b455ae # vn.n.n | ||
| with: | ||
| project: database | ||
| build-name: asbench | ||
| version: ${{ github.ref_name }} | ||
| artifactory-url: https://aerospike.jfrog.io | ||
| artifactory-oidc-provider-name: database-gh-aerospike | ||
| artifactory-oidc-audience: database-gh-aerospike | ||
| artifact-name: binaries | ||
| retention-days: 1 | ||
| dry-run: false No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 12 days ago
To fix the issue, add a permissions block to the workflow file, at the root level. This will ensure that all jobs default to the least privilege required. Typically, uploading and downloading artifacts requires only contents: read. Since there are no jobs in the workflow that require write access to repository contents, issues, or pull requests (according to the provided steps), contents: read should be sufficient. If future jobs require other permissions, these can be added at the job level. The change is made by inserting the following block directly after the workflow name: line and before on::
permissions:
contents: readNo imports or extra definitions are needed. This addresses the required principle of least privilege for GITHUB_TOKEN.
| @@ -1,4 +1,6 @@ | ||
| name: Mac Artifact | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| push: | ||
| branches: [ main, actionsHub, "bugfix-*" ] |
…d add source output
…st tagged some time ago
…189 for build info integration
- Added VERSION environment variable handling in build_package.sh to ensure version is set before building packages. - Updated entrypoint.sh to accept VERSION as a command-line argument, allowing for more flexible builds. - Modified Makefile to allow VERSION to be set externally, accommodating containerized environments where tag history may not be available.
- Updated entrypoint.sh to export VERSION from command-line arguments, improving flexibility in build processes. - Modified build-artifacts.yml to pass the VERSION variable during Docker container execution, ensuring consistent versioning across builds.
1 participant
No description provided.