feat: INFRA-162 asbench add rpm deb packages #114
base: SERVER-216
| needs: build | ||
| runs-on: macos-14 | ||
| if: "${{ inputs.submodule == '' }}" | ||
|
|
||
| steps: | ||
| - uses: kenchan0130/[email protected] | ||
| id: system-info | ||
| - name: Get artifacts | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| path: target | ||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: binaries | ||
| path: target | ||
| if-no-files-found: error | ||
| upload-artifacts: |
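Review bot: `actions/download-artifact@v4` and `actions/upload-artifact@v4` in these steps are referenced by a movable major tag, while the reusable deploy workflow elsewhere in this PR is pinned to a full commit SHA. Pin the actions the same way, keeping the tag in a trailing comment. The download step also has no `name:`, so it pulls every artifact of the run into `target` before re-uploading it as `binaries`; say so in a comment if that is the intent.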
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
To resolve the issue, add a permissions block at the root of the workflow file (.github/workflows/mac-artifact-jfrog.yml) that grants only the minimum necessary permissions for all jobs unless overridden. For workflows focused on artifact upload/download and building, ordinarily contents: read suffices for most build scenarios, unless a job or step genuinely requires write access to repository contents, issues, or pull requests.
- Insert the following block before the `jobs:` line (after `on:` or right after workflow inputs).
- The recommended starting block is:

      permissions:
        contents: read

- If another minimal permission is identified as required for e.g., uploading artifacts to releases, expand accordingly. For now, based on the provided jobs, `contents: read` should suffice.
- No new methods or imports are required, only YAML edit.
| @@ -10,6 +10,9 @@ | ||
| description: The directory of the submodule, if this workflow is being called on a submodule | ||
| required: false | ||
| type: string | ||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build: | ||
| strategy: |
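Review bot: the added `permissions:` key follows `type: string` with no blank line in between, so it reads as one more field of the input definition; put an empty line before it. The input description in the context lines says this workflow is called by other workflows, and a called workflow can only narrow the token scopes its caller grants, so the callers need to grant at least `contents: read` as well.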
| strategy: | ||
| matrix: | ||
| os: [macos-13, macos-14, macos-15] | ||
| needs: build | ||
| uses: aerospike/shared-workflows/.github/workflows/reusable_deploy-artifacts.yaml@8b68c4e071050d18ecccc5f3e6911a4127b455ae # vn.n.n | ||
| with: | ||
| project: database | ||
| build-name: asbench | ||
| version: ${{ github.ref_name }} | ||
| artifactory-url: https://aerospike.jfrog.io | ||
| artifactory-oidc-provider-name: database-gh-aerospike | ||
| artifactory-oidc-audience: database-gh-aerospike | ||
| artifact-name: binaries | ||
| retention-days: 1 | ||
| dry-run: false No newline at end of file |
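Review bot: the trailing comment on the `uses:` line is still the template placeholder `# vn.n.n`. Replace it with the release tag that commit `8b68c4e071050d18ecccc5f3e6911a4127b455ae` corresponds to, so the pin can be audited and bumped later. The file also ends without a newline.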
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
To fix the issue, add a permissions block to the workflow file, at the root level. This will ensure that all jobs default to the least privilege required. Typically, uploading and downloading artifacts requires only contents: read. Since there are no jobs in the workflow that require write access to repository contents, issues, or pull requests (according to the provided steps), contents: read should be sufficient. If future jobs require other permissions, these can be added at the job level. The change is made by inserting the following block directly after the workflow name: line and before on::

    permissions:
      contents: read

No imports or extra definitions are needed. This addresses the required principle of least privilege for GITHUB_TOKEN.
| @@ -1,4 +1,6 @@ | ||
| name: Mac Artifact | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| push: | ||
| branches: [ main, actionsHub, "bugfix-*" ] |
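Review bot: a root block with only `contents: read` is not enough for the job in this workflow that calls `reusable_deploy-artifacts.yaml` with `artifactory-oidc-provider-name` and `artifactory-oidc-audience`. The `id-token` scope is never granted unless it is requested explicitly, so if the reusable workflow exchanges an OIDC token as those inputs suggest, that job needs its own job-level `permissions:` with `id-token: write` next to `contents: read`. Keep the root default as proposed and add the wider grant on that one job only.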
…d add source output
…st tagged some time ago
…189 for build info integration
- Added VERSION environment variable handling in build_package.sh to ensure version is set before building packages.
- Updated entrypoint.sh to accept VERSION as a command-line argument, allowing for more flexible builds.
- Modified Makefile to allow VERSION to be set externally, accommodating containerized environments where tag history may not be available.

- Updated entrypoint.sh to export VERSION from command-line arguments, improving flexibility in build processes.
- Modified build-artifacts.yml to pass the VERSION variable during Docker container execution, ensuring consistent versioning across builds.
…62-asbench-add-rpm-deb-packages
No description provided.
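
A minimal check for the condition the two CodeQL alerts above report, as an added example that is not part of this pull request or of CodeQL: it lists the jobs that have no `permissions` key of their own in a workflow that has none at the root. The sample workflow text and the `./.github/workflows/deploy.yaml` path are constructed, and the scan assumes block-style YAML indented with spaces.

```python
import re

KEY = re.compile(r"^( *)([A-Za-z0-9_-]+) *:")
# Constructed workflow text; job names follow the ones shown on this page.
SAMPLE = """\
name: Mac Artifact
on: push
jobs:
  build:
    runs-on: macos-14
    steps:
      - uses: actions/upload-artifact@v4
  upload-artifacts:
    permissions:
      contents: read
    uses: ./.github/workflows/deploy.yaml  # hypothetical local path
"""

def jobs_without_permissions(workflow_text):
    """List jobs that run with the repository-default GITHUB_TOKEN scopes:
    no `permissions` key on the job and none at the workflow root.
    Indentation scan for block-style YAML (spaces only, no flow mappings)."""
    root_perms, section = False, None   # section = current top-level key
    job_indent = key_indent = current = None
    declared = {}                       # job name -> has job-level permissions
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue                    # blank lines, comments, list items
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            section = key
            root_perms = root_perms or key == "permissions"
        elif section == "jobs":
            if job_indent is None:
                job_indent = indent     # first line under `jobs:` is a job name
            if indent == job_indent:
                current, key_indent = key, None
                declared[current] = False
            elif current is not None:
                if key_indent is None:
                    key_indent = indent # first key inside the current job
                if indent == key_indent and key == "permissions":
                    declared[current] = True
    return [] if root_perms else [j for j, ok in declared.items() if not ok]

if __name__ == "__main__":
    print(jobs_without_permissions(SAMPLE))
```

A `permissions` key nested deeper than the job's own keys, for example under `with:`, is deliberately not counted as a job-level declaration.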