Merge pull request CactuseSecurity#3610 from CactuseSecurity/develop

merge develop --> main - 3 fixes

Author: tpurschke

.github/workflows/auto-sync-develop-to-importer-rework.yml.yml

@@ -2,66 +2,74 @@ name: Sync develop to importer-rework
 
 on:
   push:
-    branches:
-      - develop
+    branches: [develop]
+
+permissions:
+  contents: write
+  pull-requests: write
 
 jobs:
   sync-branches:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Set up Git
         run: |
           git config --global user.name "github-actions[bot]"
           git config --global user.email "github-actions[bot]@users.noreply.github.com"
 
-      - name: Ensure "automation" label exists (create or update)
+      - name: Ensure "automation" label exists
         run: |
-            gh label create automation \
+          gh label create automation \
             --color "0e8a16" \
             --description "Automatically created for syncing branches" \
             --force
         env:
-            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Fetch all branches
-        run: git fetch origin importer-rework
+      - name: Compute ahead/behind
+        id: ab
+        run: |
+          git fetch origin develop importer-rework
+          read behind ahead < <(git rev-list --left-right --count origin/importer-rework...origin/develop)
+          echo "ahead=$ahead"  >> $GITHUB_OUTPUT
+          echo "behind=$behind" >> $GITHUB_OUTPUT
+        # rev-list separates counts with a TAB. :contentReference[oaicite:2]{index=2}
 
-      - name: Check if develop is ahead of importer-rework
-        id: ahead_check
+      - name: Push sync branch (mirror develop)
+        if: steps.ab.outputs.ahead != '0'
         run: |
-          git fetch origin
-          git rev-list --left-right --count origin/importer-rework...origin/develop > counts.txt
-          ahead=$(cut -f2 counts.txt)
-          echo "ahead_count=$ahead" >> $GITHUB_OUTPUT
+          BR=bot/sync-develop-into-importer-rework
+          git checkout -B "$BR" origin/develop
+          git push -f origin "HEAD:$BR"
 
-      - name: Check for existing PR
+      - name: Check for existing PR (sync branch → importer-rework)
         id: pr_check
+        if: steps.ab.outputs.ahead != '0'
         run: |
           existing_pr=$(gh pr list \
             --base importer-rework \
-            --head develop \
+            --head bot/sync-develop-into-importer-rework \
             --state open \
             --json number \
-            --jq '.[0].number')
-
+            --jq '.[0].number // empty')
           echo "existing_pr=$existing_pr" >> $GITHUB_OUTPUT
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Create PR from develop to importer-rework
-        if: steps.ahead_check.outputs.ahead_count != '0' && steps.pr_check.outputs.existing_pr == ''
+      - name: Create PR from sync branch to importer-rework
+        if: steps.ab.outputs.ahead != '0' && steps.pr_check.outputs.existing_pr == ''
         run: |
           gh pr create \
             --base importer-rework \
-            --head develop \
+            --head bot/sync-develop-into-importer-rework \
             --title "Sync develop → importer-rework" \
-            --body "This PR was auto-created to sync changes from \`develop\` into \`importer-rework\`." \
-            --label automation \
-            --repo ${{ github.repository }}
+            --body "Auto-sync from \`develop\` via sync branch." \
+            --label automation
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

inventory/group_vars/all.yml

@@ -68,7 +68,6 @@ fworch_db_port: 5432
 fworch_db_name: fworchdb
 fworch_dbadmin_name: dbadmin
 dbadmin_password_file: "{{ fworch_secrets_dir }}/dbadmin_pwd"
-fwo_db_ro_user_password_file: "{{ fworch_secrets_dir }}/fwo_db_ro_pwd"
 fworch_db_password_file: "{{ fworch_secrets_dir }}/fworch_db_pwd"
 
 ###############################################################

roles/database/files/upgrade/8.8.8.sql

@@ -1,3 +1,12 @@
+DO $$ 
+BEGIN
+    IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'fwo_ro') THEN
+        CREATE ROLE fwo_ro WITH LOGIN NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
+    END IF;
+END
+$$;
+
+
 GRANT CONNECT ON DATABASE fworchdb TO fwo_ro;
 
 GRANT USAGE ON SCHEMA compliance TO fwo_ro;

roles/database/tasks/create-ro-pwd-file.yml

@@ -1,15 +1,10 @@
 # add db ro user and assign privileges
 
-- name: create ro db user {{ fwo_db_ro_user }} pwd file
-  import_tasks: create-ro-pwd-file.yml
-  when: installation_mode == "new"
-
 - block:
 
   - name: create {{ fwo_db_ro_user }}
     postgresql_user:
       name: "{{ fwo_db_ro_user }}"
-      password: "{{ fwo_db_ro_pwd }}"
       role_attr_flags: LOGIN,NOSUPERUSER,INHERIT,NOCREATEDB,NOCREATEROLE
 
   - name: GRANT ro user

roles/database/tasks/create-ro-user.yml

@@ -34,36 +34,6 @@
         - "current_version: {{ current_version }}"
         - "all_upgrades_available: {{ all_upgrades_available }}"
 
-- block:
-    - name: create ro db user {{ fwo_db_ro_user }} pwd file
-      import_tasks: create-ro-pwd-file.yml
-
-    - name: Read fwo_db_ro user password from file
-      slurp:
-          src: "{{ fwo_db_ro_user_password_file }}"
-      register: fwo_db_ro_pwd_base64
-      become: true
-      become_user: "{{ fworch_user }}"
-
-    - name: decode fwo db ro pwd
-      set_fact:
-        fwo_db_ro_pwd: "{{ fwo_db_ro_pwd_base64['content'] | b64decode | trim }}"
-
-    - name: Create read-only role safely
-      shell: |
-        psql -d "{{ fworch_db_name }}" -c "
-        DO \$\$ 
-        BEGIN
-            IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '{{ fwo_db_ro_user }}') THEN
-                CREATE ROLE {{ fwo_db_ro_user }} WITH LOGIN NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE PASSWORD '{{ fwo_db_ro_pwd }}';
-            END IF;
-        END
-        \$\$;"
-      become: true
-      become_user: postgres
-
-  when: installed_version is version('8.8.8', '<=') and current_version is version ('8.8.8', '>=')
-
 - name: Copy relevant upgrade files
   copy:
     src: "upgrade/{{ item }}.sql"
@@ -79,5 +49,3 @@
   become: true
   ignore_errors: false
   become_user: postgres
-  environment:
-    fwo_db_ro_user_pwd: "{{ fwo_db_ro_pwd }}"

roles/database/tasks/upgrade-database.yml

@@ -83,18 +83,56 @@
 
   become: true
   environment: "{{ proxy_env }}"
-
+  
 # get google chrome for pdf generation
-- name: get last known good versions of chrome to download
-  uri:
-    url: https://googlechromelabs.github.io/chrome-for-testing/last-known-good-versions-with-downloads.json
-  register: chrome_versions
-  become: false
+- block:
+    - name: get last known good versions (primary)
+      uri:
+        url: https://googlechromelabs.github.io/chrome-for-testing/last-known-good-versions-with-downloads.json
+        return_content: true
+      register: chrome_versions
+      become: false
+
+  rescue:
+    - name: fallback - get last known good versions (raw.githubusercontent.com)
+      uri:
+        url: https://raw.githubusercontent.com/GoogleChromeLabs/chrome-for-testing/main/data/last-known-good-versions-with-downloads.json
+        return_content: true
+        headers:
+          Accept: application/json
+      register: chrome_versions
+      become: false
+
+# Parse once, regardless of Content-Type
+- name: normalize/parse JSON response
+  set_fact:
+    chrome_versions_parsed: >-
+      {{
+        chrome_versions.json
+        if (chrome_versions.json is defined)
+        else (chrome_versions.content | trim | from_json)
+      }}
+
+# Pick the Stable channel (some users accidentally use 'stable', so be flexible)
+- name: select Stable channel
+  set_fact:
+    cft_stable: "{{ chrome_versions_parsed.channels.Stable | default(chrome_versions_parsed.channels.stable) }}"
 
+# Extract downloads + version from Stable
 - name: parse latest stable versions for chrome #and headless shell
   set_fact:
-    stable_chrome_versions: "{{ chrome_versions['json']['channels']['Stable']['downloads'] }}"
-    chrome_dest: "/usr/local/fworch/bin/Chrome/Linux-{{ chrome_versions['json']['channels']['Stable']['version'] }}"
+    stable_chrome_versions: "{{ cft_stable.downloads }}"
+    chrome_dest: "/usr/local/fworch/bin/Chrome/Linux-{{ cft_stable.version }}"
+
+# (Optional) sanity checks to fail early with a clear message
+- name: validate parsed data
+  assert:
+    that:
+      - chrome_versions_parsed is mapping
+      - cft_stable is mapping
+      - cft_stable.version is defined
+      - cft_stable.downloads is defined
+    fail_msg: "Failed to parse Chrome for Testing JSON or locate the Stable channel."
 
 - block:
   - name: install unzip