Merge branch 'master' into brandonemlaw-secret-scanning-backup-content-encryption-keys-simple

gamefiend · web-flow · commit f015ae37fcf6 · 2023-08-25T14:50:25.000-04:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,7 @@
+# Backup-Utils owned by lifecycle AOR
+* @github/ghes-lifecycle
+# Actions related backups and restores
+# /share/github-backup-utils/*-actions @github/ghes-lifecycle @github/<TBD>
+# Git related backups and restores
+# /share/github-backup-utils/*-repositories @github/ghes-lifecycle @github/<TBD>
+# /share/github-backup-utils/*-git-hooks @github/ghes-lifecycle @github/<TBD>
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -15,7 +15,8 @@ jobs:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
       - name: Lint Code Base
-        uses: github/super-linter@v5
+        uses: super-linter/super-linter@v5
         env:
           VALIDATE_ALL_CODEBASE: false
+          BASH_SEVERITY: error
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,6 +1,6 @@
 name: Test and build
 
-on: [pull_request]
+on: [pull_request, workflow_dispatch]
 
 jobs:
   build:
diff --git a/ownership.yaml b/ownership.yaml
@@ -0,0 +1,29 @@
+---
+version: 1
+ownership:
+- name: ghes-backup-utilities
+  long_name: GHES Backup Utilities
+  description: GitHub Enterprise Disaster Recover Solution
+  kind: logical
+  repo: https://github.com/github/backup-utils-private
+  qos: best_effort
+  team_slack: ghes-lifecycle-aor
+  team: github/ghes-lifecycle
+  maintainer: whitneyimura
+  exec_sponsor: jakuboleksy
+  tier: 3
+  product_manager: davidjarzebowski
+  sev1:
+    slack: ghes-on-call
+    alert_slack: ghes-backup-utils
+    pagerduty: https://github.pagerduty.com/escalation_policies#PBQWK20
+    tta: 30 minutes
+  sev2:
+    issue: https://github.com/github/ghes/issues/new
+    tta: 1 business day
+  sev3:
+    issue: https://github.com/github/ghes/issues
+    tta: 1 week
+  support_squad:
+    slack: support-squad-infrastructure
+    issue: https://github.com/github/support-squad-infrastructure/issues
diff --git a/share/github-backup-utils/ghe-backup-mssql b/share/github-backup-utils/ghe-backup-mssql
@@ -62,7 +62,7 @@ fi
 
 if ! export_tool_available ; then
   log_error "ghe-export-mssql is not available" 1>&2
-  exit
+  exit 1
 fi
 
 add_minute() {
diff --git a/share/github-backup-utils/ghe-backup-settings b/share/github-backup-utils/ghe-backup-settings
@@ -86,10 +86,13 @@ if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
   cat "$GHE_SNAPSHOT_DIR/encrypted-column-encryption-keying-material" | sed 's:.*;::' > "$GHE_SNAPSHOT_DIR/encrypted-column-current-encryption-key"
 fi
 
-backup-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
-backup-secret "secret scanning encrypted secrets delimited storage keys" "secret-scanning-encrypted-secrets-delimited-storage-keys" "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
-backup-secret "secret scanning encrypted secrets current shared transit key" "secret-scanning-encrypted-secrets-current-shared-transit-key" "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
-backup-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+# secret scanning encrypted secrets keys were added in GHES 3.8.0
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
+    backup-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+    backup-secret "secret scanning encrypted secrets delimited storage keys" "secret-scanning-encrypted-secrets-delimited-storage-keys" "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+    backup-secret "secret scanning encrypted secrets current shared transit key" "secret-scanning-encrypted-secrets-current-shared-transit-key" "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+    backup-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+fi
 
 if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.11.0)" ]; then
   backup-secret "secret scanning encrypted content keys" "secret-scanning-user-content-delimited-encryption-root-keys" "secrets.secret-scanning.secret-scanning-user-content-delimited-encryption-root-keys"
diff --git a/share/github-backup-utils/ghe-restore-mssql b/share/github-backup-utils/ghe-restore-mssql
@@ -57,7 +57,7 @@ fi
 
 if ! import_tool_available; then
   ghe_verbose "ghe-import-mssql is not available"
-  exit
+  exit 1
 fi
 
 # Perform a host-check and establish the remote version in GHE_REMOTE_VERSION.
diff --git a/test/test-ghe-backup.sh b/test/test-ghe-backup.sh
@@ -772,7 +772,7 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 )
 end_test
 
-begin_test "ghe-backup takes backup of secret scanning encrypted secrets encryption keys"
+begin_test "ghe-backup does not take backups of secret scanning encrypted secrets encryption keys on versions below 3.8.0"
 (
   set -e
 
@@ -787,7 +787,37 @@ begin_test "ghe-backup takes backup of secret scanning encrypted secrets encrypt
     ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
   done
 
-  ghe-backup
+  GHE_REMOTE_VERSION=3.7.0 ghe-backup -v | grep -q "secret scanning encrypted secrets" && exit 1
+
+  required_files=(
+    "secret-scanning-encrypted-secrets-current-storage-key"
+    "secret-scanning-encrypted-secrets-delimited-storage-keys"
+    "secret-scanning-encrypted-secrets-current-shared-transit-key"
+    "secret-scanning-encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "" ]
+  done
+)
+end_test
+
+begin_test "ghe-backup takes backup of secret scanning encrypted secrets encryption keys on versions 3.8.0+"
+(
+  set -e
+
+  required_secrets=(
+    "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+    "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+  done
+
+  GHE_REMOTE_VERSION=3.8.0 ghe-backup
 
   required_files=(
     "secret-scanning-encrypted-secrets-current-storage-key"
