Merge branch 'master' into upd-transfer-size-cluster

Author: chuckp22

.github/CODEOWNERS

@@ -0,0 +1,7 @@
+# Backup-Utils owned by lifecycle AOR
+* @github/ghes-lifecycle
+# Actions related backups and restores
+# /share/github-backup-utils/*-actions @github/ghes-lifecycle @github/<TBD>
+# Git related backups and restores
+# /share/github-backup-utils/*-repositories @github/ghes-lifecycle @github/<TBD>
+# /share/github-backup-utils/*-git-hooks @github/ghes-lifecycle @github/<TBD>

.github/workflows/lint.yml

@@ -15,7 +15,8 @@ jobs:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
       - name: Lint Code Base
-        uses: github/super-linter@v5
+        uses: super-linter/super-linter@v5
         env:
           VALIDATE_ALL_CODEBASE: false
+          BASH_SEVERITY: error
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/main.yml

@@ -1,6 +1,6 @@
 name: Test and build
 
-on: [pull_request]
+on: [pull_request, workflow_dispatch]
 
 jobs:
   build:

docs/requirements.md

@@ -5,7 +5,7 @@ storage and must have network connectivity with the GitHub Enterprise Server app
 
 ## Backup host requirements
 
-Backup host software requirements are modest: Linux or other modern Unix operating system (Ubuntu is highly recommended) with [bash][1], [git][2], [OpenSSH][3] 5.6 or newer, [rsync][4] v2.6.4 or newer* (see [below](april-2023-update-of-rsync-requirements) for exceptions), [jq][11] v1.5 or newer, and [bc][12] v1.07 or newer.
+Backup host software requirements are modest: Linux or other modern Unix operating system (Ubuntu is highly recommended) with [bash][1], [git][2], [OpenSSH][3] 5.6 or newer, [rsync][4] v2.6.4 or newer* (see [below](#april-2023-update-of-rsync-requirements) for exceptions), [jq][11] v1.5 or newer, and [bc][12] v1.07 or newer.
 
 The parallel backup and restore feature will require [GNU awk][10] and [moreutils][9] to be installed.
 

ownership.yaml

@@ -0,0 +1,29 @@
+---
+version: 1
+ownership:
+- name: ghes-backup-utilities
+  long_name: GHES Backup Utilities
+  description: GitHub Enterprise Disaster Recover Solution
+  kind: logical
+  repo: https://github.com/github/backup-utils-private
+  qos: best_effort
+  team_slack: ghes-lifecycle-aor
+  team: github/ghes-lifecycle
+  maintainer: whitneyimura
+  exec_sponsor: jakuboleksy
+  tier: 3
+  product_manager: davidjarzebowski
+  sev1:
+    slack: ghes-on-call
+    alert_slack: ghes-backup-utils
+    pagerduty: https://github.pagerduty.com/escalation_policies#PBQWK20
+    tta: 30 minutes
+  sev2:
+    issue: https://github.com/github/ghes/issues/new
+    tta: 1 business day
+  sev3:
+    issue: https://github.com/github/ghes/issues
+    tta: 1 week
+  support_squad:
+    slack: support-squad-infrastructure
+    issue: https://github.com/github/support-squad-infrastructure/issues

share/github-backup-utils/ghe-backup-mssql

@@ -62,7 +62,7 @@ fi
 
 if ! export_tool_available ; then
   log_error "ghe-export-mssql is not available" 1>&2
-  exit
+  exit 1
 fi
 
 add_minute() {

share/github-backup-utils/ghe-backup-settings

@@ -86,10 +86,13 @@ if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
   cat "$GHE_SNAPSHOT_DIR/encrypted-column-encryption-keying-material" | sed 's:.*;::' > "$GHE_SNAPSHOT_DIR/encrypted-column-current-encryption-key"
 fi
 
-backup-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
-backup-secret "secret scanning encrypted secrets delimited storage keys" "secret-scanning-encrypted-secrets-delimited-storage-keys" "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
-backup-secret "secret scanning encrypted secrets current shared transit key" "secret-scanning-encrypted-secrets-current-shared-transit-key" "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
-backup-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+# secret scanning encrypted secrets keys were added in GHES 3.8.0
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
+    backup-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+    backup-secret "secret scanning encrypted secrets delimited storage keys" "secret-scanning-encrypted-secrets-delimited-storage-keys" "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+    backup-secret "secret scanning encrypted secrets current shared transit key" "secret-scanning-encrypted-secrets-current-shared-transit-key" "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+    backup-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+fi
 
 # Backup argon secrets for multiuser from ghes version 3.8 onwards
 if [[ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" && "$(version $GHE_REMOTE_VERSION)" -lt "$(version 3.8.2)" ]]; then

share/github-backup-utils/ghe-restore-mssql

@@ -57,7 +57,7 @@ fi
 
 if ! import_tool_available; then
   ghe_verbose "ghe-import-mssql is not available"
-  exit
+  exit 1
 fi
 
 # Perform a host-check and establish the remote version in GHE_REMOTE_VERSION.

test/test-ghe-backup.sh

@@ -772,7 +772,7 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 )
 end_test
 
-begin_test "ghe-backup takes backup of secret scanning encrypted secrets encryption keys"
+begin_test "ghe-backup does not take backups of secret scanning encrypted secrets encryption keys on versions below 3.8.0"
 (
   set -e
 
@@ -787,7 +787,37 @@ begin_test "ghe-backup takes backup of secret scanning encrypted secrets encrypt
     ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
   done
 
-  ghe-backup
+  GHE_REMOTE_VERSION=3.7.0 ghe-backup -v | grep -q "secret scanning encrypted secrets" && exit 1
+
+  required_files=(
+    "secret-scanning-encrypted-secrets-current-storage-key"
+    "secret-scanning-encrypted-secrets-delimited-storage-keys"
+    "secret-scanning-encrypted-secrets-current-shared-transit-key"
+    "secret-scanning-encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "" ]
+  done
+)
+end_test
+
+begin_test "ghe-backup takes backup of secret scanning encrypted secrets encryption keys on versions 3.8.0+"
+(
+  set -e
+
+  required_secrets=(
+    "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+    "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+  done
+
+  GHE_REMOTE_VERSION=3.8.0 ghe-backup
 
   required_files=(
     "secret-scanning-encrypted-secrets-current-storage-key"