From a96c607a9c1b17dd52cc062f545df9a19f8adc68 Mon Sep 17 00:00:00 2001 From: Nikola Irinchev Date: Wed, 22 Jan 2025 20:03:18 +0100 Subject: [PATCH 1/4] chore(ci): update codeql workflows --- .github/workflows/codeql.yml | 68 ++++++++++++------------------------ 1 file changed, 22 insertions(+), 46 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d5e173d9bf5..60e94926913 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,23 +1,15 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" +name: CodeQL on: push: - branches: ["main", "*-releases"] - tags: ["v*"] + branches: + - main + - "*-releases" + tags: + - v* pull_request: - # The branches below must be a subset of the branches above - branches: ["main"] + branches: + - main schedule: - cron: "30 14 * * 4" workflow_dispatch: @@ -26,8 +18,8 @@ on: jobs: analyze: name: Analyze - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + runs-on: ubuntu-latest + timeout-minutes: 360 permissions: actions: read contents: read 
@@ -36,26 +28,25 @@ jobs: strategy: fail-fast: false matrix: - language: ["go", "javascript", "python"] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] - # Use only 'java' to analyze code written in Java, Kotlin or both - # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + include: + - language: go + build-mode: autobuild + - language: javascript + build-mode: none + - language: python + build-mode: none + - language: actions + build-mode: none steps: - name: Checkout repository uses: actions/checkout@v4 - # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + build-mode: ${{ matrix.build-mode }} queries: security-extended config: | paths-ignore: 
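Review bot: The `actions/checkout@v4` and `github/codeql-action/init@v3` references in this hunk stay on floating major tags while the rest of this series pins every third-party action to a commit SHA (title-checker, the label actions, create-pull-request). Tags on GitHub-owned actions are commonly accepted, but if the repository's policy is SHA pinning it should apply uniformly, e.g. `uses: actions/checkout@<sha> # v4` and `uses: github/codeql-action/init@<sha> # v3`, so Dependabot/Renovate tracks them the same way. The new `actions` matrix entry is presumably what produced the workflow alerts addressed in the second patch; a one-line comment above the `include:` list would help the next maintainer, e.g. `# 'actions' scans the .github/workflows files themselves; no build step, hence build-mode: none`.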
@@ -67,22 +58,7 @@ jobs: - '**/*.spec.tsx' - 'scripts/**' - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" From f4016a78c96b782afc26e87a3bbd8ea212eae795 Mon Sep 17 00:00:00 2001 From: Nikola Irinchev Date: Mon, 27 Jan 2025 13:46:53 +0100 Subject: [PATCH 2/4] address alerts flagged by codeql --- .../authors-and-third-party-notices.yaml | 3 +++ .github/workflows/bump-packages.yaml | 4 ++++ .github/workflows/check-pr-title.yml | 15 ++++++++------ .github/workflows/merge-bump-packages-pr.yaml | 3 +++ .github/workflows/publish-compass.yaml | 3 +++ .github/workflows/publish-packages.yaml | 3 +++ .github/workflows/release-notes-cleanup.yaml | 3 +++ .github/workflows/release-notes-labels.yaml | 20 +++++++++++++------ .github/workflows/start-beta.yml | 5 ++++- .github/workflows/start-ga.yaml | 3 +++ .github/workflows/update-electron.yaml | 14 ++++++++----- 11 files changed, 58 insertions(+), 18 deletions(-) diff --git a/.github/workflows/authors-and-third-party-notices.yaml b/.github/workflows/authors-and-third-party-notices.yaml index 1f2e1371967..fe4426b0d91 100644 --- a/.github/workflows/authors-and-third-party-notices.yaml 
+++ b/.github/workflows/authors-and-third-party-notices.yaml @@ -8,6 +8,9 @@ on: branches: - main +permissions: + contents: none # We use the github app token to push the changes + jobs: update_generated_files: name: Update automatically generated files diff --git a/.github/workflows/bump-packages.yaml b/.github/workflows/bump-packages.yaml index a98adf2ef7b..61e1e101616 100644 --- a/.github/workflows/bump-packages.yaml +++ b/.github/workflows/bump-packages.yaml @@ -5,6 +5,9 @@ on: branches: - main +permissions: + contents: none # We use the github app token to open the PR + jobs: update_generated_files: name: Bump packages @@ -21,6 +24,7 @@ jobs: with: # don't checkout a detatched HEAD ref: ${{ github.head_ref }} + token: ${{ steps.app-token.outputs.token }} - uses: actions/setup-node@v4 with: diff --git a/.github/workflows/check-pr-title.yml b/.github/workflows/check-pr-title.yml index 28a8d5e72e6..591c4b5d820 100644 --- a/.github/workflows/check-pr-title.yml +++ b/.github/workflows/check-pr-title.yml 
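Review bot: The new `permissions: contents: none` block in the authors-and-third-party-notices hunk only scopes the automatic `GITHUB_TOKEN`; it does not narrow whatever the GitHub App step mints, which according to the comment is the token that actually pushes. That is correct least privilege for the built-in token, but the comment should say so explicitly so nobody reads the block as a constraint on the push, e.g. `contents: none # GITHUB_TOKEN is unused here; pushes use the App token, whose scope is set on the App installation`. If the action that mints the App token supports per-run permission inputs (that step is outside the hunk), restricting the minted token to `contents: write` on this repository would be the matching control.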
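Review bot: The second bump-packages hunk keeps `ref: ${{ github.head_ref }}` on the checkout while this same series rewrites the equivalent line in update-electron.yaml to `ref: ${{ github.head_ref || github.ref_name }}`; `head_ref` is only populated for pull_request events, so unless this workflow runs on pull_request (the event keyword sits just above the visible `branches: - main` context) it expands to an empty string and checkout silently falls back to the event SHA. For consistency and explicitness use `ref: ${{ github.head_ref || github.ref_name }}` here as well. Note also that handing the App token to `actions/checkout` via `token:` persists it in `.git/config` for every later step, including the `npm` scripts this job runs; if the create-pull-request step pushes with its own `token:` input, `persist-credentials: false` on the checkout keeps the App token out of the workspace.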
@@ -3,22 +3,25 @@ on: pull_request: types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled, converted_to_draft, edited] +permissions: + pull-requests: read # to read the PR title and labels + jobs: check-pr-title: name: Check PR Title runs-on: ubuntu-latest steps: - name: Enforce conventional commit style - uses: realm/ci-actions/title-checker@main + uses: realm/ci-actions/title-checker@d6cc8f067474759d38e6d24e272027b4c88bc0a9 with: regex: '^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test|ops){1}(\([\w\-\.]+\))?(!)?: .*' error-hint: 'Invalid PR title. Make sure it follows the conventional commit specification (i.e. "(): ") or add the no-title-validation label' - ignore-labels: 'no-title-validation' + ignore-labels: "no-title-validation" - name: Enforce JIRA ticket in title - uses: realm/ci-actions/title-checker@main + uses: realm/ci-actions/title-checker@d6cc8f067474759d38e6d24e272027b4c88bc0a9 # Skip the JIRA ticket check for PRs opened by bots if: ${{ !contains(github.event.pull_request.user.login, '[bot]') }} with: - regex: '[A-Z]{4,10}-[0-9]{1,10}$' - error-hint: 'Invalid PR title. Make sure it ends with a JIRA ticket - i.e. COMPASS-1234 or add the no-title-validation label' - ignore-labels: 'no-title-validation' + regex: "[A-Z]{4,10}-[0-9]{1,10}$" + error-hint: "Invalid PR title. Make sure it ends with a JIRA ticket - i.e. COMPASS-1234 or add the no-title-validation label" + ignore-labels: "no-title-validation" diff --git a/.github/workflows/merge-bump-packages-pr.yaml b/.github/workflows/merge-bump-packages-pr.yaml index bf14b6db1df..c47ccb594aa 100644 --- a/.github/workflows/merge-bump-packages-pr.yaml +++ b/.github/workflows/merge-bump-packages-pr.yaml @@ -5,6 +5,9 @@ on: # Each Tuesday at 5 AM UTC - cron: "0 5 * * 2" +permissions: + contents: none # We use the github app token to merge the PR + jobs: merge_bump_packages_pr: name: Merge bump packages PR 
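Review bot: The two `realm/ci-actions/title-checker@d6cc8f06…` pins in the check-pr-title hunk carry no version annotation, whereas the other SHA pins in this series record the release they correspond to (`# 1.3.0`, `# 7.0.5`); without it a reviewer cannot tell what the hash is, and Dependabot/Renovate use that comment to show what moved when they bump it. Append the tag or date you pinned, e.g. `uses: realm/ci-actions/title-checker@d6cc8f067474759d38e6d24e272027b4c88bc0a9 # <tag or date pinned>`. Replacing the floating `@main` reference with a SHA is the right call, and `pull-requests: read` leaves the job's token read-only, which is the correct scope for a title check.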
diff --git a/.github/workflows/publish-compass.yaml b/.github/workflows/publish-compass.yaml index 3ffb517bd01..13472f4504e 100644 --- a/.github/workflows/publish-compass.yaml +++ b/.github/workflows/publish-compass.yaml @@ -11,6 +11,9 @@ on: release: types: [published] +permissions: + contents: write # needed to publish the release + jobs: publish: name: Publish updated manifest to download center diff --git a/.github/workflows/publish-packages.yaml b/.github/workflows/publish-packages.yaml index 340def93c2c..f517772b1c3 100644 --- a/.github/workflows/publish-packages.yaml +++ b/.github/workflows/publish-packages.yaml @@ -9,6 +9,9 @@ on: branches: - main +permissions: + contents: write # to push tags + jobs: publish: if: | diff --git a/.github/workflows/release-notes-cleanup.yaml b/.github/workflows/release-notes-cleanup.yaml index 257cda118d1..1eeb14336cb 100644 --- a/.github/workflows/release-notes-cleanup.yaml +++ b/.github/workflows/release-notes-cleanup.yaml @@ -12,6 +12,9 @@ on: release: types: [published, edited] +permissions: + contents: write # to update the release notes + jobs: cleanup_notes: name: Cleanup Notes diff --git a/.github/workflows/release-notes-labels.yaml b/.github/workflows/release-notes-labels.yaml index b675e555d4e..0cd78cca6e6 100644 --- a/.github/workflows/release-notes-labels.yaml +++ b/.github/workflows/release-notes-labels.yaml @@ -10,6 +10,10 @@ name: Release Notes - Labels on: pull_request: types: [opened, edited, labeled, unlabeled, synchronize] + +permissions: + pull-requests: write # to add and remove labels + jobs: label: runs-on: ubuntu-latest 
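Review bot: `permissions: contents: write` in the publish-packages hunk is added at workflow level, so it applies to every job in the file, not only the `publish` job whose `if:` guard is visible here; if the workflow has other jobs (outside the hunk) move the block under `jobs.publish.permissions` so only the job that creates tags gets write. The same consideration applies to the `contents: write` blocks added to publish-compass.yaml and release-notes-cleanup.yaml in this patch. GitHub has no scope narrower than `contents: write` for tag creation, so the grant also lets the built-in token push commits on a `push` to main; worth stating in the comment so nobody later tightens it in the wrong direction, e.g. `contents: write # to push tags (GitHub has no tag-only scope; this also permits pushing commits)`.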
@@ -20,41 +24,45 @@ jobs: if: | startsWith(github.event.pull_request.title, 'fix:') || startsWith(github.event.pull_request.title, 'fix(') - uses: actions-ecosystem/action-remove-labels@v1 + uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # 1.3.0 with: labels: feat + github_token: ${{ secrets.GITHUB_TOKEN }} - name: remove label not matching title - feat if: | startsWith(github.event.pull_request.title, 'feat:') || startsWith(github.event.pull_request.title, 'feat(') - uses: actions-ecosystem/action-remove-labels@v1 + uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # 1.3.0 with: labels: fix + github_token: ${{ secrets.GITHUB_TOKEN }} - name: add label based on title - fix if: | startsWith(github.event.pull_request.title, 'fix:') || startsWith(github.event.pull_request.title, 'fix(') - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # 1.1.0 with: labels: fix + github_token: ${{ secrets.GITHUB_TOKEN }} - name: add label based on title - feat if: | startsWith(github.event.pull_request.title, 'feat:') || startsWith(github.event.pull_request.title, 'feat(') - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # 1.1.0 with: labels: feat + github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: mheap/github-action-required-labels@v1 + - uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # 5.5.0 with: mode: maximum count: 0 labels: "wip, work in progress, work-in-progress" - - uses: mheap/github-action-required-labels@v1 + - uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # 5.5.0 if: | startsWith(github.event.pull_request.title, 'fix:') || startsWith(github.event.pull_request.title, 'fix(') || 
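Review bot: The add/remove-label steps in this hunk now pass `github_token: ${{ secrets.GITHUB_TOKEN }}` under a `pull_request` trigger (shown in the previous hunk); for pull requests opened from forks GitHub issues a read-only token regardless of the `pull-requests: write` grant, so these steps would fail with a 403 on fork PRs if the repository accepts them. If fork PRs are in scope the usual remedy is `pull_request_target`, which is safe here only because the job reads `github.event.pull_request.title` purely inside expressions and never checks out PR code; that should be a deliberate, documented decision rather than an accident, e.g. a comment `# pull_request only: label steps need a writable token, which fork PRs do not get`. Pinning the three actions to SHAs with version comments is the right move.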
diff --git a/.github/workflows/start-beta.yml b/.github/workflows/start-beta.yml index 5a320a97d97..9de6e54f950 100644 --- a/.github/workflows/start-beta.yml +++ b/.github/workflows/start-beta.yml @@ -14,6 +14,9 @@ on: # Each Monday at 5 AM UTC - cron: "0 5 * * 1" +permissions: + contents: write # To create the new branch and push it + jobs: startRelease: name: Start new Beta release @@ -43,7 +46,7 @@ jobs: - name: Start Release env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | node scripts/release.js beta \ --merge-branch="${{ github.event.inputs.mergeBranch || 'main' }}" \ diff --git a/.github/workflows/start-ga.yaml b/.github/workflows/start-ga.yaml index 11e4f0a0c31..f48e59f37b9 100644 --- a/.github/workflows/start-ga.yaml +++ b/.github/workflows/start-ga.yaml @@ -14,6 +14,9 @@ on: default: "beta-releases" required: false +permissions: + contents: write # To create the new branch and push it + jobs: startRelease: name: Start new GA release diff --git a/.github/workflows/update-electron.yaml b/.github/workflows/update-electron.yaml index 516eb7f4cf8..5953c16a57f 100644 --- a/.github/workflows/update-electron.yaml +++ b/.github/workflows/update-electron.yaml @@ -4,7 +4,10 @@ name: Update electron on: workflow_dispatch: schedule: - - cron: '0 0 * * *' + - cron: "0 0 * * *" + +permissions: + contents: none # We use the github app token to push the changes jobs: update_generated_files: @@ -21,13 +24,13 @@ jobs: - uses: actions/checkout@v4 with: # don't checkout a detatched HEAD - ref: ${{ github.head_ref }} + ref: ${{ github.head_ref || github.ref_name }} token: ${{ steps.app-token.outputs.token }} - uses: actions/setup-node@v4 with: node-version: 20.16.0 - cache: 'npm' + cache: "npm" - name: Install npm@10.2.4 run: | 
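Review bot: The checkout in the second update-electron hunk passes the App token via `token:`, and with checkout's default `persist-credentials: true` that token is written into `.git/config` and remains readable by every later step, including `npm install` and any package lifecycle scripts the electron bump pulls in. The create-pull-request step receives the same token through its own `token:` input in the next hunk, so the persisted copy should not be needed for the push; add `persist-credentials: false` to the checkout's `with:` block and confirm the PR step still pushes with its input token. The `ref: ${{ github.head_ref || github.ref_name }}` change is correct for the `schedule`/`workflow_dispatch` triggers shown in the first hunk, where `head_ref` is always empty.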
@@ -43,9 +46,10 @@ jobs: uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5 with: token: ${{ steps.app-token.outputs.token }} - commit-message: 'chore(deps): update electron' + commit-message: "chore(deps): update electron" branch: ci/update-electron - title: 'chore(deps): update electron' + title: "chore(deps): update electron" labels: no-title-validation + author: "${{ steps.app-token.outputs.app-slug}}[bot] <${{ steps.app-token.outputs.app-email }}>" body: | - Update electron From d2a65ef3850f0e5f127968cbb3d99c2793a61893 Mon Sep 17 00:00:00 2001 From: Nikola Irinchev Date: Mon, 27 Jan 2025 14:16:24 +0100 Subject: [PATCH 3/4] Simplify bump packages --- .github/workflows/bump-packages.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/bump-packages.yaml b/.github/workflows/bump-packages.yaml index e588d18bb52..3aede47c059 100644 --- a/.github/workflows/bump-packages.yaml +++ b/.github/workflows/bump-packages.yaml @@ -42,12 +42,8 @@ jobs: - name: Bump packages env: - LAST_BUMP_COMMIT_MESSAGE: "chore(release): bump package versions" SKIP_BUMP_PACKAGES: "mongodb-compass" - run: | - npm run bump-packages - git add . - git commit --no-allow-empty -m "$LAST_BUMP_COMMIT_MESSAGE" || true + run: npm run bump-packages - name: Create Pull Request uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5 From 45899f300c6766bf489e1f8b3c9773df30e041c4 Mon Sep 17 00:00:00 2001 From: Nikola Irinchev Date: Mon, 27 Jan 2025 14:47:31 +0100 Subject: [PATCH 4/4] Revert to the old token syntax --- .github/workflows/start-beta.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/start-beta.yml b/.github/workflows/start-beta.yml index 9de6e54f950..c2e6aa65763 100644 --- a/.github/workflows/start-beta.yml +++ b/.github/workflows/start-beta.yml 
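Review bot: The new `author:` line in the update-electron hunk reads `steps.app-token.outputs.app-email`, but the App-token action I know of (`actions/create-github-app-token`) documents only `token`, `installation-id` and `app-slug` as outputs; unless the step that mints the token (outside this hunk) sets `app-email` itself, the expression expands to empty and the author becomes `name[bot] <>`, which git may reject or record with a blank email. The documented pattern is a small step that resolves the bot's user id with `gh api "/users/${APP_SLUG}[bot]" --jq .id` (passing the slug through `env:` rather than inline `${{ }}`), then `author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"`. The missing space in `app-slug}}` is harmless to the expression parser but inconsistent with the rest of the line.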
@@ -46,7 +46,7 @@ jobs: - name: Start Release env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} run: | node scripts/release.js beta \ --merge-branch="${{ github.event.inputs.mergeBranch || 'main' }}" \
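Review bot: `--merge-branch="${{ github.event.inputs.mergeBranch || 'main' }}"` on the new side of this hunk interpolates a `workflow_dispatch` input directly into the shell script; the expression is expanded before bash parses the line, so the double quotes give no protection and an input like `main"; curl … #` runs arbitrary commands with the `contents: write` token this workflow was granted in the second patch. Only collaborators can dispatch, so exposure is limited, but this is exactly the pattern CodeQL's actions queries report and the series says it is addressing those alerts. Pass the value through the environment instead: add `MERGE_BRANCH: ${{ github.event.inputs.mergeBranch || 'main' }}` under `env:` beside `GH_TOKEN`, and write `--merge-branch="$MERGE_BRANCH" \` in the script. The `run:` block continues past the end of this hunk, so any further `${{ github.event.inputs.* }}` uses there need the same treatment; the revert from `secrets.GITHUB_TOKEN` back to `github.token` is behaviourally a no-op since both resolve to the same token.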