From 40120aafa0a8f403d04f49232b34c253d71e4e61 Mon Sep 17 00:00:00 2001 From: Jon Ayers Date: Tue, 29 Oct 2024 01:00:46 +0000 Subject: [PATCH 1/5] fix: fix security workflow not installing protoc properly --- .github/workflows/security.yaml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index f71119afb22d7..f031511938f40 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -3,7 +3,6 @@ name: "security" permissions: actions: read contents: read - security-events: write on: workflow_dispatch: @@ -23,6 +22,8 @@ concurrency: jobs: codeql: + permissions: + security-events: write runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} steps: - name: Harden Runner @@ -61,6 +62,8 @@ jobs: "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}" trivy: + permissions: + security-events: write runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} steps: - name: Harden Runner @@ -95,13 +98,21 @@ jobs: # protoc must be in lockstep with our dogfood Dockerfile or the # version in the comments will differ. This is also defined in # ci.yaml. - set -x + set -euxo pipefail cd dogfood/contents + mkdir -p /usr/local/bin + mkdir -p /usr/local/include + DOCKER_BUILDKIT=1 docker build . --target proto -t protoc protoc_path=/usr/local/bin/protoc docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path chmod +x $protoc_path protoc --version + # Copy the generated files to the include directory. + docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/* /target/ + chown -R $(id -u):$(id -g) /usr/local/include + ls -la /usr/local/include/google/protobuf/ + stat /usr/local/include/google/protobuf/timestamp.proto - name: Build Coder linux amd64 Docker image id: build From 94efa16052749e8beef7c0957a522442c5a80322 Mon Sep 17 00:00:00 2001 
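Review bot: The job-level `permissions:` blocks added to `codeql` in this hunk and to `trivy` in the next one replace the workflow-level block instead of merging with it, so both jobs now run with `security-events: write` only and no longer hold `actions: read` or `contents: read`. Any permission a job-level block does not name is set to none. On a public repository checkout may still succeed, but the CodeQL upload is documented as needing both read scopes on private repositories, so I would spell them out in each job: `actions: read`, `contents: read`, `security-events: write`. Both job definitions continue outside their hunks.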
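Review bot: In the copy added at the end of the protoc step, `docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/* /target/`, the `*` is expanded by the runner's shell against the runner's own /tmp/include, not inside the image. Quoting it, as PATCH 2/5 does, only hands `cp` a literal `*`, because no shell runs in the container. The same line also omits `--entrypoint`, while the existing binary extraction earlier in the step uses `--entrypoint cat`; if the `proto` target defines an ENTRYPOINT (not visible here), `cp` would reach it as an argument. A form that avoids both is `docker run --rm --entrypoint cp -v /usr/local/include:/target protoc -r /tmp/include/google /target/`. The step's script begins before this hunk.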
From: Jon Ayers Date: Tue, 29 Oct 2024 01:13:59 +0000 Subject: [PATCH 2/5] fix(security): quote path to handle special chars --- .github/workflows/security.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index f031511938f40..a7da5c456dc16 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -109,7 +109,7 @@ jobs: chmod +x $protoc_path protoc --version # Copy the generated files to the include directory. - docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/* /target/ + docker run --rm -v /usr/local/include:/target protoc cp -r "/tmp/include/*" /target/ chown -R $(id -u):$(id -g) /usr/local/include ls -la /usr/local/include/google/protobuf/ stat /usr/local/include/google/protobuf/timestamp.proto From 42acbe93fed1ff7dade55f0b868d200082aa3aab Mon Sep 17 00:00:00 2001 From: Jon Ayers Date: Tue, 29 Oct 2024 01:18:09 +0000 Subject: [PATCH 3/5] Fix include path in Docker copy command --- .github/workflows/security.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index a7da5c456dc16..8d018f8d26a2c 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -109,7 +109,7 @@ jobs: chmod +x $protoc_path protoc --version # Copy the generated files to the include directory. - docker run --rm -v /usr/local/include:/target protoc cp -r "/tmp/include/*" /target/ + docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/google /target/ chown -R $(id -u):$(id -g) /usr/local/include ls -la /usr/local/include/google/protobuf/ stat /usr/local/include/google/protobuf/timestamp.proto From 6a6ab5c7712bb62eef678b3b6a58278347138f60 Mon Sep 17 00:00:00 2001 
From: Jon Ayers Date: Tue, 29 Oct 2024 01:22:33 +0000 Subject: [PATCH 4/5] Fix permission command in 'security.yaml' workflow --- .github/workflows/security.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 8d018f8d26a2c..3b3c72088a6a0 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -110,7 +110,7 @@ jobs: protoc --version # Copy the generated files to the include directory. docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/google /target/ - chown -R $(id -u):$(id -g) /usr/local/include + #chown -R $(id -u):$(id -g) /usr/local/include ls -la /usr/local/include/google/protobuf/ stat /usr/local/include/google/protobuf/timestamp.proto From 484d0418ec3d9a169248b7d3dc1ec3c65f46fabe Mon Sep 17 00:00:00 2001 From: Jon Ayers Date: Tue, 29 Oct 2024 01:26:43 +0000 Subject: [PATCH 5/5] Remove unused chown command in security workflow --- .github/workflows/security.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 3b3c72088a6a0..4ae50b2aa4792 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -110,7 +110,6 @@ jobs: protoc --version # Copy the generated files to the include directory. docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/google /target/ - #chown -R $(id -u):$(id -g) /usr/local/include ls -la /usr/local/include/google/protobuf/ stat /usr/local/include/google/protobuf/timestamp.proto pFad - Phonifier reborn
