Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(GHA): Pin azure/setup-helm #11493

Merged
merged 3 commits into from
Jan 29, 2025
Merged

feat(GHA): Pin azure/setup-helm #11493

merged 3 commits into from
Jan 29, 2025

Conversation

kiblik
Copy link
Contributor

@kiblik kiblik commented Jan 2, 2025

Add pinact which is able to detect unpinned GHA

@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Jan 2, 2025
edited
Loading

DryRun Security Summary

The pull request modifies the DefectDojo Helm chart release workflow by implementing secure practices such as dependency version pinning and structured release steps, while maintaining the integrity of the release process through separate branch management for the Helm repository index.

Expand for full summary

Summary:

The changes in this pull request are focused on the release process of the DefectDojo Helm chart and do not introduce any obvious security concerns. The GitHub Actions workflow responsible for the Helm chart release follows best practices, such as pinning dependencies to specific versions and updating the Helm repository index in a separate branch. These practices help maintain the security and reliability of the release process.

The key changes include setting up the Helm CLI with a specific, known version, configuring the Bitnami Helm repository, pinning the Docker image version to the release number, packaging the Helm chart, creating a new GitHub release, and updating the Helm repository index. All of these steps are standard parts of the release process and do not raise any immediate security concerns.

Files Changed:

  • .github/workflows/release-x-manual-helm-chart.yml: This file contains the GitHub Actions workflow responsible for the release of the DefectDojo Helm chart. The changes include:
    • Pinning the Helm CLI setup action to a specific commit hash to ensure a known version is used.
    • Configuring the Bitnami Helm repository and updating the dependencies for the DefectDojo Helm chart.
    • Pinning the Docker image version to the release number in the values.yaml file.
    • Packaging the DefectDojo Helm chart and storing the artifact.
    • Creating a new GitHub release and attaching the packaged Helm chart.
    • Updating the Helm repository index file (index.yaml) in a separate branch to maintain the integrity of the Helm repository.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

@kiblik kiblik marked this pull request as draft January 3, 2025 11:20
Maffooch
Maffooch requested changes Jan 3, 2025
View reviewed changes
.github/workflows/gha-pin.yml Outdated Show resolved Hide resolved
@kiblik kiblik changed the title feat(GHA): Add pinact (gha pin checker) feat(GHA): Pin azure/setup-helm Jan 25, 2025
@kiblik
Copy link
Contributor Author

kiblik commented Jan 25, 2025

I dropped pinact-action because it wasn't possible to use it without pinning another pinning: suzuki-shunsuke/pinact-action#505

The pin is not missing that often. Keeping another config would just increase overhead.

@kiblik kiblik requested a review from Maffooch January 25, 2025 16:14
@kiblik kiblik marked this pull request as ready for review January 25, 2025 16:14
mtesauro
mtesauro approved these changes Jan 27, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@Maffooch Maffooch merged commit 420bf66 into DefectDojo:dev Jan 29, 2025
73 checks passed
@kiblik kiblik deleted the gha_pin2 branch January 29, 2025 23:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtesauro mtesauro mtesauro approved these changes

@dogboat dogboat dogboat approved these changes

@hblankenship hblankenship hblankenship approved these changes

@Maffooch Maffooch Maffooch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kiblik @mtesauro @dogboat @hblankenship @Maffooch