From aa5d8c4738469801c1a0bf637dae2c226b8a32c8 Mon Sep 17 00:00:00 2001
From: Brad Smith
Date: Mon, 9 Dec 2024 15:27:21 -0500
Subject: [PATCH] fix: stop interacting with GHCR, disable scheduled jobs
Pushes to and pulls from GHCR no longer work after 2024-12-09 because the secrets we use are no longer valid. What broke the secrets? They were (still are at the time of this commit) GitHub personal access keys belonging to the user @quipucords-bot, but on 2024-12-09 the @quipucords-bot user was demoted and removed from the org due to newly onerous security restrictions by Red Hat. Until we rewrite this code, probably to use to Quay instead of GHCR, the `reaper` repo will save no new images after PRs merge, and no scheduled jobs will run to reap the AWS and Azure accounts.
---
 .github/workflows/docker-build.yml | 3 +++
 .github/workflows/schedule-reap-aws-dev.yml | 8 +++++---
 .github/workflows/schedule-reap-aws-stage-prod.yml | 8 +++++---
 .github/workflows/schedule-reap-azure.yml | 8 +++++---
 4 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 5368774..b508ba6 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -25,6 +25,9 @@ jobs:
 - run: docker pull $IMAGE_NAME:latest || true
 - run: docker build --cache-from $IMAGE_NAME:latest .
 deploy-build-and-push-image:
+ # Pushes to GHCR no longer work after 2024-12-09 because the secrets are no longer valid.
+ # I am leaving this code alive to indicate failure risks by GH actions when new code lands on main.
+ # Images are being built but will never successfully push to the GHCR using the bot's auth token.
 name: Build and Push Image
 if: github.ref == 'refs/heads/main'
 needs: [docker-build]
diff --git a/.github/workflows/schedule-reap-aws-dev.yml b/.github/workflows/schedule-reap-aws-dev.yml
index 0c0cdea..c487d85 100644
--- a/.github/workflows/schedule-reap-aws-dev.yml
+++ b/.github/workflows/schedule-reap-aws-dev.yml
@@ -4,9 +4,11 @@ env:
 IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/reaper
 AWS_DEFAULT_REGION: us-east-1
-on:
- schedule:
- - cron: '0 2 * * *'
+# Disabling all scheduled jobs for now.
+# Pulls from GHCR no longer work after 2024-12-09 because the secrets are no longer valid.
+# on:
+# schedule:
+# - cron: '0 2 * * *'
 jobs:
 docker:
diff --git a/.github/workflows/schedule-reap-aws-stage-prod.yml b/.github/workflows/schedule-reap-aws-stage-prod.yml
index 8b6a4a2..a1928d3 100644
--- a/.github/workflows/schedule-reap-aws-stage-prod.yml
+++ b/.github/workflows/schedule-reap-aws-stage-prod.yml
@@ -4,9 +4,11 @@ env:
 IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/reaper
 AWS_DEFAULT_REGION: us-east-1
-on:
- schedule:
- - cron: '30 * * * *'
+# Disabling all scheduled jobs for now.
+# Pulls from GHCR no longer work after 2024-12-09 because the secrets are no longer valid.
+# on:
+# schedule:
+# - cron: '30 * * * *'
 jobs:
 docker:
diff --git a/.github/workflows/schedule-reap-azure.yml b/.github/workflows/schedule-reap-azure.yml
index 18d7131..6036dea 100644
--- a/.github/workflows/schedule-reap-azure.yml
+++ b/.github/workflows/schedule-reap-azure.yml
@@ -3,9 +3,11 @@ name: Scheduled reap Azure tenants
 env:
 IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/reaper
-on:
- schedule:
- - cron: '0 3 * * *'
+# Disabling all scheduled jobs for now.
+# Pulls from GHCR no longer work after 2024-12-09 because the secrets are no longer valid.
+# on:
+# schedule:
+# - cron: '0 3 * * *'
 jobs:
 docker:
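Review bot: Commenting out the whole `on:` block in `schedule-reap-aws-dev.yml`, `schedule-reap-aws-stage-prod.yml` and `schedule-reap-azure.yml` leaves each workflow with no trigger at all, and `on` is a required top-level key in a GitHub Actions workflow, so these files will most likely be reported as invalid workflows rather than as cleanly disabled ones. Keeping a manual trigger, `on: workflow_dispatch`, with the old cron lines left as comments beneath it, keeps the files valid and lets the reapers be run by hand once the registry credentials are replaced; disabling the workflows in the repository's Actions settings is the other supported route. Because these jobs clean up the AWS and Azure accounts, the added comment should also record who owns re-enabling them, for example `# TODO(<owner>): re-enable once image pulls use a valid credential`, so that unreaped cloud resources do not accumulate unnoticed. The `jobs:` body of each workflow continues outside the hunks, so whether it still references the invalid secrets cannot be confirmed from here.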