From 40120aafa0a8f403d04f49232b34c253d71e4e61 Mon Sep 17 00:00:00 2001
From: Jon Ayers
Date: Tue, 29 Oct 2024 01:00:46 +0000
Subject: [PATCH 1/5] fix: fix security workflow not installing protoc properly

---
 .github/workflows/security.yaml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index f71119afb22d7..f031511938f40 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -3,7 +3,6 @@ name: "security"
 permissions:
 actions: read
 contents: read
- security-events: write

 on:
 workflow_dispatch:
@@ -23,6 +22,8 @@ concurrency:

 jobs:
 codeql:
+ permissions:
+ security-events: write
 runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
 steps:
 - name: Harden Runner
@@ -61,6 +62,8 @@ jobs:
 "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"

 trivy:
+ permissions:
+ security-events: write
 runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
 steps:
 - name: Harden Runner
@@ -95,13 +98,21 @@ jobs:
 # protoc must be in lockstep with our dogfood Dockerfile or the
 # version in the comments will differ. This is also defined in
 # ci.yaml.
- set -x
+ set -euxo pipefail
 cd dogfood/contents
+ mkdir -p /usr/local/bin
+ mkdir -p /usr/local/include
+
 DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
 protoc_path=/usr/local/bin/protoc
 docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
 chmod +x $protoc_path
 protoc --version
+ # Copy the generated files to the include directory.
+ docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/* /target/
+ chown -R $(id -u):$(id -g) /usr/local/include
+ ls -la /usr/local/include/google/protobuf/
+ stat /usr/local/include/google/protobuf/timestamp.proto

 - name: Build Coder linux amd64 Docker image
 id: build

From 94efa16052749e8beef7c0957a522442c5a80322 Mon Sep 17 00:00:00 2001
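Review bot: The job-level `permissions:` block added under `codeql` (and the identical one under `trivy` in the following hunk) replaces the workflow-level block for that job rather than extending it: any scope not listed in a job-level block is set to `none`, so the `actions: read` and `contents: read` granted at the top of the file no longer apply to these two jobs. If the checkout, CodeQL analyze or Trivy SARIF-upload steps of these jobs (outside the hunk) rely on those scopes, repeat them in each job block so it reads `permissions:` / `actions: read` / `contents: read` / `security-events: write`. The workflow-level block would then keep only the read scopes as the default for any other job.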
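Review bot: The bind mount in `docker run --rm -v /usr/local/include:/target protoc cp ...` writes the headers onto the host as the container's root user, which is why the following `chown -R $(id -u):$(id -g) /usr/local/include` can only succeed when the runner user is itself root; the later patches in this series drop the `chown` and leave the copied tree root-owned. Extracting the files with `docker create`/`docker cp` avoids mounting a host system directory into the container and, per the docker cp documentation, creates the host files owned by the invoking user, so no ownership fix-up is needed: `cid=$(docker create protoc)`, `docker cp "$cid:/tmp/include/." /usr/local/include/`, `docker rm "$cid"`. The same approach would also replace the `--entrypoint cat ... > $protoc_path` extraction of the binary. The `run:` block this script belongs to starts outside the hunk.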
From: Jon Ayers
Date: Tue, 29 Oct 2024 01:13:59 +0000
Subject: [PATCH 2/5] fix(security): quote path to handle special chars

---
 .github/workflows/security.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index f031511938f40..a7da5c456dc16 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -109,7 +109,7 @@ jobs:
 chmod +x $protoc_path
 protoc --version
 # Copy the generated files to the include directory.
- docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/* /target/
+ docker run --rm -v /usr/local/include:/target protoc cp -r "/tmp/include/*" /target/
 chown -R $(id -u):$(id -g) /usr/local/include
 ls -la /usr/local/include/google/protobuf/
 stat /usr/local/include/google/protobuf/timestamp.proto

From 42acbe93fed1ff7dade55f0b868d200082aa3aab Mon Sep 17 00:00:00 2001
From: Jon Ayers
Date: Tue, 29 Oct 2024 01:18:09 +0000
Subject: [PATCH 3/5] Fix include path in Docker copy command

---
 .github/workflows/security.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index a7da5c456dc16..8d018f8d26a2c 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -109,7 +109,7 @@ jobs:
 chmod +x $protoc_path
 protoc --version
 # Copy the generated files to the include directory.
- docker run --rm -v /usr/local/include:/target protoc cp -r "/tmp/include/*" /target/
+ docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/google /target/
 chown -R $(id -u):$(id -g) /usr/local/include
 ls -la /usr/local/include/google/protobuf/
 stat /usr/local/include/google/protobuf/timestamp.proto

From 6a6ab5c7712bb62eef678b3b6a58278347138f60 Mon Sep 17 00:00:00 2001
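Review bot: Quoting the pattern as `"/tmp/include/*"` does not make the copy succeed: the quotes only stop the runner's shell from expanding the glob on the host, and `cp` inside the container then receives the literal `*` with no shell available to expand it. The pattern has to be expanded on the side where the files live, or replaced by a concrete path as the next patch in this series does. The `run:` block this script belongs to starts outside the hunk.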
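Review bot: `cp -r /tmp/include/google /target/` copies only one subtree, so any other top-level directory the `proto` build stage places under `/tmp/include` would be silently left out, and the `stat` two lines below only confirms `timestamp.proto`. Copying the directory contents with `cp -r /tmp/include/. /target/` avoids both the glob expansion problem of the earlier patches and the need to enumerate subdirectories by name. The `run:` block this script belongs to starts outside the hunk.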
From: Jon Ayers
Date: Tue, 29 Oct 2024 01:22:33 +0000
Subject: [PATCH 4/5] Fix permission command in 'security.yaml' workflow

---
 .github/workflows/security.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 8d018f8d26a2c..3b3c72088a6a0 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -110,7 +110,7 @@ jobs:
 protoc --version
 # Copy the generated files to the include directory.
 docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/google /target/
- chown -R $(id -u):$(id -g) /usr/local/include
+ #chown -R $(id -u):$(id -g) /usr/local/include
 ls -la /usr/local/include/google/protobuf/
 stat /usr/local/include/google/protobuf/timestamp.proto

From 484d0418ec3d9a169248b7d3dc1ec3c65f46fabe Mon Sep 17 00:00:00 2001
From: Jon Ayers
Date: Tue, 29 Oct 2024 01:26:43 +0000
Subject: [PATCH 5/5] Remove unused chown command in security workflow

---
 .github/workflows/security.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 3b3c72088a6a0..4ae50b2aa4792 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -110,7 +110,6 @@ jobs:
 protoc --version
 # Copy the generated files to the include directory.
 docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/google /target/
- #chown -R $(id -u):$(id -g) /usr/local/include
 ls -la /usr/local/include/google/protobuf/
 stat /usr/local/include/google/protobuf/timestamp.proto
