
Silently failing GitHub Action Workflows because of failed allowed version propagation #911

Open
triffer opened this issue May 15, 2024 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@triffer (Contributor)

triffer commented May 15, 2024

Description

The issue arose from a post-mortem conducted by the Goat team, because unit tests had not been running on pull requests for several days.
If a version of a GitHub Action that is not allowed is used in a GitHub Actions Workflow, the workflow fails silently on startup. In this specific case the blocked Action was part of the Workflow running on pull requests, and unit tests are also executed as part of this Workflow. The failed Workflow was not considered a Check required by pull requests and therefore did not block the merge of pull requests. This led to a state where pull requests could be merged without the requirement that unit tests had been executed.

This can easily be reproduced, and there is nothing preventing it from happening again.
The following steps led to the faulty state:

  • A PR with an update of golangci/golangci-lint-action to version 9d1e0624a798bb64f6c3cea93db47765312263dc was created by Dependabot.
  • Version 9d1e0624a798bb64f6c3cea93db47765312263dc was added to the allowed_actions.json in this PR.
  • The Dependabot PR was merged several days later.
  • The new version 9d1e0624a798bb64f6c3cea93db47765312263dc of golangci/golangci-lint-action was not available as an allowed action in the api-gateway repository. It's important to consider that the availability of this allowed action can only be checked by repository admins, so not everyone on the team might be able to do this.
  • The pull request Workflow in api-gateway started to run into a Startup failure, and PRs did not report the failed pull request workflow but were mergeable (Failed pull-request run).

Multiple teams have already mentioned problems with allowed versions propagation and silently failing GitHub Workflows in the past, so in the post-mortem we made the assumption that the propagation of allowed versions is done manually.

We consider it a critical issue that Workflows failing with status Startup failure are not considered relevant for pull request checks. This means a Startup failure, e.g. caused by using a not-allowed action, can silently prevent Workflows from running and therefore cause our testing strategy to fail.

Additionally, we regularly get Dependabot PRs to update GitHub Actions versions. Since we want to keep those dependencies up to date, we need to add the new versions to the allowed_actions.json. Since the propagation of allowed versions seems to be done manually, there is a risk that one or more of our workflows will break with each new version of a GitHub Action.

Expected result
Propagation of Allowed GitHub Actions is reliable.

Actual result
Propagation of allowed versions and execution of GitHub Workflows is not reliable.

Steps to reproduce
Can be found in the description.

Troubleshooting

@triffer triffer added the kind/bug Categorizes issue or PR as related to a bug. label May 15, 2024
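The failure mode described in the issue, a `uses:` reference whose commit SHA is not yet in the organization's allow-list, can be caught in the repository itself before the workflow ever reaches a Startup failure. The following is an added example written for this page; it is not code from the issue author or from the project. The real schema of allowed_actions.json is not shown on the page, so the example assumes a JSON map of `owner/repo` to a list of allowed refs, and every SHA and workflow below is constructed sample input, except the golangci/golangci-lint-action SHA quoted from the issue.

```python
"""Repository-side lint for GitHub Actions allow-lists.

Extracts every remote `uses:` reference from a workflow file and checks that
(a) it is pinned to a full 40-hex commit SHA and (b) that exact SHA is present
in the allow-list. Running this on the Dependabot PR would flag the bump of
golangci/golangci-lint-action before it silently breaks the pull-request
workflow at startup.
"""
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed allow-list. Assumed schema: "owner/repo" -> [allowed refs].
# The SHAs are placeholders, not real commits.
ALLOWED_ACTIONS_JSON = """
{
  "actions/checkout": ["1111111111111111111111111111111111111111"],
  "golangci/golangci-lint-action": ["2222222222222222222222222222222222222222"]
}
"""

# Constructed workflow: the lint action was bumped (SHA from the issue) but the
# allow-list above still only carries the previous SHA; setup-go is unpinned.
WORKFLOW_YAML = """
name: pull-request
on: pull_request
jobs:
  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111
      - name: lint
        uses: golangci/golangci-lint-action@9d1e0624a798bb64f6c3cea93db47765312263dc
      - uses: ./.github/actions/local-step
      - uses: actions/setup-go@v5
      - run: go test ./...
"""

# Matches "uses: value" whether or not the line starts a list item ("- uses:").
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)', re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) for each remote action; local paths and docker images are skipped."""
    refs: List[Tuple[str, str]] = []
    for match in USES_RE.finditer(workflow_text):
        value = match.group(1)
        if value.startswith(("./", "docker://")):
            continue  # not subject to the allow-list
        action, sep, ref = value.partition("@")
        refs.append((action, ref if sep else ""))
    return refs


def load_allowed(json_text: str) -> Dict[str, Set[str]]:
    """Parse the (assumed) allowed_actions.json schema into action -> set of refs."""
    data = json.loads(json_text)
    return {action: set(refs) for action, refs in data.items()}


def find_violations(workflow_text: str, allowed: Dict[str, Set[str]]) -> List[str]:
    """One message per problem; an empty list means the workflow will pass the allow-list."""
    problems: List[str] = []
    for action, ref in parse_uses(workflow_text):
        shown = f"{action}@{ref or '<none>'}"
        if not SHA_RE.match(ref):
            problems.append(f"{shown}: not pinned to a full commit SHA")
        if ref not in allowed.get(action, set()):
            problems.append(f"{shown}: not in allowed_actions.json")
    return problems


if __name__ == "__main__":
    for line in find_violations(WORKFLOW_YAML, load_allowed(ALLOWED_ACTIONS_JSON)):
        print(line)
```

Running the check in the same pull-request workflow would itself be pointless (the workflow never starts), so it belongs in a separate job or a pre-merge hook that uses only already-allowed actions. Independently of the allow-list, the merge gap closes when the unit-test job is configured as a required status check in branch protection: a required check that never reports keeps the pull request blocked instead of quietly mergeable.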