feat: add workflow templates #1
Conversation
Signed-off-by: gatici <[email protected]>
|
This is still in-progress. |
| else | ||
| echo "Version change not for release" |
There was a problem hiding this comment.
Maybe we want to exit or return right away here to bypass the rest of the code.
| else | |
| echo "Version change not for release" | |
| else | |
| echo "Version change not for release" | |
| exit 0 |
| version=$(cat VERSION) | ||
| version_before_full=${{ steps.version-file.outputs.version_before }} | ||
| version_before=${version_before_full::-4} | ||
| echo "version=$version" |
There was a problem hiding this comment.
I think we need to validate the content of VERSION before doing anything with it. Here, a bad actor could propose a PR where the VERSION file contains something like "v1.5.0 ; echo $GITHUB_TOKEN" and extract sensitive information.
While this example would probably be easy to spot, there have been some high profiles attack on open-source projects this year and I think we need to be a bit more cautious here.
This same comment would be valid everywhere we use content from the VERSION file.
| with: | ||
| registry: ${{ env.REGISTRY }} | ||
| username: "omectesting" | ||
| password: "dckr_pat_Up1vh3lGEKIfGDJuEj7Qb7OfdEE" |
There was a problem hiding this comment.
Shouldn't this be a secret?
This particular password should also be changed and not put as is in a secret.
| DOCKER_TAG: ${{ env.VERSION }}-testing | ||
| run: | | ||
| echo "Deleting Docker image tag: ${DOCKER_TAG}" | ||
| curl -u omectesting:dckr_pat_Up1vh3lGEKIfGDJuEj7Qb7OfdEE -X "DELETE" https://hub.docker.com/v2/repositories/${DOCKER_REPOSITORY}/5gc-amf/tags/${{ env.DOCKER_TAG }}/ |
There was a problem hiding this comment.
Same comment regarding the password
| - uses: peterjgrainger/[email protected] | ||
| with: | ||
| branch: "rel-${{ inputs.version-branch }}" | ||
| sha: '${{ github.event.pull_request.head.sha }}' |
There was a problem hiding this comment.
Please add EOL in all files. Thanks!
|
|
||
| - name: Increment version | ||
| run: | | ||
| version=${{ input.release-version }} |
There was a problem hiding this comment.
| version=${{ input.release-version }} | |
| version=${{ inputs.release-version }} |
| runs-on: ubuntu-latest | ||
| if: ${{ input.release-changed == 'true' }} |
There was a problem hiding this comment.
Given that you are defining this variable as boolean, do you need to indicate true as a string?
| runs-on: ubuntu-latest | |
| if: ${{ input.release-changed == 'true' }} | |
| if: ${{ inputs.release-changed == 'true' }} | |
| runs-on: ubuntu-latest |
Adding each job templates can we used in any repository by providing input variables.