
releases: publish nightly builds of dev #12137


Open
wants to merge 59 commits into
base: dev

Conversation

valentijnscholten
Member

@valentijnscholten valentijnscholten commented Mar 30, 2025

This PR uses the existing building blocks in our workflows to push a nightly build of the dev branch.

This is useful to users who want to test fixes or new features only available in dev, or users who just want to run off dev, which is very stable for Defect Dojo.

This PR also changes github.event.inputs.xxxx to inputs.xxx. This cost me a lot of time, as the old input uses values provided in the UI when starting the workflow, ignoring any values provided by the workflow files themselves.

I also tried to publish a nightly bugfix release. But the bugfix branch doesn't get its own version number. We have to decide if it's useful to publish these builds since we have a weekly release cadence for bugfix.

valentijnscholten_defectdojo-django general _ Docker Hub

@github-actions github-actions bot removed the docker label Mar 30, 2025
@valentijnscholten valentijnscholten marked this pull request as ready for review March 31, 2025 15:21

DryRun Security Summary

GitHub Actions workflow updates for DefectDojo release processes reveal security vulnerabilities related to secrets handling, input validation, hardcoded credentials, cron scheduling, and workflow permissions.


Summary: GitHub Actions workflow patches for DefectDojo release processes, focusing on syntax updates, input handling, and release automation across multiple workflow files.

Security Findings:

  1. Secrets Handling Vulnerability

    • Multiple workflows use secrets: inherit, which could potentially expose more secrets than necessary
    • Risk: Unintended secret exposure across workflows
  2. Input Validation Weakness

    • Limited or no explicit input validation across workflows
    • Potential risk of input injection or unexpected behavior
    • Specifically noted in workflows like release-x-manual-merge-container-digests.yml
  3. Hardcoded Environment Variables

    • Several workflows use predefined, static Git usernames and email addresses
    • While not a critical vulnerability, could potentially be exploited if credentials are predictable
  4. Cron Syntax Issue

    • In release-nightly-dev.yml, the cron expression appears incorrect
    • Could lead to unexpected or missed scheduled builds
  5. Workflow Permission Considerations

    • No explicit workflow permissions defined in most workflows
    • Relies on default GitHub Actions permissions
    • Potential risk of overly broad access

View PR in the DryRun Dashboard.
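The following is an added illustration, not code from the DefectDojo repository or from this PR. It shows the two points discussed above: a reusable workflow reads its `with:` values through the `inputs` context (the `github.event.inputs` context only carries values typed into the workflow_dispatch UI, so a caller's `with:` values are invisible to it), and a caller that declares explicit `permissions` and passes named secrets instead of `secrets: inherit`, which addresses the secrets-handling and permissions findings in the DryRun summary. The file names `build-image.yml` and `release-nightly.yml`, the secret name `REGISTRY_TOKEN`, the `nightly-<run number>` tag scheme and the 02:00 UTC schedule are all assumptions made for the example; the interpolation of inputs through `env:` rather than directly into `run:` is the documented GitHub Actions mitigation for script injection via untrusted inputs.

```yaml
# .github/workflows/build-image.yml  (hypothetical reusable workflow)
name: build-image
on:
  workflow_call:
    inputs:
      release_number:
        type: string
        required: true
      push_image:
        type: boolean
        default: false
    secrets:
      REGISTRY_TOKEN:          # declared explicitly so callers must pass it
        required: true
  workflow_dispatch:          # manual runs get the same inputs from the UI
    inputs:
      release_number:
        type: string
        required: true
      push_image:
        type: boolean
        default: false

permissions:
  contents: read              # least privilege at the workflow level

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image tag from inputs
        # `inputs.*` is populated for BOTH workflow_call and workflow_dispatch.
        # `github.event.inputs.*` would be empty (or the caller's UI values)
        # when this workflow is reached through `uses:` from another workflow.
        env:
          RELEASE_NUMBER: ${{ inputs.release_number }}   # via env, not inline
          PUSH_IMAGE: ${{ inputs.push_image }}
        run: |
          echo "building example-image:${RELEASE_NUMBER} (push=${PUSH_IMAGE})"
      - name: Log in to registry
        if: ${{ inputs.push_image }}
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}  # only the one secret passed
        run: |
          echo "would log in with a token of length ${#REGISTRY_TOKEN}"

---
# .github/workflows/release-nightly.yml  (hypothetical caller)
name: release-nightly
on:
  schedule:
    - cron: "0 2 * * *"       # five fields (min hour dom month dow): daily 02:00 UTC
  workflow_dispatch:          # allow a manual run with the same job

permissions: {}               # nothing by default; each job opts in

jobs:
  nightly:
    permissions:
      contents: read
      packages: write         # only what pushing the image needs
    uses: ./.github/workflows/build-image.yml
    with:
      release_number: nightly-${{ github.run_number }}   # assumed tag scheme
      push_image: true
    secrets:
      REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}       # explicit, not `secrets: inherit`
```

With `secrets: inherit` every repository and organization secret would be visible to the called workflow; naming the one secret it needs keeps the blast radius of a compromised step to that token. Likewise, `permissions: {}` at the top plus a per-job grant means an added job cannot silently acquire `contents: write` through the repository's default token permissions.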

@Maffooch Maffooch self-requested a review March 31, 2025 15:58
Contributor

@mtesauro mtesauro left a comment


Approved

@Maffooch Maffooch added this to the 2.46.0 milestone Apr 7, 2025
5 participants