From fe616debbe5bdf4c336c7a9487575685e9e9414d Mon Sep 17 00:00:00 2001 From: ActoryOu Date: Fri, 22 Nov 2024 17:46:51 +0800 Subject: [PATCH] Follow Security Guide to update YAML files. (#1925) * Follow Security Guide to update YAML files. * Update checkout version to v4 --- .github/workflows/tag-and-zip.yml | 39 ++++++++++++++++--------- .github/workflows/update-submodules.yml | 7 +++-- .github/workflows/version-updater.yml | 21 +++++++++---- 3 files changed, 46 insertions(+), 21 deletions(-) diff --git a/.github/workflows/tag-and-zip.yml b/.github/workflows/tag-and-zip.yml index 561beb2815..31c3ff7461 100644 --- a/.github/workflows/tag-and-zip.yml +++ b/.github/workflows/tag-and-zip.yml @@ -16,22 +16,27 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: ref: ${{ github.event.inputs.commit_id }} - name: Configure git identity run: | git config --global user.name "Release Workflow" - name: Tag Commit and Push to remote + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} run: | - git tag ${{ github.event.inputs.version_number }} -a -m "AWS IoT Device SDK for Embedded C version ${{ github.event.inputs.version_number }}" + git tag "$VERSION_NUMBER" -a -m "AWS IoT Device SDK for Embedded C version $VERSION_NUMBER" git push origin --tags - name: Verify tag on remote + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} + COMMIT_ID: ${{ github.event.inputs.commit_id }} run: | - git tag -d ${{ github.event.inputs.version_number }} + git tag -d "$VERSION_NUMBER" git remote update - git checkout tags/${{ github.event.inputs.version_number }} - git diff ${{ github.event.inputs.commit_id }} tags/${{ github.event.inputs.version_number }} + git checkout tags/"$VERSION_NUMBER" + git diff "$COMMIT_ID" tags/"$VERSION_NUMBER" create-zip: needs: tag-commit name: Create ZIP and verify package for release asset. 
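Review bot: The new `git tag "$VERSION_NUMBER" -a -m ...` line in the 'Tag Commit and Push to remote' step (and the `git tag -d` / `git checkout tags/` lines in 'Verify tag on remote') quote the input but never validate it, so a value that begins with `-` is still read by git as an option rather than a tag name. Moving the expression into `env:` removes the script-injection path, but a format check before the first git call would close the remaining gap, e.g. `[[ "$VERSION_NUMBER" =~ ^[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected version_number"; exit 1; }`, adjusted to the project's version scheme. The same guard fits the version-updater.yml hunk further down, where the values additionally flow into a sed expression.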
@@ -40,7 +45,7 @@ jobs: - name: Install ZIP tools run: sudo apt-get install zip unzip - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: ref: ${{ github.event.inputs.commit_id }} path: aws-iot-device-sdk-embedded-C @@ -54,18 +59,22 @@ jobs: zip -r aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}.zip aws-iot-device-sdk-embedded-C -x "*.git*" ls ./ - name: Validate created ZIP + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} run: | mkdir zip-check - mv aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}.zip zip-check + mv aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER".zip zip-check cd zip-check - unzip aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}.zip -d aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }} - ls aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }} - diff -r -x "*.git*" aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}/aws-iot-device-sdk-embedded-C/ ../aws-iot-device-sdk-embedded-C/ + unzip aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER".zip -d aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER" + ls aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER" + diff -r -x "*.git*" aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER"/aws-iot-device-sdk-embedded-C/ ../aws-iot-device-sdk-embedded-C/ cd ../ - name : Build Check Demos + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} run: | sudo apt-get install -y libmosquitto-dev - cd zip-check/aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}/aws-iot-device-sdk-embedded-C/ + cd zip-check/aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER"/aws-iot-device-sdk-embedded-C/ cmake -S . -B build/ \ -G "Unix Makefiles" \ -DBUILD_DEMOS=1 \ 
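Review bot: The `zip -r aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}.zip ...` context line at the top of the 'Validate created ZIP' hunk still interpolates the workflow input directly into the shell script, which is exactly the pattern the rest of this commit replaces with `$VERSION_NUMBER`. That line belongs to the 'Create ZIP' step whose start is outside the hunk, so it presumably needs its own `env: VERSION_NUMBER: ${{ github.event.inputs.version_number }}` and the line rewritten as `zip -r aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER".zip aws-iot-device-sdk-embedded-C -x "*.git*"`. Leaving one raw `${{ }}` inside a `run:` block keeps open the injection path the commit is meant to close.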
@@ -89,8 +98,10 @@ jobs: make -C build/ help | grep demo | tr -d '. ' | xargs make -C build/ -j8 make -C demos/jobs/jobs_demo_mosquitto -j8 - name : Build Check Tests + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} run: | - cd zip-check/aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}/aws-iot-device-sdk-embedded-C/ + cd zip-check/aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER"/aws-iot-device-sdk-embedded-C/ rm -rf ./build cmake -S . -B build/ \ -G "Unix Makefiles" \ @@ -105,8 +116,10 @@ jobs: -DCLIENT_IDENTIFIER="ci-identifier" make -C build/ all -j8 - name: Run Unit Tests + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} run: | - cd zip-check/aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}/aws-iot-device-sdk-embedded-C/build/ + cd zip-check/aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER"/aws-iot-device-sdk-embedded-C/build/ ctest -E system --output-on-failure cd .. - name: Create artifact of ZIP diff --git a/.github/workflows/update-submodules.yml b/.github/workflows/update-submodules.yml index f46ae14778..13d8aa3cce 100644 --- a/.github/workflows/update-submodules.yml +++ b/.github/workflows/update-submodules.yml @@ -25,8 +25,10 @@ jobs: run: | git config --global user.name "Submodule Updater" - name: Update the submodules + env: + ALLOWED: ${{ github.event.inputs.allowed }} run: | - libs=$(find libraries/standard libraries/aws -maxdepth 1 -mindepth 1 | grep "${{ github.event.inputs.allowed }}") + libs=$(find libraries/standard libraries/aws -maxdepth 1 -mindepth 1 | grep "$ALLOWED") git submodule update --remote $libs - name: Commit changes and Push to remote run: | 
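Review bot: `grep "$ALLOWED"` in the 'Update the submodules' step of update-submodules.yml passes the input as grep's first positional argument, so a value starting with `-` is parsed as an option, an empty value matches every library, and the value is interpreted as a regular expression. Writing it as `grep -e "$ALLOWED"` keeps the current pattern semantics while preventing option parsing, and an explicit check such as `[ -n "$ALLOWED" ] || exit 1` would avoid updating all submodules by accident if that is not the intended default. The unquoted `$libs` on the following context line relies on word splitting to expand into several paths, which is fine only as long as no submodule path contains whitespace.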
@@ -38,5 +40,6 @@ jobs: - name: Raise a Pull-Request env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BRANCH: ${{ github.event.inputs.branch }} run: | - gh pr create --base ${{ github.event.inputs.branch }} --title 'Update library submodules to the latest' --body 'Update library submodules to the latest' + gh pr create --base "$BRANCH" --title 'Update library submodules to the latest' --body 'Update library submodules to the latest' diff --git a/.github/workflows/version-updater.yml b/.github/workflows/version-updater.yml index 5c9f5469c9..40bd24b1e7 100644 --- a/.github/workflows/version-updater.yml +++ b/.github/workflows/version-updater.yml 
@@ -19,26 +19,35 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: ref: ${{ github.event.inputs.branch }} - name: Configure git identity run: | git config --global user.name "Version Updater" - name: Update source files with new version + env: + OLD_VERSION_NUMBER: ${{ github.event.inputs.old_version_number }} + NEW_VERSION_NUMBER: ${{ github.event.inputs.new_version_number }} run: | - grep -ilr ${{ github.event.inputs.old_version_number }} . | grep -Ev ".git|CHANGELOG.md|README.md|CONTRIBUTING.md" | xargs sed -i s/${{ github.event.inputs.old_version_number }}/${{ github.event.inputs.new_version_number }}/g + grep -ilr "$OLD_VERSION_NUMBER" . | grep -Ev ".git|CHANGELOG.md|README.md|CONTRIBUTING.md" | xargs sed -i s/"$OLD_VERSION_NUMBER"/"$NEW_VERSION_NUMBER"/g - name: Commit changes and Push to remote + env: + OLD_VERSION_NUMBER: ${{ github.event.inputs.old_version_number }} + NEW_VERSION_NUMBER: ${{ github.event.inputs.new_version_number }} run: | - git checkout -b updater-job/update-to-${{ github.event.inputs.new_version_number }} - git commit -am 'Update versioning in file from ${{ github.event.inputs.old_version_number }} to ${{ github.event.inputs.new_version_number }}' - git push --set-upstream origin updater-job/update-to-${{ github.event.inputs.new_version_number }} + git checkout -b updater-job/update-to-"$NEW_VERSION_NUMBER" + git commit -am "Update versioning in file from "$OLD_VERSION_NUMBER" to $NEW_VERSION_NUMBER" + git push --set-upstream origin updater-job/update-to-"$NEW_VERSION_NUMBER" - name: Raise a Pull-Request env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + OLD_VERSION_NUMBER: ${{ github.event.inputs.old_version_number }} + NEW_VERSION_NUMBER: ${{ github.event.inputs.new_version_number }} + BRANCH: ${{ github.event.inputs.branch }} run: | sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key 23F3D4EA75716059 sudo apt-add-repository https://cli.github.com/packages 
sudo apt update sudo apt-get install gh - gh pr create --base ${{ github.event.inputs.branch }} --title 'Update source file versioning to ${{ github.event.inputs.new_version_number }}' --body 'Updater-Job: PR to update versioning in source files from ${{ github.event.inputs.old_version_numver }} to ${{ github.event.inputs.new_version_number }}' + gh pr create --base "$BRANCH" --title "Update source file versioning to $NEW_VERSION_NUMBER" --body "Updater-Job: PR to update versioning in source files from $OLD_VERSION_NUMBER to $NEW_VERSION_NUMBER"
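Review bot: The new `git commit -am "Update versioning in file from "$OLD_VERSION_NUMBER" to $NEW_VERSION_NUMBER"` line in the 'Commit changes and Push to remote' step has nested double quotes, so the shell concatenates three words and `$OLD_VERSION_NUMBER` is actually unquoted in the middle, subject to word splitting and globbing; it should read `git commit -am "Update versioning in file from $OLD_VERSION_NUMBER to $NEW_VERSION_NUMBER"`. In the 'Update source files with new version' step the values also land in `grep -ilr "$OLD_VERSION_NUMBER"` and `sed -i s/"$OLD_VERSION_NUMBER"/"$NEW_VERSION_NUMBER"/g`, where quoting does not neutralize regex metacharacters, a `/` in either value, or an `&` in the replacement, so a strict format check at the top of that step (for example `[[ "$OLD_VERSION_NUMBER" =~ ^[0-9]+(\.[0-9]+)*$ && "$NEW_VERSION_NUMBER" =~ ^[0-9]+(\.[0-9]+)*$ ]] || exit 1`, adjusted to the project's version scheme) is worth adding. The `.` in a dotted version is regex syntax in both commands, which predates this change but is easy to tighten with `grep -F` for the search.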