e59a21752d
Potential fix for https://github.com/scylladb/scylladb/security/code-scanning/147. To fix the problem, add an explicit `permissions:` block to the workflow (either at the top level or inside the `trigger-jenkins` job) that constrains the `GITHUB_TOKEN` to the minimal necessary privileges. This codifies least-privilege in the workflow itself instead of relying on repository or organization defaults. The best minimal, non‑breaking change is to define a root‑level `permissions:` block with read‑only contents access because the job does not perform any write operations to the repository, nor does it interact with issues, pull requests, or other GitHub resources. A conservative, widely accepted baseline is `contents: read`. If later steps require more permissions, they can be added explicitly, but for this snippet, no such need is visible. Concretely, in `.github/workflows/trigger_jenkins.yaml`, insert: ```yaml permissions: contents: read ``` between the `name:` block and the `on:` block (e.g., after line 2). No additional methods, imports, or definitions are needed since this is a pure YAML configuration change and does not alter runtime behavior of the existing shell steps. Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Closes scylladb/scylladb#27815
54 lines
1.9 KiB
YAML
54 lines
1.9 KiB
YAML
name: Trigger next gating
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- next**
|
|
|
|
jobs:
|
|
trigger-jenkins:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Determine Jenkins Job Name
|
|
run: |
|
|
if [[ "${{ github.ref_name }}" == "next" ]]; then
|
|
FOLDER_NAME="scylla-master"
|
|
elif [[ "${{ github.ref_name }}" == "next-enterprise" ]]; then
|
|
FOLDER_NAME="scylla-enterprise"
|
|
else
|
|
VERSION=$(echo "${{ github.ref_name }}" | awk -F'-' '{print $2}')
|
|
if [[ "$VERSION" =~ ^202[0-4]\.[0-9]+$ ]]; then
|
|
FOLDER_NAME="enterprise-$VERSION"
|
|
elif [[ "$VERSION" =~ ^[0-9]+\.[0-9]+$ ]]; then
|
|
FOLDER_NAME="scylla-$VERSION"
|
|
fi
|
|
fi
|
|
echo "JOB_NAME=${FOLDER_NAME}/job/next" >> $GITHUB_ENV
|
|
|
|
- name: Trigger Jenkins Job
|
|
env:
|
|
JENKINS_USER: ${{ secrets.JENKINS_USERNAME }}
|
|
JENKINS_API_TOKEN: ${{ secrets.JENKINS_TOKEN }}
|
|
JENKINS_URL: "https://jenkins.scylladb.com"
|
|
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
|
|
run: |
|
|
echo "Triggering Jenkins Job: $JOB_NAME"
|
|
if ! curl -X POST "$JENKINS_URL/job/$JOB_NAME/buildWithParameters" --fail --user "$JENKINS_USER:$JENKINS_API_TOKEN" -i -v; then
|
|
echo "Error: Jenkins job trigger failed"
|
|
|
|
# Send Slack message
|
|
curl -X POST -H 'Content-type: application/json' \
|
|
-H "Authorization: Bearer $SLACK_BOT_TOKEN" \
|
|
--data '{
|
|
"channel": "#releng-team",
|
|
"text": "🚨 @here '$JOB_NAME' failed to be triggered, please check https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} for more details",
|
|
"icon_emoji": ":warning:"
|
|
}' \
|
|
https://slack.com/api/chat.postMessage
|
|
|
|
exit 1
|
|
fi
|