mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
05d38abc35
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.21 to 2.2.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>2.2.5 - 24 Feb 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.12.3. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1543">#1543</a></li> </ul> <h2>2.2.4 - 10 Feb 2023</h2> <p>No user facing changes.</p> <h2>2.2.3 - 08 Feb 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.12.2. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1518">#1518</a></li> </ul> <h2>2.2.2 - 06 Feb 2023</h2> <ul> <li>Fix an issue where customers using the CodeQL Action with the <a href="https://docs.github.com/en/enterprise-server@3.7/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-codeql-analysis-on-a-server-without-internet-access">CodeQL Action sync tool</a> would not be able to obtain the CodeQL tools. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1517">#1517</a></li> </ul> <h2>2.2.1 - 27 Jan 2023</h2> <p>No user facing changes.</p> <h2>2.2.0 - 26 Jan 2023</h2> <ul> <li>Improve stability when choosing the default version of CodeQL to use in code scanning workflow runs on Actions on GitHub.com. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1475">#1475</a> <ul> <li>This change addresses customer reports of code scanning alerts on GitHub.com being closed and reopened during the rollout of new versions of CodeQL in the GitHub Actions <a href="https://github.com/actions/runner-images">runner images</a>.</li> <li><strong>No change is required for the majority of workflows</strong>, including: <ul> <li>Workflows on GitHub.com hosted runners using the latest version (<code>v2</code>) of the CodeQL Action.</li> <li>Workflows on GitHub.com hosted runners that are pinned to specific versions of the CodeQL Action from <code>v2.2.0</code> onwards.</li> <li>Workflows on GitHub Enterprise Server.</li> </ul> </li> <li><strong>A change may be required</strong> for workflows on GitHub.com hosted runners that are pinned to specific versions of the CodeQL Action before <code>v2.2.0</code> (e.g. <code>v2.1.32</code>): <ul> <li>Previously, these workflows would obtain the latest version of CodeQL from the Actions runner image.</li> <li>Now, these workflows will download an older, compatible version of CodeQL from GitHub Releases. To use this older version, no change is required. To use the newest version of CodeQL, please update your workflows to reference the latest version of the CodeQL Action (<code>v2</code>).</li> </ul> </li> <li><strong>Internal changes</strong> <ul> <li>These changes will not affect the majority of code scanning workflows. Continue reading only if your workflow uses <a href="https://github.com/actions/toolkit/tree/main/packages/tool-cache"><code>@actions/tool-cache</code></a> or relies on the precise location of CodeQL within the Actions tool cache.</li> <li>The tool cache now contains <strong>two</strong> recent CodeQL versions (previously <strong>one</strong>).</li> <li>Each CodeQL version is located under a directory named after the release date and version number, e.g. CodeQL 2.11.6 is now located under <code>CodeQL/2.11.6-20221211/x64/codeql</code> (previously <code>CodeQL/0.0.0-20221211/x64/codeql</code>).</li> </ul> </li> </ul> </li> <li>The maximum number of <a href="https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#run-object">SARIF runs</a> per file has been increased from 15 to 20 for users uploading SARIF files to GitHub.com. This change will help ensure that Code Scanning can process SARIF files generated by third-party tools that have many runs. See the <a href="https://docs.github.com/en/rest/code-scanning#upload-an-analysis-as-sarif-data">GitHub API documentation</a> for a list of all the limits around uploading SARIF. This change will be released to GitHub Enterprise Server as part of GHES 3.9.</li> <li>Update default CodeQL bundle version to 2.12.1. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1498">#1498</a></li> <li>Fix a bug that forced the <code>init</code> Action to run for at least two minutes on JavaScript. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1494">#1494</a></li> </ul> <h2>2.1.39 - 18 Jan 2023</h2> <ul> <li>CodeQL Action v1 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v2. For more information, see <a href="https://github.blog/changelog/2023-01-18-code-scanning-codeql-action-v1-is-now-deprecated/">this changelog post</a>. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1466">#1467</a></li> <li>Python automatic dependency installation will no longer fail for projects using Poetry that specify <code>virtualenvs.options.no-pip = true</code> in their <code>poetry.toml</code>. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1431">#1431</a></li> <li>Avoid printing a stack trace and error message when the action fails to find the SHA at the</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|---|---|---|
| .. | ||
| config | ||
| build-and-push-fleetctl-docker.yml | ||
| build-binaries.yaml | ||
| build-orbit.yaml | ||
| codeql-analysis.yml | ||
| deploy-fleet-website.yml | ||
| docs.yml | ||
| dogfood-deploy.yml | ||
| fleet-and-orbit.yml | ||
| fleetctl-preview-latest.yml | ||
| fleetctl-preview.yml | ||
| generate-desktop-targets.yml | ||
| generate-nudge-targets.yml | ||
| generate-osqueryd-targets.yml | ||
| golangci-lint.yml | ||
| goreleaser-fleet.yaml | ||
| goreleaser-orbit.yaml | ||
| goreleaser-snapshot-fleet.yaml | ||
| integration.yml | ||
| pr-helm.yaml | ||
| push-osquery-perf-to-ecr.yml | ||
| README.md | ||
| release-helm.yaml | ||
| scorecards-analysis.yml | ||
| test-db-changes.yml | ||
| test-go.yaml | ||
| test-native-tooling-packaging.yml | ||
| test-packaging.yml | ||
| test-website.yml | ||
| test.yml | ||
| tfsec.yml | ||
| tfvalidate.yml | ||
| trivy_scan.yml | ||
| update-certs.yml | ||
Github Actions
Fleet uses Github Actions for continuous integration (CI). This document describes best practices and at patterns for writing and maintaining Fleet's Github Actions workflows.
Bash
By default, Github Actions sets the shell to bash -e for linux and MacOS runners. To help write
safer bash scripts in run jobs and avoid common issues, override the default by adding the following
to the workflow file
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
By specifying the default shell to bash, some extra flags are set. The option pipefail changes
the behaviour when using the pipe | operator such that if any command in a pipeline fails, that
commands return code will be used a the return code for the whole pipeline. Consider the following
example in test-go.yaml
- name: Run Go Tests
run: |
# omitted ...
make test-go 2>&1 | tee /tmp/gotest.log
If the pipefail option was not set, this job would always succeed because tee would always
return success. This is not the intended behavior. Instead, we want the job to fail if make test-go fails.
Concurrency
Github Action runners are limited. If a lot of workflows are queued, they will wait in pending until a runner becomes available. This has caused issue in the past where workflows take an excessively long time to start. To help with this issue, use the following in workflows
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
When a workflow is triggered via a pull request, it will cancel previous running workflows for that
pull request. This is especially useful when changes are pushed to a pull request frequently.
Manually triggered workflows, workflows that run on a schedule, and workflows triggered by pushes to
main are unaffected.