Fix: Resolve Checkov CKV2_GHA_1 error by setting root permissions for workflows (closes #3026) #3032
Conversation
andrewvaughan
requested review from
nvuillam,
echoix,
bdovaz and
Kurt-von-Laven
as code owners
|
Wow! I like that style! It's not rare to have questions from new users that would have needed these kind of hints, either on usage or configuration. |
With all due respect, not according to Edit: Though works just as well, and is perhaps more readable. |
Thanks! If you like my documentation design, you might like my https://github.com/andrewvaughan/template-core project. I've been revamping it the past week or so. |
You're absolutely right and was a misunderstanding of how I understood |
|
I think there will be missing to sync up the other files and I'll take a new look |
mega-linter-runner/generators/mega-linter/templates/mega-linter.yml
Outdated
Show resolved
Hide resolved
I've been thinking on this further... I think keeping the more readable version: Has one major benefit - it's super easy to understand what's going on there. I do quite a bit with GitHub Actions programming and even I missed exactly what was going on with the Either way, it's your call, but if you could please make a proposed change (if any) for the files as to how you'd like it to look, I'll accept them. Thanks! |
|
QQ for the maintainers - I haven't been super verbose with my commit message when accepting proposals. Do you want me to squash those commits when we've resolved all conversations, or is that something you'll manage during acceptance of the PR? |
|
It'll be a squashed commit at the end... so it doesn't really matter. You always could pre-squash them if you'd like, you'd be one of the first to do it, but the committing style hasn't been held to a high standard here yet. |
I agree with the second though, going with the explicit boolean expression that any programmer should be able to figure out without any docs. |
I'll let y'all do it so you can determine what messages are helpful and what aren't. My SDLc actually asks people not to pre-squash for that reason. |
andrewvaughan
force-pushed
the
bug/3026/checkov-CKV2_GHA_1
branch
from
febce26 to
aa96d18
Compare
|
Just rebased the branch from |
I found out that we can use github.ref == format('refs/heads/{0}', github.event.repository.default_branch)instead of specifying what is the default branch in a or condition, What do you think? |
mega-linter-runner/generators/mega-linter/templates/mega-linter.yml
Outdated
Show resolved
Hide resolved
| # Uncomment to disable copy-paste and spell checks | ||
| # DISABLE: COPYPASTE,SPELL | ||
|
|
There was a problem hiding this comment.
| # Uncomment to disable copy-paste and spell checks | |
| # DISABLE: COPYPASTE,SPELL |
To match mega-linter-runner/generators/mega-linter/templates/mega-linter.yml
The other file doesn't have these 3 lines. to discuss
| # By default, Megalinter runs whenever a Pull Request is opened with the default | ||
| # branch, or on any push. | ||
| # | ||
| # Later logic enforces a full code-wide test on only the `production` and | ||
| # `staging` Branches. The default Branch only has changed files linted for | ||
| # efficiency. | ||
| # |
There was a problem hiding this comment.
This is different from the template. The template has:
##
# This `env` section can be entirely removed or commented out if you do not wish
# for fixes to be applied during the MegaLinter run.
#
# More info at:
# https://docs.github.com/en/actions/learn-github-actions/contexts#env-context
I had something like this originally, but read that default branch is not available in the |
Oh, let me continue testing it myself in my fork, since some older stackoverflow posts are outdated, since has made some updates over time, ie it wasn't available for scheduled events, but it is now. |
|
/build
|
| @@ -118,13 +118,15 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l | |||
| - Fixes | |||
| - build.py: Remove exclusivity between pip, gem & cargo packages | |||
| - Salesforce linters: Switch sfdx-cli to @salesforce/cli | |||
| - Set default permissions to all workflows to `read-all` to increase security and prevent Checkov `CKV2_GHA_1` errors, by @andrewvaughan in [#3032](https://github.com/oxsecurity/megalinter/pull/3032) | |||
There was a problem hiding this comment.
Should move back to next version
| - Fixed issue with `actionlint` throwing an error on `if` statements in the generated workflow file | ||
| - Added default `.devskim.json` to mitigate errors introduced when no config exists | ||
|
|
||
| - Doc | ||
| - Display list of articles from newest to oldest | ||
| - Fix incorrect environment variable in djlint docs | ||
| - Improve lychee documentation to add an example of `.lycheeignore` | ||
| - Improved commenting in `.mega-linter.yml` file to help new users configure the GitHub workflow more effectively |
There was a problem hiding this comment.
Should move to next version
| @@ -113,61 +258,91 @@ jobs: | |||
| megalinter-reports | |||
| mega-linter.log | |||
|
|
|||
| # Set APPLY_FIXES_IF var for use in future steps | |||
There was a problem hiding this comment.
Please freshen this PR from main, so we don't undo #2957 's changes.
| - name: Create Pull Request with applied fixes | ||
| uses: peter-evans/create-pull-request@v5 | ||
| id: cpr | ||
| if: env.APPLY_FIXES_IF_PR == 'true' |
| with: | ||
| token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} | ||
| commit-message: "[MegaLinter] Apply linters automatic fixes" | ||
| title: "[MegaLinter] Apply linters automatic fixes" | ||
| labels: bot | ||
|
|
||
| - name: Create PR output | ||
| if: env.APPLY_FIXES_IF_PR == 'true' |
| - name: Prepare commit | ||
| if: env.APPLY_FIXES_IF_COMMIT == 'true' |
| run: sudo chown -Rc $UID .git/ | ||
|
|
||
| - name: Commit and push applied linter fixes | ||
| uses: stefanzweifel/git-auto-commit-action@v5 |
There was a problem hiding this comment.
Please freshen from main, as the action's version is being downgraded from v5 to v4.
| @@ -113,61 +265,91 @@ jobs: | |||
| megalinter-reports | |||
| mega-linter.log | |||
|
|
|||
| # Set APPLY_FIXES_IF var for use in future steps | |||
| run: sudo chown -Rc $UID .git/ | ||
|
|
||
| - name: Commit and push applied linter fixes | ||
| uses: stefanzweifel/git-auto-commit-action@v5 |
There was a problem hiding this comment.
Please freshen from main per s/v5/v4/
| @@ -34,7 +34,7 @@ FROM yoheimuta/protolint:latest as protolint | |||
| FROM golang:alpine as dustilock | |||
| RUN GOBIN=/usr/bin go install github.com/checkmarx/[email protected] | |||
|
|
|||
| FROM zricethezav/gitleaks:v8.18.1 as gitleaks | |||
There was a problem hiding this comment.
Please freshen from main per s/1/0/
| @@ -108,61 +264,87 @@ jobs: | |||
| megalinter-reports | |||
| mega-linter.log | |||
|
|
|||
| # Set APPLY_FIXES_IF var for use in future steps | |||
There was a problem hiding this comment.
Freshen this PR from main to avoid undoing #2957
|
After #3143, I think we're finally ready to tackle this, as the last release is now done, and the needed fixes to main (and the docs) will be finished. |
|
@echoix you can merge this one once you are confident of its content :) (looks promising but you investigated it more than i did ^^ ) |
|
It will need a little manual work of fixing conflicts, and it seems a bad merge (or outdated starting point) reverted some changes of a previous PR. As the potential breaking changes would be limited to new users generating a new workflow, I don't think it's really a problem, since there was nothing to break to begin with. If users would want to recreate their workflow by trying again and incorporating their changes back, it's ok, and that's how I expect a template generator to work. |
|
And a title that better describes what that PR ended up being :) |
|
Any update on this fix ? |
Fixes #3026
Proposed Changes
Adds
permissions: read-allto resolve Issue Reduce generated permissions toread-allat top level for generated workflow file #3026Resolves a logical error I found in some of the
.mega-linter.ymlfilesSpecifically, this:
This is intended to match both
refs/heads/mainandrefs/heads/masteras a shorthand for an or-statement, but it will also match branches likerefs/head/main-stagingorrefs/head/masterfoobarwhich isn't intended. I've reverted these to a proper, explicit or statement..mega-linter.ymlfilesI have improved commenting within the configuration files to provide new users better resources
and information on what the files are for.
I've separated item 1 above from the rest into two commits, that way if the other changes are not of interest, we can just commit the
permissionschanges from issue #3026.Readiness Checklist
Author/Contributor
Reviewing Maintainer
breakingif this is a large fundamental changeautomation,bug,documentation,enhancement,infrastructure, orperformance