Master #20691
This workflow generates SLSA provenance files for the project, satisfying level 3 requirements.
This workflow automates the build and test process for a Go project on push and pull request events to the develop branch.
This workflow compiles a Go project using a SLSA3 compliant builder and generates a provenance file.
This workflow runs tests and publishes a Node.js package to GitHub Packages upon release creation.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…tion Co-authored-by: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com>
Co-authored-by: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com>
Co-authored-by: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com>
Co-authored-by: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com>
Pull request overview
This PR introduces several GitHub Actions workflows for CI/CD automation and updates existing deployment management workflows. The changes add support for Go builds, npm package publishing, SLSA provenance generation, and improve the develop branch sync mechanism with validation and force-push capabilities.
Key changes:
- Added new workflows for Go CI/CD, npm publishing to GitHub Packages, and SLSA3-compliant provenance generation
- Enhanced the develop branch sync workflow with branch validation and force-push capability
- Optimized deployment cleanup to run hourly instead of every 10 minutes with improved permissions and concurrency controls
- Added comprehensive setup documentation for the sync workflow
- Improved the delete-deployments action with input validation, better pnpm setup, and GitHub branding corrections
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| `.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml` | Added branch validation step and force-push capability; changed from persist-credentials to GITHUB_TOKEN |
| `.github/workflows/npm-publish-github-packages.yml` | New workflow for publishing npm packages to GitHub Packages on release |
| `.github/workflows/go.yml` | New workflow for building and testing Go projects on develop branch |
| `.github/workflows/go-ossf-slsa3-publish.yml` | New workflow for SLSA3-compliant Go binary releases with provenance |
| `.github/workflows/generator-generic-ossf-slsa3-publish.yml` | New workflow for generating SLSA provenance for generic artifacts |
| `.github/workflows/delete-deployments.yml` | Reduced cleanup frequency to hourly, added permissions, concurrency controls, and ref parameter |
| `.github/workflows/SYNC_DEVELOP_SETUP.md` | New documentation guide for setting up the develop sync workflow with PAT token instructions |
| `.github/actions/delete-deployments/action.yml` | Added input validation, improved pnpm setup via Corepack, fixed GitHub branding, and added environment normalization |
| echo "upstream has develop at $COMMIT_HASH_UPSTREAM. origin has develop at $COMMIT_HASH_ORIGIN. Syncing..." | ||
| git fetch upstream | ||
| git push origin upstream/develop:develop | ||
| git push origin upstream/develop:develop --force |
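Review bot: the added `--force` on the last line discards any commits on origin's `develop` that are not in `upstream/develop`, and it does so even if origin moved between the hash check echoed on the first line and the push. If a non-fast-forward update is genuinely required, `git push origin upstream/develop:develop --force-with-lease=develop:"$COMMIT_HASH_ORIGIN"` makes the push fail whenever origin's `develop` is no longer at the hash the script just read; otherwise a plain fast-forward push with a `merge-base --is-ancestor` guard is the safer default for a mirror job.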
Copilot
AI
Dec 28, 2025
Using --force flag on git push is dangerous and can result in data loss. This will forcibly overwrite the develop branch in the origin repository, potentially discarding commits that exist in the fork but not in upstream. Consider using a safer approach like checking if the push can be fast-forwarded first, or at least documenting why force push is necessary.
| git push origin upstream/develop:develop --force | |
| git fetch origin | |
| UPSTREAM_REF="upstream/develop" | |
| ORIGIN_REF="origin/develop" | |
| if git merge-base --is-ancestor "$ORIGIN_REF" "$UPSTREAM_REF"; then | |
| echo "origin/develop is behind or equal to upstream/develop. Performing fast-forward push." | |
| git push origin "$UPSTREAM_REF:develop" | |
| else | |
| echo "origin/develop contains commits not present in upstream/develop. Refusing to overwrite origin with a force push." | |
| echo "Please reconcile the branches manually before re-running this workflow." | |
| exit 1 | |
| fi |
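Review bot: the `else` branch conflates "not an ancestor" with "command failed": `git merge-base --is-ancestor` exits 1 when `$ORIGIN_REF` is not an ancestor but exits with another non-zero status when either ref cannot be resolved (for example on a fork whose `develop` does not yet exist), and both cases print the "contains commits not present in upstream" message. Verify both refs first with `git rev-parse --verify "$ORIGIN_REF"` and `git rev-parse --verify "$UPSTREAM_REF"`, and report a resolution failure separately from a divergence.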
| - name: Set up Go | ||
| uses: actions/setup-go@v4 | ||
| with: | ||
| go-version: '1.20' |
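Review bot: hard-coding `go-version: '1.20'` pins CI to a toolchain that no longer receives security fixes and will drift from the module's `go` directive; `actions/setup-go@v4` accepts `go-version-file: go.mod`, which keeps the build toolchain tied to what the module declares. While here, consider pinning `actions/setup-go` to a full commit SHA rather than the mutable `@v4` tag, as is usual for a workflow whose outputs feed a provenance pipeline.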
Copilot
AI
Dec 28, 2025
Go version 1.20 may be outdated depending on the project requirements. Go 1.20 reached end of life in February 2024. Consider using a more recent version like 1.21 or later, or make this configurable if the project has specific version requirements.
| go-version: '1.20' | |
| go-version: '1.21.x' |
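Review bot: `'1.21.x'` is also outside the Go support window (only the two most recent major releases receive security fixes), so this suggestion does not resolve the end-of-life concern it responds to; reading the version from `go.mod` via `go-version-file` avoids hard-coding a release that ages out again.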
| actions: read # To read workflow path. | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0 | ||
| with: | ||
| go-version: 1.17 |
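Review bot: the builder reference `@v1.4.0` and `go-version: 1.17` are both old and should be updated together, since the SLSA Go builder itself is part of the trusted build path and the version of the generator that ran is recorded in the provenance that consumers verify. Also quote the version (`'1.17'`): an unquoted value is parsed as a YAML float, so a later edit to `1.20` would be passed to the builder as `1.2`.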
Copilot
AI
Dec 28, 2025
Go version 1.17 is significantly outdated and has been out of support since August 2022. This could introduce security vulnerabilities and prevent the use of modern Go features. Consider updating to a more recent Go version (1.21 or later) that is actively maintained.
| go-version: 1.17 | |
| go-version: '1.21' |
| - name: Run deployment deleter | ||
| shell: bash | ||
| run: pnpm start | ||
| working-directory: "./.github/actions/delete-deployments" | ||
| env: | ||
| NUM_OF_PAGES: ${{ inputs.num-of-pages }} | ||
| STARTING_PAGE: ${{ inputs.starting-page }} | ||
| GITHUB_TOKEN: ${{ inputs.github-token }} | ||
| ENVIRONMENT: ${{ inputs.environment }} | ||
| ENVIRONMENT_NORMALIZED: ${{ env.ENVIRONMENT_NORMALIZED }} | ||
| REF: ${{ inputs.ref }} | ||
| DRY_RUN: ${{ inputs.dry-run }} | ||
| OWNER: ${{ inputs.owner }} | ||
| REPOSITORY: ${{ inputs.repository }} | ||
| working-directory: "./.github/actions/delete-deployments" | ||
| run: pnpm start |
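Review bot: the two added lines at the bottom (`working-directory` and `run: pnpm start`) duplicate keys that the same step already has three lines earlier in the unchanged context, producing duplicate mapping keys in one step; GitHub's workflow parser rejects duplicate keys, so the action will fail validation rather than merely read oddly. Delete the trailing pair and keep the original `shell`/`run`/`working-directory` block.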
Copilot
AI
Dec 28, 2025
The working-directory is specified after the run command. According to GitHub Actions syntax, working-directory should be at the same level as 'run' and 'shell', not after it. This ordering could cause confusion or potentially fail depending on the YAML parser.
| build: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| - run: npm ci | ||
|
|
||
| publish-gpr: | ||
| needs: build |
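Review bot: `needs: build` is the only coupling between the two jobs, and the `build` job does nothing beyond `npm ci`, so it gates the publish on nothing (a failing install would fail `publish-gpr` on its own). If the intent stated in the commit message is that tests run before publishing, add `- run: npm test` after `npm ci` so the dependency is meaningful; otherwise drop the job. The `actions/checkout@v4` and `actions/setup-node@v4` references would also be better pinned to full commit SHAs in a workflow that publishes a package.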
Copilot
AI
Dec 28, 2025
The build job runs 'npm ci' but doesn't preserve the installed node_modules for the publish-gpr job that follows. This means publish-gpr will have to reinstall all dependencies again, making the separate build job unnecessary. Either remove the build job entirely and just have the publish-gpr job, or use actions/cache or artifacts to share the node_modules between jobs.
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| - run: npm ci | |
| publish-gpr: | |
| needs: build | |
| publish-gpr: |
| - uses: actions/checkout@v4 | ||
| with: | ||
| persist-credentials: false | ||
| token: ${{ secrets.GITHUB_TOKEN }} |
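Review bot: `persist-credentials: false` together with `token:` means the token is used for the clone only and is not written to `.git/config`, so the later `git push origin` steps in this workflow will have no credentials unless the push step supplies them explicitly; confirm that it does. Separately, pushes made with `GITHUB_TOKEN` do not trigger other workflows, so a sync performed with it will not start the `go.yml` run that listens for pushes to `develop`.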
Copilot
AI
Dec 28, 2025
The workflow uses the default GITHUB_TOKEN instead of requiring a PAT_TOKEN, but the documentation in SYNC_DEVELOP_SETUP.md states that a PAT_TOKEN is required. This creates a mismatch between the code and documentation. Either update the workflow to use secrets.PAT_TOKEN (if elevated permissions are needed for pushing to protected branches), or update the documentation to reflect that GITHUB_TOKEN is sufficient.
| token: ${{ secrets.GITHUB_TOKEN }} | |
| token: ${{ secrets.PAT_TOKEN }} |
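Review bot: if a PAT is introduced here, scope it to the minimum the sync needs: a fine-grained token restricted to this fork with Contents read/write only, stored as a repository secret and given an expiry. A classic `repo`-scoped PAT would grant this scheduled job write access to every repository the token owner can reach.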
| owner: | ||
| required: false | ||
| description: Repository owner (derived automatically) | ||
| default: ${{ github.repository_owner }} |
Copilot
AI
Dec 28, 2025
The 'owner' input is defined but never used in the script. The OWNER environment variable is set from inputs.owner but it's redundant since github.repository_owner is already available. Consider removing this input if it's not needed, or document its purpose if it serves a specific use case.
|
|
||
| ## Overview | ||
|
|
||
| The `sync-develop-from-smartcontractkit-chainlink.yml` workflow automatically syncs the `develop` branch from the upstream repository (`smartcontractkit/chainlink`) to your fork every 30 minutes. |
Copilot
AI
Dec 28, 2025
The documentation states that the workflow runs "every 30 minutes", but the actual cron schedule in the workflow file is "0 * * * *" which runs hourly. Update the documentation to reflect the correct hourly schedule.
|
|
||
| ### Step 3: Verify the Setup | ||
|
|
||
| After adding the secret, the workflow will automatically use it on the next scheduled run (every 30 minutes). |
Copilot
AI
Dec 28, 2025
The documentation states that the workflow runs "every 30 minutes" again in Step 3, but the actual schedule is hourly. Update this reference to match the actual cron schedule.
|
|
||
| jobs: | ||
| # ======================================================================================================================================== | ||
| # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. |
Copilot
AI
Dec 28, 2025
Typo in comment - "Prerequesite" should be "Prerequisite".
| # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. | |
| # Prerequisite: Create a .slsa-goreleaser.yml in the root directory of your project. |