From d39b4232b02261e85377ef8e8966c4f989e2f47a Mon Sep 17 00:00:00 2001 From: David Bickford Date: Tue, 31 Mar 2026 11:41:34 -0400 Subject: [PATCH 1/3] Add if:always to artifact uploads, fix cache restore-keys, fix test workflow --- .github/workflows/test.yml | 2 +- ruby/deps/action.yml | 2 +- ruby/lint/action.yml | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index bb7e052..ea8aff5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -28,4 +28,4 @@ jobs: - uses: actions/checkout@v6 - uses: ./ with: - milliseconds: 1000 + job_status: ${{ job.status }} diff --git a/ruby/deps/action.yml b/ruby/deps/action.yml index 8e90f35..72913a0 100644 --- a/ruby/deps/action.yml +++ b/ruby/deps/action.yml @@ -15,7 +15,7 @@ runs: with: path: vendor/bundle key: rails-${{ hashFiles('Gemfile.lock') }} - restore-keys: rails-${{ hashFiles('Gemfile.lock') }} + restore-keys: rails- - name: Bundle install if: steps.bundle-cache.outputs.cache-hit != 'true' shell: bash diff --git a/ruby/lint/action.yml b/ruby/lint/action.yml index be3966f..366d901 100644 --- a/ruby/lint/action.yml +++ b/ruby/lint/action.yml @@ -18,6 +18,7 @@ runs: env: BUNDLE_DEPLOYMENT: true - name: 'Upload rubocop results' + if: always() uses: actions/upload-artifact@v6 with: name: "${{ github.sha }}-lint-results.out" From 65476ea68c7457ff9e790c3776e34da3f48d2046 Mon Sep 17 00:00:00 2001 From: David Bickford Date: Tue, 31 Mar 2026 13:22:20 -0400 Subject: [PATCH 2/3] Replace eval with bash array in EKS deploy step --- deploy/eks/action.yml | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/deploy/eks/action.yml b/deploy/eks/action.yml index 3893fbb..fc5d058 100644 --- a/deploy/eks/action.yml +++ b/deploy/eks/action.yml @@ -45,8 +45,12 @@ runs: uses: wishabi/github-actions/common/branch-info@v0 - name: Validate AWS credentials input shell: bash + env: + AWS_ROLE_ARN_INPUT: ${{ inputs.AWS_ROLE_ARN }} + AWS_ACCESS_KEY_ID_INPUT: ${{ inputs.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY_INPUT: ${{ inputs.AWS_SECRET_ACCESS_KEY }} run: | - if [ -z "${{ inputs.AWS_ROLE_ARN }}" ] && { [ -z "${{ inputs.AWS_ACCESS_KEY_ID }}" ] || [ -z "${{ inputs.AWS_SECRET_ACCESS_KEY }}" ]; }; then + if [ -z "$AWS_ROLE_ARN_INPUT" ] && { [ -z "$AWS_ACCESS_KEY_ID_INPUT" ] || [ -z "$AWS_SECRET_ACCESS_KEY_INPUT" ]; }; then echo "::error::Either AWS_ROLE_ARN (IAM auth) or both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (static auth) must be provided." exit 1 fi @@ -67,26 +71,31 @@ runs: - name: Cleaning workspace if: ${{ inputs.CLEAN_WORKSPACE == 'true' }} shell: bash - run: shopt -s dotglob && rm -rf "${{ github.workspace }}"/* + run: shopt -s dotglob && rm -rf "$GITHUB_WORKSPACE"/* - name: Restoring workspace from cache uses: wishabi/github-actions/cache@v0 - name: Deploying to EKS via Helm release shell: bash + env: + DEPLOY_ENV: ${{ inputs.ENV }} + DEPLOY_TIMEOUT: ${{ inputs.TIMEOUT }} + DEPLOY_ATOMIC: ${{ inputs.ATOMIC }} run: | - cmd="chmod +x ./deploy/build.sh && ./deploy/build.sh service deploy_eks --env=${{ inputs.ENV }}" + chmod +x ./deploy/build.sh + cmd=(./deploy/build.sh service deploy_eks --env="$DEPLOY_ENV") # Check if TIMEOUT is set and provide it as a flag - if [ -n "${{ inputs.TIMEOUT }}" ]; then - cmd="${cmd} --timeout=${{ inputs.TIMEOUT }}" + if [ -n "$DEPLOY_TIMEOUT" ]; then + cmd+=(--timeout="$DEPLOY_TIMEOUT") fi - # Check if ATOMIC is set and provide it as a flag - if [ -n "${{ inputs.ATOMIC }}" ]; then - cmd="${cmd} --atomic=${{ inputs.ATOMIC }}" + # Check if ATOMIC is set and provide it as a flag + if [ -n "$DEPLOY_ATOMIC" ]; then + cmd+=(--atomic="$DEPLOY_ATOMIC") fi # Execute command - eval $cmd + "${cmd[@]}" - name: Notify slack channel on success if: success() && inputs.SLACK_SUCCESS_CHANNEL_ID != '' uses: slackapi/slack-github-action@v1.27.1 From 84edceec338bbe5b5a5c7890bf7ebc449a720deb Mon Sep 17 00:00:00 2001 From: David Bickford Date: Tue, 31 Mar 2026 13:31:23 -0400 Subject: [PATCH 3/3] Move expressions from run blocks to env vars for injection hardening --- .github/workflows/main-version-update.yml | 9 +++++++-- common/branch-info/action.yml | 10 +++++++--- deploy/lambda/go/action.yml | 9 ++++++--- go/configure/action.yml | 4 +++- go/deps/action.yml | 10 ++++++---- go/lint/action.yml | 10 +++++++--- go/smoke-test/action.yml | 4 +++- go/test/action.yml | 8 +++++++- go/test/test.sh | 6 +++--- ruby/test/action.yml | 4 +++- ruby/validation/schema/action.yml | 4 +++- ruby/validation/topic/action.yml | 7 +++++-- 12 files changed, 60 insertions(+), 25 deletions(-) diff --git a/.github/workflows/main-version-update.yml b/.github/workflows/main-version-update.yml index 5cf3699..b2263f2 100644 --- a/.github/workflows/main-version-update.yml +++ b/.github/workflows/main-version-update.yml @@ -25,6 +25,11 @@ jobs: git config user.name flipp-bot git config user.email flipp-bot@flipp.com - name: Tag new target - run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }} + env: + MAJOR_VERSION: ${{ github.event.inputs.major_version }} + TARGET_REF: ${{ github.event.inputs.target }} + run: git tag -f "$MAJOR_VERSION" "$TARGET_REF" - name: Push new tag - run: git push origin ${{ github.event.inputs.major_version }} --force + env: + MAJOR_VERSION: ${{ github.event.inputs.major_version }} + run: git push origin "$MAJOR_VERSION" --force diff --git a/common/branch-info/action.yml b/common/branch-info/action.yml index cff7832..9d6e9d2 100644 --- a/common/branch-info/action.yml +++ b/common/branch-info/action.yml @@ -15,11 +15,15 @@ runs: - name: Set branch variable id: set-branch shell: bash + env: + EVENT_NAME: ${{ github.event_name }} + PR_HEAD_REF: ${{ github.event.pull_request.head.ref }} + GIT_REF: ${{ github.ref }} run: | - if [ "${{ github.event_name }}" == "pull_request" ]; then - branch="${{ github.event.pull_request.head.ref }}" + if [ "$EVENT_NAME" == "pull_request" ]; then + branch="$PR_HEAD_REF" else - branch="${{ github.ref }}" + branch="$GIT_REF" branch="${branch#refs/heads/}" fi echo "branch=${branch}" >> $GITHUB_OUTPUT diff --git a/deploy/lambda/go/action.yml b/deploy/lambda/go/action.yml index 8b2364c..6eab4d5 100644 --- a/deploy/lambda/go/action.yml +++ b/deploy/lambda/go/action.yml @@ -16,15 +16,18 @@ runs: - uses: actions/checkout@v6 - name: Cleaning workspace shell: bash - run: shopt -s dotglob && rm -rf "${{ github.workspace }}"/* + run: shopt -s dotglob && rm -rf "$GITHUB_WORKSPACE"/* - name: Restoring workspace from cache uses: wishabi/github-actions/cache@v0 - name: Building lambda function for deployment shell: bash + env: + LAMBDA_DIR: ${{ inputs.LAMBDA_FUNCTION_DIRECTORY }} run: | - go build -o ${{ inputs.LAMBDA_FUNCTION_DIRECTORY }}/main ${{ inputs.LAMBDA_FUNCTION_DIRECTORY }}/main.go + go build -o "$LAMBDA_DIR/main" "$LAMBDA_DIR/main.go" - name: Deploying to Lambda shell: bash + env: + DEPLOY_ENV: ${{ inputs.ENV }} run: | - export DEPLOY_ENV=${{ inputs.ENV }} chmod +x ./deploy/build.sh && ./deploy/build.sh service diff --git a/go/configure/action.yml b/go/configure/action.yml index 0c8594e..65f6e57 100644 --- a/go/configure/action.yml +++ b/go/configure/action.yml @@ -25,7 +25,9 @@ runs: fetch-depth: ${{ inputs.FETCH_DEPTH }} - name: Setting up private modules access shell: bash - run: git config --global url."https://${{ inputs.FLIPPCIRCLECIPULLER_REPO_TOKEN }}:x-oauth-basic@github.com/wishabi".insteadOf "https://github.com/wishabi" + env: + REPO_TOKEN: ${{ inputs.FLIPPCIRCLECIPULLER_REPO_TOKEN }} + run: git config --global url."https://$REPO_TOKEN:x-oauth-basic@github.com/wishabi".insteadOf "https://github.com/wishabi" - name: Grab buf version if: ${{ hashFiles('.tool-versions') != '' }} run: | diff --git a/go/deps/action.yml b/go/deps/action.yml index c37d2ea..d1da375 100644 --- a/go/deps/action.yml +++ b/go/deps/action.yml @@ -27,7 +27,7 @@ runs: with: path: vendor key: vendor-cache-${{ hashFiles('go.mod','go.sum') }} - restore-keys: vendor-cache-${{ hashFiles('go.mod','go.sum') }} + restore-keys: vendor-cache- - name: Generating protobuf code if: ${{ hashFiles('buf.gen.yaml') != '' }} run: buf generate @@ -47,7 +47,7 @@ runs: eval "$CODE_GEN_COMMANDS" env: CODE_GEN_COMMANDS: ${{ inputs.CODE_GEN_COMMANDS }} - - name: Setting up private modules access + - name: Tidy and vendor modules if: steps.vendor-cache.outputs.cache-hit != 'true' shell: bash run: | @@ -60,13 +60,15 @@ runs: run: go generate ./... shell: bash - name: Grab mockery version + env: + MOCKERY_VERSION: ${{ inputs.MOCKERY_INSTALL_VERSION }} run: | # Default to empty version and v1 config MOCKERY_INSTALL_VERSION="" # Check for MOCKERY_INSTALL_VERSION input - if [ -n "${{ inputs.MOCKERY_INSTALL_VERSION }}" ]; then - MOCKERY_INSTALL_VERSION="${{ inputs.MOCKERY_INSTALL_VERSION }}" + if [ -n "$MOCKERY_VERSION" ]; then + MOCKERY_INSTALL_VERSION="$MOCKERY_VERSION" echo "Using MOCKERY_INSTALL_VERSION=${MOCKERY_INSTALL_VERSION} from input" fi diff --git a/go/lint/action.yml b/go/lint/action.yml index 2b3aac6..d635c48 100644 --- a/go/lint/action.yml +++ b/go/lint/action.yml @@ -45,16 +45,20 @@ runs: FLIPPCIRCLECIPULLER_REPO_TOKEN: ${{ inputs.FLIPPCIRCLECIPULLER_REPO_TOKEN }} - name: Setup safe directory shell: bash - run: git config --global --add safe.directory ${{ inputs.WORKSPACE || github.workspace }} + env: + LINT_WORKSPACE: ${{ inputs.WORKSPACE || github.workspace }} + run: git config --global --add safe.directory "$LINT_WORKSPACE" - name: Determine golangci-lint and config version + env: + LINT_VERSION: ${{ inputs.GOLANG_CI_LINT_VERSION }} run: | # Default to empty version and v1 config GOLANGCI_LINT_VERSION="" IS_V2=false # Check for GOLANG_CI_LINT_VERSION input - if [ -n "${{ inputs.GOLANG_CI_LINT_VERSION }}" ]; then - GOLANGCI_LINT_VERSION="${{ inputs.GOLANG_CI_LINT_VERSION }}" + if [ -n "$LINT_VERSION" ]; then + GOLANGCI_LINT_VERSION="$LINT_VERSION" echo "Using GOLANG_CI_LINT_VERSION=${GOLANGCI_LINT_VERSION} from input" fi diff --git a/go/smoke-test/action.yml b/go/smoke-test/action.yml index 9be047b..b6cdd25 100644 --- a/go/smoke-test/action.yml +++ b/go/smoke-test/action.yml @@ -69,9 +69,11 @@ runs: fi - name: Rollback on failure if: failure() && inputs.ROLLBACK_ON_FAIL == 'true' + env: + DEPLOY_ENV: ${{ inputs.ENV }} run: | echo "WARNING: Rolling back service" - chmod +x ./deploy/build.sh && ./deploy/build.sh service rollback --env=${{ inputs.ENV }} + chmod +x ./deploy/build.sh && ./deploy/build.sh service rollback --env="$DEPLOY_ENV" shell: bash - name: Notify slack channel on failure if: failure() && inputs.SLACK_CHANNEL_ID != '' diff --git a/go/test/action.yml b/go/test/action.yml index d076c06..4ca10f7 100644 --- a/go/test/action.yml +++ b/go/test/action.yml @@ -23,7 +23,11 @@ runs: steps: - name: Running go tests shell: bash - run: ${GITHUB_ACTION_PATH}/test.sh "${{ inputs.TAGS }}" "${{ inputs.TIMEOUT }}" "${{ inputs.PARALLEL }}" + env: + TEST_TAGS: ${{ inputs.TAGS }} + TEST_TIMEOUT: ${{ inputs.TIMEOUT }} + TEST_PARALLEL: ${{ inputs.PARALLEL }} + run: ${GITHUB_ACTION_PATH}/test.sh - name: Write test summary if: always() shell: bash @@ -51,12 +55,14 @@ runs: echo "> **Warning:** No test report found" >> $GITHUB_STEP_SUMMARY fi - name: Uploading test report + if: always() uses: actions/upload-artifact@v6 with: name: "${{ github.sha }}-test-report.out" path: "./test-report.out" retention-days: ${{ inputs.ARTIFACT_RETENTION_DAYS }} - name: Uploading coverage report + if: always() uses: actions/upload-artifact@v6 with: name: "${{ github.sha }}-coverage.out" diff --git a/go/test/test.sh b/go/test/test.sh index cd0fde1..63e01cd 100755 --- a/go/test/test.sh +++ b/go/test/test.sh @@ -1,9 +1,9 @@ #! /bin/bash set -eu -TAGS=${1:-} -TIMEOUT=${2:-} -PARALLEL=${3:-} +TAGS=${TEST_TAGS:-} +TIMEOUT=${TEST_TIMEOUT:-} +PARALLEL=${TEST_PARALLEL:-true} cmd="go test -v ./... -coverprofile=coverage.out" diff --git a/ruby/test/action.yml b/ruby/test/action.yml index c203010..13f88b6 100644 --- a/ruby/test/action.yml +++ b/ruby/test/action.yml @@ -61,14 +61,16 @@ runs: working-directory: ./coverage shell: bash run: | - sed -i 's@${{ env.ROOT_PATH }}''@/github/workspace/@g' coverage.json + sed -i "s@${ROOT_PATH}@/github/workspace/@g" coverage.json - name: 'Upload coverage' + if: always() uses: actions/upload-artifact@v6 with: name: ${{ github.sha }}-coverage.out path: ./coverage/coverage.json retention-days: ${{ inputs.ARTIFACT_RETENTION_DAYS }} - name: 'Upload test results' + if: always() uses: actions/upload-artifact@v6 with: name: ${{ github.sha }}-test-report.out diff --git a/ruby/validation/schema/action.yml b/ruby/validation/schema/action.yml index 8f21714..fc48d1b 100644 --- a/ruby/validation/schema/action.yml +++ b/ruby/validation/schema/action.yml @@ -22,5 +22,7 @@ runs: BUNDLE_DEPLOYMENT: true - name: Schema validation shell: bash + env: + VALIDATION_ENV: ${{ inputs.ENV }} run: | - chmod +x ./deploy/build.sh && ./deploy/build.sh service schema_validation --env=${{ inputs.ENV }} + chmod +x ./deploy/build.sh && ./deploy/build.sh service schema_validation --env="$VALIDATION_ENV" diff --git a/ruby/validation/topic/action.yml b/ruby/validation/topic/action.yml index 45050d5..068e6b3 100644 --- a/ruby/validation/topic/action.yml +++ b/ruby/validation/topic/action.yml @@ -19,12 +19,15 @@ runs: - name: Topic validation shell: bash run: | - bundle exec rails g flipp_ruby_kafka:topic_config --producer_services=${{ inputs.PRODUCER_SERVICE }} --consumer_services=${{ inputs.CONSUMER_SERVICE }} + bundle exec rails g flipp_ruby_kafka:topic_config --producer_services="$PRODUCER_SERVICE" --consumer_services="$CONSUMER_SERVICE" # check if the circeci user exists and update permission. This is needed for non runner-fleet-v2 jobs if id "3434" >/dev/null 2>&1; then sudo chown circleci:circleci /var/run/docker.sock fi - chmod +x ./deploy/build.sh && ./deploy/build.sh service topic_validation --env=${{ inputs.ENV }} --config-file=./platform.yml --config-file=./topic_validation.yaml + chmod +x ./deploy/build.sh && ./deploy/build.sh service topic_validation --env="$VALIDATION_ENV" --config-file=./platform.yml --config-file=./topic_validation.yaml env: BUNDLE_DEPLOYMENT: true + PRODUCER_SERVICE: ${{ inputs.PRODUCER_SERVICE }} + CONSUMER_SERVICE: ${{ inputs.CONSUMER_SERVICE }} + VALIDATION_ENV: ${{ inputs.ENV }}