Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: setup orchestrion integration tests #2785

Merged
merged 6 commits into from
Aug 6, 2024
Merged

Conversation

eliottness
Copy link
Contributor

What does this PR do?

Motivation

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.

Unsure? Have a question? Request a review!

jobs:
test:
name: 'Run Tests'
uses: DataDog/orchestrion/.github/workflows/integration-tests.yml@eliott.bouhana/smoke-tests

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Static Analysis Violation (sit-ci-best-practices/unpinned-github-actions)

🟠 Warning - Security - View in Datadog

Workflow depends on a GitHub actions pinned by tag (read more)

Pin third party actions by hash, or at least by tag for trusted sources

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a git ref (a branch name, a git tag, or a commit hash).

No pinned git ref means the action will use the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

Leave feedback in #static-analysis

.github/workflows/orchestrion.yml Show resolved Hide resolved
.github/workflows/orchestrion.yml Show resolved Hide resolved
.github/workflows/orchestrion.yml Show resolved Hide resolved
.github/workflows/orchestrion.yml Show resolved Hide resolved
@pr-commenter
Copy link

pr-commenter bot commented Jul 11, 2024

Benchmarks

Benchmark execution time: 2024-08-06 12:20:27

Comparing candidate commit 5cf8d73 in PR branch eliott.bouhana/smoke-tests with baseline commit 908da63 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 0 unstable metrics.

@eliottness eliottness force-pushed the eliott.bouhana/smoke-tests branch from e725c8c to 53692d2 Compare July 11, 2024 14:48
.github/workflows/orchestrion.yml Outdated Show resolved Hide resolved
.github/workflows/orchestrion.yml Outdated Show resolved Hide resolved
contrib/gin-gonic/gin/gintrace.go Outdated Show resolved Hide resolved
@eliottness eliottness force-pushed the eliott.bouhana/smoke-tests branch from 33e647a to 32af1ce Compare August 5, 2024 12:33
jobs:
test:
name: 'Run Tests'
uses: DataDog/orchestrion/.github/workflows/workflow_call.yml@eliott.bouhana/smoke-tests

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

Pin third party actions by hash, or at least by tag for trusted sources

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a git ref (a branch name, a git tag, or a commit hash).

No pinned git ref means the action will use the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will fix this once DataDog/orchestrion#158 is merged

@eliottness eliottness marked this pull request as ready for review August 5, 2024 13:49
@eliottness eliottness requested a review from a team as a code owner August 5, 2024 13:49
@eliottness eliottness requested a review from RomainMuller August 5, 2024 13:49
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
@eliottness eliottness force-pushed the eliott.bouhana/smoke-tests branch from 0d07377 to 5cf8d73 Compare August 6, 2024 11:50
@eliottness eliottness enabled auto-merge (squash) August 6, 2024 11:50
auto-merge was automatically disabled August 6, 2024 11:53

Pull Request is not mergeable

@eliottness eliottness merged commit 6674e13 into main Aug 6, 2024
164 checks passed
@eliottness eliottness deleted the eliott.bouhana/smoke-tests branch August 6, 2024 13:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants