From 63e021d25437359091fdc0c6ea0659f6cdaf6873 Mon Sep 17 00:00:00 2001
From: ohemorange
Date: Fri, 1 May 2026 14:29:51 -0700
Subject: [PATCH 1/3] Apply suggestions from code review

Co-authored-by: Brad Warren
---
 .github/workflows/docker_packaging_jobs.yml | 5 +----
 .github/workflows/snap_packaging_jobs.yml | 6 +++---
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/docker_packaging_jobs.yml b/.github/workflows/docker_packaging_jobs.yml
index 55a1962e1..44ac5e6b3 100644
--- a/.github/workflows/docker_packaging_jobs.yml
+++ b/.github/workflows/docker_packaging_jobs.yml
@@ -3,7 +3,7 @@ on:
 workflow_call:
 inputs:
 dockerTag:
- description: 'docker tag to push to'
+ description: 'tag to assign docker images'
 type: string
 permissions:
 contents: read
@@ -16,9 +16,6 @@ jobs:
 name: Build ${{ matrix.DOCKER_ARCH }}
 runs-on:
 - ${{ matrix.run-on }}
- # The default timeout of 60 minutes is a little low for compiling
- # cryptography on ARM architectures.
- timeout-minutes: 180
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/snap_packaging_jobs.yml b/.github/workflows/snap_packaging_jobs.yml
index 523cba884..49152e3d0 100644
--- a/.github/workflows/snap_packaging_jobs.yml
+++ b/.github/workflows/snap_packaging_jobs.yml
@@ -3,7 +3,7 @@ on:
 workflow_call:
 inputs:
 snapBuildTimeout:
- description: 'timeout for snap builds'
+ description: 'timeout for snap builds in seconds'
 type: number
 permissions:
 contents: read
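Review bot: Dropping `timeout-minutes: 180` from the docker_build job in the `@@ -16,9 +16,6 @@` hunk puts the ARM image builds back on GitHub's 60-minute default, which the deleted comment says is too short for compiling cryptography, and nothing on the new side records why that is now acceptable. If the matrix's `run-on` entries now select native ARM runners so the compile no longer runs under emulation, a one-line comment above `strategy:` such as `# ARM images build on native runners, so the default 60-minute job timeout is enough.` would stop the next reader from re-adding the override; if that is not the case the timeout should stay. The job definition continues outside the hunk, so the matrix values cannot be checked here.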
@@ -98,8 +98,8 @@ jobs:
 env:
 LAUNCHPAD_CREDS: "${{ secrets.LAUNCHPAD_CREDENTIALS }}"
 run: |-
- git config --global user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
- git config --global user.name "${{ github.actor }}"
+ git config --global user.email "github-actions[bot]"
+ git config --global user.name ""41898282+github-actions[bot]@users.noreply.github.com"
 mkdir -p ~/.local/share/snapcraft/
 echo "$LAUNCHPAD_CREDS" > ~/.local/share/snapcraft/launchpad-credentials
 python3 tools/snap/build_remote.py ALL --archs "$SNAP_ARCH" --timeout ${{ env.snapBuildTimeout }}

From 245234f6846f90922ee92c026e66a5df58ca2b0b Mon Sep 17 00:00:00 2001
From: Erica Portnoy
Date: Fri, 1 May 2026 14:45:36 -0700
Subject: [PATCH 2/3] address zizmor errors

---
 .github/workflows/docker_packaging_jobs.yml | 8 ++++---
 .github/workflows/extended_tests_jobs.yml | 12 +++++++++-
 .github/workflows/full_test_suite.yml | 10 +++++----
 .github/workflows/snap_packaging_jobs.yml | 25 +++++++++++++++++----
 .github/workflows/tox_steps.yml | 8 +++++++
 5 files changed, 51 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/docker_packaging_jobs.yml b/.github/workflows/docker_packaging_jobs.yml
index 44ac5e6b3..55b089ef0 100644
--- a/.github/workflows/docker_packaging_jobs.yml
+++ b/.github/workflows/docker_packaging_jobs.yml
@@ -9,7 +9,7 @@ permissions:
 contents: read
 
 env:
- dockerTag: ${{ inputs.dockerTag }}
+ DOCKER_TAG: ${{ inputs.dockerTag }}
 
 jobs:
 docker_build:
@@ -34,7 +34,7 @@ jobs:
 - name: Build the Docker images
 # We don't filter for the Docker Hub organization to continue to allow
 # easy testing of these scripts on forks.
- run: tools/docker/build.sh ${{ env.dockerTag }} ${{ matrix.DOCKER_ARCH }}
+ run: tools/docker/build.sh "$DOCKER_TAG" ${{ matrix.DOCKER_ARCH }}
 shell: bash
 - name: Save the Docker images
 run: |-
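Review bot: The two added `git config` lines in the `@@ -98,8 +98,8 @@` hunk have the name and the address swapped, and the `user.name` value starts with a doubled quote `""41898282+…"`, which leaves an unbalanced double quote in the script; under the step's default `bash -e` shell that should make the step fail to parse, and if the quoting ever happened to balance it would fold the following `mkdir`/`echo` lines — including the unquoted `$LAUNCHPAD_CREDS` expansion — into a git config value. The lines should read `git config --global user.name "github-actions[bot]"` and `git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"`. The same two lines are carried unchanged as context in the later `@@ -102,7 +115,7 @@` hunk of this series, so the fix belongs in PATCH 1/3. The `run: |-` block they belong to is shown in full here, but the enclosing job starts above the hunk.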
@@ -70,6 +70,8 @@ jobs:
 steps:
 - name: checkout
 uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
 - name: Retrieve Docker images
 uses: actions/download-artifact@v8.0.1
 with:
@@ -79,5 +81,5 @@ jobs:
 run: docker load --input ${{ github.workspace }}/images.tar
 shell: bash
 - name: Run integration tests for Docker images
- run: tools/docker/test.sh ${{ env.dockerTag }} ${{ matrix.DOCKER_ARCH }}
+ run: tools/docker/test.sh "$DOCKER_TAG" ${{ matrix.DOCKER_ARCH }}
 shell: bash
diff --git a/.github/workflows/extended_tests_jobs.yml b/.github/workflows/extended_tests_jobs.yml
index 6c1ab0cea..cbe364f7b 100644
--- a/.github/workflows/extended_tests_jobs.yml
+++ b/.github/workflows/extended_tests_jobs.yml
@@ -1,6 +1,13 @@
 name: Extended tests jobs
 on:
 workflow_call:
+ secrets:
+ AWS_TEST_FARM_PEM:
+ required: false
+ AWS_ACCESS_KEY_ID:
+ required: false
+ AWS_SECRET_ACCESS_KEY:
+ required: false
 permissions:
 contents: read
 
@@ -45,4 +52,7 @@ jobs:
 PYTHON_VERSION: "${{ matrix.PYTHON_VERSION }}"
 TOXENV: "${{ matrix.TOXENV }}"
 IMAGE_NAME: ubuntu-22.04
- secrets: inherit
+ secrets:
+ AWS_TEST_FARM_PEM: "${{ secrets.AWS_TEST_FARM_PEM }}"
+ AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+ AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
diff --git a/.github/workflows/full_test_suite.yml b/.github/workflows/full_test_suite.yml
index 1c58d31bb..a2e35d173 100644
--- a/.github/workflows/full_test_suite.yml
+++ b/.github/workflows/full_test_suite.yml
@@ -19,7 +19,10 @@ jobs:
 extended_tests_jobs:
 name: Extended tests
 uses: "./.github/workflows/extended_tests_jobs.yml"
- secrets: inherit
+ secrets:
+ AWS_TEST_FARM_PEM: "${{ secrets.AWS_TEST_FARM_PEM }}"
+ AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+ AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
 docker_packaging_jobs:
 name: Docker packaging
 uses: "./.github/workflows/docker_packaging_jobs.yml"
@@ -27,11 +30,10 @@ jobs:
 # We don't publish our Docker images in this pipeline, but when building them
 # for testing, let's use the nightly tag.
 dockerTag: nightly
- secrets: inherit
 snap_packaging_jobs:
 name: Snap packaging
 uses: "./.github/workflows/snap_packaging_jobs.yml"
 with:
 snapBuildTimeout: 5400
- secrets: inherit
-
+ secrets:
+ LAUNCHPAD_CREDENTIALS: "${{ secrets.LAUNCHPAD_CREDENTIALS }}"
diff --git a/.github/workflows/snap_packaging_jobs.yml b/.github/workflows/snap_packaging_jobs.yml
index 49152e3d0..da83d97d9 100644
--- a/.github/workflows/snap_packaging_jobs.yml
+++ b/.github/workflows/snap_packaging_jobs.yml
@@ -5,11 +5,15 @@ on:
 snapBuildTimeout:
 description: 'timeout for snap builds in seconds'
 type: number
+ secrets:
+ LAUNCHPAD_CREDENTIALS:
+ required: true
+
 permissions:
 contents: read
 
 env:
- snapBuildTimeout: ${{ inputs.snapBuildTimeout }}
+ SNAP_BUILD_TIMEOUT: ${{ inputs.snapBuildTimeout }}
 
 jobs:
 gha_build_snap:
@@ -24,7 +28,10 @@ jobs:
 - build-for: amd64
 build-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v6.0.2
+ - name: checkout
+ uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
 - uses: snapcore/action-build@v1.3.0
 id: build
 with:
@@ -42,6 +49,8 @@ jobs:
 steps:
 - name: checkout
 uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
 - id: set-dns-dirs
 run: |
 DNS_NAMES="$(echo certbot-dns-* | jq -R -s -c 'split(" ")[:-1]')"
@@ -61,7 +70,10 @@ jobs:
 - build-for: amd64
 build-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v6.0.2
+ - name: checkout
+ uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
 - name: generate dns snapcraft.yamls
 run: |
 tools/snap/generate_dnsplugins_all.sh # unnecessarily doing every file
@@ -86,6 +98,7 @@ jobs:
 uses: actions/checkout@v6.0.2
 with:
 fetch-depth: 0 # need a non-shallow clone for launchpad
+ persist-credentials: false
 - name: Install dependencies
 run: |-
 sudo apt-get update
@@ -102,7 +115,7 @@ jobs:
 git config --global user.name ""41898282+github-actions[bot]@users.noreply.github.com"
 mkdir -p ~/.local/share/snapcraft/
 echo "$LAUNCHPAD_CREDS" > ~/.local/share/snapcraft/launchpad-credentials
- python3 tools/snap/build_remote.py ALL --archs "$SNAP_ARCH" --timeout ${{ env.snapBuildTimeout }}
+ python3 tools/snap/build_remote.py ALL --archs "$SNAP_ARCH" --timeout "$SNAP_BUILD_TIMEOUT"
 - name: Flatten snaps layout
 run: |-
 mv *.snap ${{ runner.temp }}
@@ -132,6 +145,8 @@ jobs:
 steps:
 - name: checkout
 uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5.0.0
 with:
 python-version: '3.12'
@@ -191,6 +206,8 @@ jobs:
 steps:
 - name: checkout
 uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
 - name: Install armhf dependencies
 if: ${{ matrix.arch-name == 'armhf' }}
 run: |-
diff --git a/.github/workflows/tox_steps.yml b/.github/workflows/tox_steps.yml
index de5d1d225..529f00f01 100644
--- a/.github/workflows/tox_steps.yml
+++ b/.github/workflows/tox_steps.yml
@@ -10,6 +10,14 @@ on:
 type: string
 PIP_USE_PEP517:
 type: string
+ secrets:
+ AWS_TEST_FARM_PEM:
+ required: false
+ AWS_ACCESS_KEY_ID:
+ required: false
+ AWS_SECRET_ACCESS_KEY:
+ required: false
+
 permissions:
 contents: read
 

From 9da1879097c3c6d10906d323fa7e2d86c5f7938d Mon Sep 17 00:00:00 2001
From: ohemorange
Date: Fri, 1 May 2026 14:57:45 -0700
Subject: [PATCH 3/3] Only upload built packages to github actions artifacts, not the whole runner temp dir

Co-authored-by: Brad Warren
---
 .github/workflows/docker_packaging_jobs.yml | 5 +----
 .github/workflows/snap_packaging_jobs.yml | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/docker_packaging_jobs.yml b/.github/workflows/docker_packaging_jobs.yml
index 55b089ef0..a2878097b 100644
--- a/.github/workflows/docker_packaging_jobs.yml
+++ b/.github/workflows/docker_packaging_jobs.yml
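Review bot: The `echo "$LAUNCHPAD_CREDS" > ~/.local/share/snapcraft/launchpad-credentials` line carried as context in the `@@ -102,7 +115,7 @@` hunk writes the Launchpad credential with the runner's default umask (typically 022 on hosted runners), so the file sits mode 0644 for the rest of the job; since this commit is a hardening pass over the same step, it is the natural place to tighten that. A minimal change is `(umask 077; echo "$LAUNCHPAD_CREDS" > ~/.local/share/snapcraft/launchpad-credentials)`, which keeps the file readable only by the runner user without changing anything snapcraft sees. The step's `env:` and `run: |-` header lines are above the hunk, so whether the secret is also exposed elsewhere in the step cannot be checked here.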
@@ -43,14 +43,11 @@ jobs:
 shell: bash
 # If the name of the tar file or artifact changes, the deploy stage will
 # also need to be updated.
- - name: Prepare Docker artifact
- run: mv images.tar ${{ runner.temp }}
- shell: bash
 - name: Store Docker artifact
 uses: actions/upload-artifact@v7.0.0
 with:
 name: docker_${{ matrix.DOCKER_ARCH }}
- path: "${{ runner.temp }}"
+ path: "${{ github.workspace }}/images.tar"
 docker_test:
 name: Test ${{ matrix.DOCKER_ARCH }}
 needs:
diff --git a/.github/workflows/snap_packaging_jobs.yml b/.github/workflows/snap_packaging_jobs.yml
index da83d97d9..b72f5a6cf 100644
--- a/.github/workflows/snap_packaging_jobs.yml
+++ b/.github/workflows/snap_packaging_jobs.yml
@@ -124,7 +124,7 @@ jobs:
 uses: actions/upload-artifact@v7.0.0
 with:
 name: snaps_${{ env.SNAP_ARCH }}
- path: "${{ runner.temp }}"
+ path: "${{ runner.temp }}/*.snap"
 snap_run:
 name: Test certbot ${{ matrix.arch-name }}
 needs: