Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Github action fix - Caching #156

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Github action fix - Caching #156

wants to merge 1 commit into from

Conversation

r1viollet
Copy link
Collaborator

Test caching the download of zing

What does this PR do?:

Motivation:

Additional Notes:

How to test the change?:

For Datadog employees:

  • If this PR touches code that signs or publishes builds or packages, or handles
    credentials of any kind, I've requested a review from @DataDog/security-design-and-guidance.
  • This PR doesn't touch any of that.
  • JIRA: [JIRA-XXXX]

Unsure? Have a question? Request a review!

datadog-datadog-prod-us1[bot]
datadog-datadog-prod-us1 bot reviewed Dec 5, 2024
View reviewed changes
.github/workflows/test_workflow.yml Outdated
@@ -559,6 +559,11 @@ jobs:
sudo apt remove -y g++
sudo apt autoremove -y
sudo apt install -y curl zip unzip clang make build-essential
- name: Cache JDK Downloads
uses: actions/cache@v3
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 5, 2024
edited
Loading

🔧 Report generated by pr-comment-scanbuild

Scan-Build Report

User:runner@fv-az914-177
Working Directory:/home/runner/work/java-profiler/java-profiler/ddprof-lib/src/test/make
Command Line:make -j4 clean all
Clang Version:Ubuntu clang version 14.0.0-1ubuntu1.1
Date:Fri Dec 6 14:28:30 2024

Bug Summary

Bug TypeQuantityDisplay?
All Bugs6
Logic error
Assigned value is garbage or undefined1
Dereference of null pointer3
Result of operation is garbage or undefined1
Unused code
Dead nested assignment1

Reports

Bug Group Bug Type ▾ File Function/Method Line Path Length
Logic errorAssigned value is garbage or undefineddwarf.cppparseInstructions24420
Unused codeDead nested assignmentvmStructs.cppcheckNativeBinding9451
Logic errorDereference of null pointersafeAccess.hload3318
Logic errorDereference of null pointersymbols_linux.hElfParser12932
Logic errorDereference of null pointerflightRecorder.cppflush15048
Logic errorResult of operation is garbage or undefinedvmStructs.cppfind84016

@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 5, 2024
edited
Loading

🔧 Report generated by pr-comment-cppcheck

CppCheck Report

Warnings (6)

Style Violations (176)

@r1viollet r1viollet force-pushed the r1viollet/optim_ci branch 6 times, most recently from b764e98 to 7a80348 Compare December 6, 2024 14:20
datadog-datadog-prod-us1[bot]
datadog-datadog-prod-us1 bot reviewed Dec 6, 2024
View reviewed changes
.github/workflows/test_workflow.yml
@@ -565,27 +565,35 @@ jobs:
with:
distribution: 'temurin'
java-version: "11"
- name: Cache JDK Downloads
uses: actions/cache@v3
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

@r1viollet
Github action fix - Caching
951eabb 
Test caching the download of zing
r1viollet
r1viollet commented Dec 6, 2024
View reviewed changes
.github/workflows/test_workflow.yml
uses: actions/cache@v3
with:
path: /home/runner/jvm
key: ${{ runner.os }}-zing-jdk-${{ matrix.java_version }}-v0
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jbachorik any reason not to add caching to the JDK downloads ?
I would need to adjust this to all the jobs

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caching the jdk binaries would be useful. We would key on the distro/version/arch but that should speed up builds significantly.

@jbachorik
Copy link
Collaborator

It is a dup of #159 and #160 - I think you can safely close it now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@datadog-datadog-prod-us1 datadog-datadog-prod-us1[bot] datadog-datadog-prod-us1[bot] left review comments

@jbachorik jbachorik jbachorik left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@r1viollet @jbachorik