Graal CI workflow #166
Graal CI workflow #166
Conversation
|
🔧 Report generated by pr-comment-scanbuild Scan-Build Report
Bug Summary
Reports
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
r1viollet
force-pushed
the
r1viollet/graal_vm_tests
branch
from
a3039cf to
37feea1
Compare
![datadog-datadog-prod-us1[bot]](https://avatars.githubusercontent.com/u/365230?s=60&v=4){kind=small}
.github/workflows/test_workflow.yml
Outdated
| - name: Setup OS | ||
| run: apk update && apk add curl moreutils wget hexdump linux-headers bash make g++ clang git cppcheck jq cmake gtest-dev gmock tar >/dev/null | ||
| - name: Prepare build JDK | ||
| uses: actions/setup-java@v3 |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag (...read more)
When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).
No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.
Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.
Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.
r1viollet
force-pushed
the
r1viollet/graal_vm_tests
branch
from
37feea1 to
7ed8ca2
Compare
r1viollet
force-pushed
the
r1viollet/graal_vm_tests
branch
from
7ed8ca2 to
f180fee
Compare
r1viollet
force-pushed
the
r1viollet/graal_vm_tests
branch
from
ad96f68 to
c2f42dd
Compare
|
What do we want to test via the non-native Graal workflow, at the moment? |
I am not sure how different the distributions would be and how valuable it is to add these workflows. I am adding these to make sure that the basic APIs we rely on are available and that no crashes are detected. If we want to run these at a different frequency, happy to discuss a different proposal. |
|
GraalVM JIT would be good to have at least like a sanity test of the different JIT compiler |
|
Merged: please reach out if you feel like these should be further adjusted. |
What does this PR do?:
This adds a graalVM workflow
Motivation:
Additional Notes:
This does not test the Ahead of Time / Native image workflow.
How to test the change?:
For Datadog employees:
credentials of any kind, I've requested a review from
@DataDog/security-design-and-guidance.Unsure? Have a question? Request a review!