
ci/prevent deploy dryrun dependabot #570

Merged (4 commits) Jan 4, 2023

Conversation

@ashley-evans (Owner) commented Jan 4, 2023

What

Updated service.yml and ui.yml to only run deployment dry runs on non-dependabot builds

  • Dependabot builds only trigger bundle/compile rather than using SAM

Updated all usages of SAM to reinstall cryptography-38.0.4 before running any SAM commands

Why

Dependabot SAM Dry Runs:

  • For the SAM deployment to occur we need to give the runner permission to deploy resources to AWS. This requires giving the id-token write permission to dependabot builds, which by default is not provided, as a malicious dependency could use this permission to perform actions, see here
    • Therefore, removed this step for dependabot to match that default

SAM Cryptography:

  • There is a current issue with the setup-sam action, see here
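One way to express both changes from the description in a single workflow, as an added example that is not the project's own service.yml or ui.yml: the OIDC permission is granted only on the deploy job, that job is skipped when Dependabot is the actor, and cryptography is pinned before any SAM command. The job names, build command, action versions, role ARN, region and stack name are assumptions.

```yaml
# Added example (not the project's service.yml): gate the SAM dry run on the
# triggering actor so Dependabot runs never receive id-token: write.
name: service

on:
  pull_request:

# Weak setting, shown for contrast: a top-level grant would apply to every
# run, including ones driven by an unreviewed dependency bump.
# permissions:
#   id-token: write

jobs:
  build:
    # Runs for everyone, Dependabot included: bundle/compile only, no SAM, no
    # cloud credentials.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npm ci && npm run build   # assumed build command

  deploy-dry-run:
    needs: build
    # Skip the whole job when Dependabot opened the PR; the permissions block
    # below is therefore never evaluated for those runs.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # needed only here, for the OIDC exchange with AWS
      contents: read
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/setup-sam@v2
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/example-deploy-role  # assumed
          aws-region: eu-west-2   # assumed
      # Workaround described in the PR: reinstall the pinned cryptography
      # release before any SAM command runs.
      - run: pip install --force-reinstall cryptography==38.0.4
      - run: sam build
      # Dry run: create the changeset but never execute it.
      - run: >
          sam deploy --no-execute-changeset --no-fail-on-empty-changeset
          --stack-name crawl-service   # stack name assumed
```

The job-level `if:` is what keeps the permission grant honest: `permissions` on a job is only applied when the job runs, so a Dependabot-triggered run sees the default read-only token and nothing else. `github.actor` is the account that triggered the run, which is `dependabot[bot]` for Dependabot's own pull requests.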

@ashley-evans force-pushed the ci/prevent-deploy-dryrun-dependebot branch from 5d053fb to 24fbfbe, January 4, 2023 20:34
@ashley-evans force-pushed the ci/prevent-deploy-dryrun-dependebot branch from 24fbfbe to 554071e, January 4, 2023 20:36
github-actions bot commented Jan 4, 2023

Proposed Changes to Infrastructure

Affected Service

Crawl Service

Changeset

CloudFormation stack changeset
-----------------------------------------------------------------------------------------
Operation    LogicalResourceId            ResourceType                  Replacement
-----------------------------------------------------------------------------------------
* Modify     CrawlGraphQLAPIConnection    AWS::Events::Connection       False
* Modify     CrawlGraphQLAPIDestination   AWS::Events::ApiDestination   False
* Modify     CrawlGraphQLAPIKey           AWS::AppSync::ApiKey          Conditional
* Modify     UpdateCrawlStatusEventRule   AWS::Events::Rule             False
-----------------------------------------------------------------------------------------

Update service-build to compile only if not dry run
@ashley-evans force-pushed the ci/prevent-deploy-dryrun-dependebot branch 8 times, most recently from c61f5a9 to 78db048, January 4, 2023 21:45
@ashley-evans force-pushed the ci/prevent-deploy-dryrun-dependebot branch from 78db048 to fbfd04d, January 4, 2023 21:47
@ashley-evans ashley-evans changed the title WIP: ci/prevent deploy dryrun dependabot ci/prevent deploy dryrun dependabot Jan 4, 2023
@ashley-evans ashley-evans merged commit 0e7aa63 into master Jan 4, 2023
@ashley-evans ashley-evans deleted the ci/prevent-deploy-dryrun-dependebot branch January 4, 2023 22:04