fix(security): fix gh issue #496
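name: build
on:
  pull_request: {}
  workflow_dispatch: {}
# Deny every scope at the workflow level; the job below re-grants only what it needs.
permissions:
  actions: none
  attestations: none
  checks: none
  contents: none
  deployments: none
  discussions: none
  id-token: none
  issues: none
  models: none
  packages: none
  pages: none
  pull-requests: none
  repository-projects: none
  security-events: none
  statuses: none
jobs:
  build:
    permissions:
      actions: write  # upload-artifact when self-mutation is detected
      contents: read
    # Runner priority: vars.DEFAULT_RUNNER_LABEL > PR label 'self-hosted' > PR label 'ubuntu-latest-4-cores' > 'ubuntu-latest'
    # Labels are read through the expression context only, never interpolated into a shell.
    runs-on: >-
      ${{
        vars.DEFAULT_RUNNER_LABEL
        || (github.event_name == 'pull_request'
        && contains(github.event.pull_request.labels.*.name, 'self-hosted')
        && 'self-hosted')
        || (github.event_name == 'pull_request'
        && contains(github.event.pull_request.labels.*.name, 'ubuntu-latest-4-cores')
        && 'ubuntu-latest-4-cores')
        || 'ubuntu-latest'
      }}
    strategy:
      matrix:
        compute_type: [agentcore]
    outputs:
      self_mutation_happened: ${{ steps.self_mutation.outputs.self_mutation_happened }}
    env:
      CI: "true"
      MISE_EXPERIMENTAL: "1"
      # Job-wide so that mise/aqua can authenticate their GitHub downloads; note that
      # every step in this job (including the mise tasks) sees the token through env.
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      AQUA_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Keep secret and dependency scanning enabled in CI; only disable the
      # remaining tools that are intentionally skipped here.
      MISE_DISABLE_TOOLS: "aqua:aquasecurity/trivy,grype,semgrep"
    steps:
      - name: Free Disk Space
        # The runs-on expression above can select a self-hosted runner; removing
        # system directories with sudo is only appropriate on a disposable GitHub-hosted VM.
        if: runner.environment == 'github-hosted'
        shell: bash
        run: |
          sudo rm -rf \
            /usr/local/lib/android \
            /usr/share/dotnet \
            /opt/hostedtoolcache || true
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1  # shallow clone
          # Do not leave the checkout token in .git/config for later steps to pick up.
          persist-credentials: false
      # Normalise event-specific metadata into step outputs. PR-controlled values
      # (head ref, PR number, merge-group ref) enter only via `env`, never by
      # expression interpolation into the script body.
      - name: Resolve github:* tag values
        id: tags
        env:
          EVENT_NAME: ${{ github.event_name }}
          GH_SHA: ${{ github.sha }}
          GH_REF_NAME: ${{ github.ref_name }}
          GH_REF_TYPE: ${{ github.ref_type }}
          GH_HEAD_REF: ${{ github.head_ref }}
          GH_BASE_REF: ${{ github.base_ref }}
          MG_HEAD_SHA: ${{ github.event.merge_group.head_sha }}
          MG_BASE_REF: ${{ github.event.merge_group.base_ref }}
          MG_HEAD_REF: ${{ github.event.merge_group.head_ref }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          case "$EVENT_NAME" in
            merge_group)
              echo "sha=${MG_HEAD_SHA}" >> "$GITHUB_OUTPUT"
              echo "ref=${MG_BASE_REF}" >> "$GITHUB_OUTPUT"
              echo "ref-type=branch" >> "$GITHUB_OUTPUT"
              echo "head-ref=${MG_HEAD_REF}" >> "$GITHUB_OUTPUT"
              echo "base-ref=${MG_BASE_REF}" >> "$GITHUB_OUTPUT"
              # Merge-group head refs embed the PR number as 'pr-<n>'; empty if absent.
              PR_NUM=$(echo "$MG_HEAD_REF" | grep -oP 'pr-\K[0-9]+' || echo "")
              echo "pr-number=${PR_NUM}" >> "$GITHUB_OUTPUT"
              ;;
            # pull_request_target is handled identically, although only
            # pull_request and workflow_dispatch are wired up in `on:` above.
            pull_request|pull_request_target)
              echo "sha=${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT"
              echo "ref=${GH_HEAD_REF}" >> "$GITHUB_OUTPUT"
              echo "ref-type=branch" >> "$GITHUB_OUTPUT"
              echo "head-ref=${GH_HEAD_REF}" >> "$GITHUB_OUTPUT"
              echo "base-ref=${GH_BASE_REF}" >> "$GITHUB_OUTPUT"
              echo "pr-number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
              ;;
            push)
              echo "sha=${GH_SHA}" >> "$GITHUB_OUTPUT"
              echo "ref=${GH_REF_NAME}" >> "$GITHUB_OUTPUT"
              echo "ref-type=${GH_REF_TYPE}" >> "$GITHUB_OUTPUT"
              echo "head-ref=" >> "$GITHUB_OUTPUT"
              echo "base-ref=" >> "$GITHUB_OUTPUT"
              echo "pr-number=" >> "$GITHUB_OUTPUT"
              ;;
            *)
              # workflow_dispatch and anything else: fall back to the ref that was checked out.
              echo "sha=${GH_SHA}" >> "$GITHUB_OUTPUT"
              echo "ref=${GH_REF_NAME}" >> "$GITHUB_OUTPUT"
              echo "ref-type=${GH_REF_TYPE}" >> "$GITHUB_OUTPUT"
              echo "head-ref=" >> "$GITHUB_OUTPUT"
              echo "base-ref=" >> "$GITHUB_OUTPUT"
              echo "pr-number=" >> "$GITHUB_OUTPUT"
              ;;
          esac
      # Build cdk/cdk.context.json with jq so every value is JSON-encoded via --arg
      # rather than pasted into a JSON template as text.
      - name: Generate CDK context
        env:
          COMPUTE_TYPE: ${{ matrix.compute_type }}
          TAG_SHA: ${{ steps.tags.outputs.sha }}
          TAG_REF: ${{ steps.tags.outputs.ref }}
          TAG_REF_TYPE: ${{ steps.tags.outputs.ref-type }}
          TAG_ACTOR: ${{ github.actor }}
          TAG_HEAD_REF: ${{ steps.tags.outputs.head-ref }}
          TAG_BASE_REF: ${{ steps.tags.outputs.base-ref }}
          TAG_PR_NUMBER: ${{ steps.tags.outputs.pr-number }}
          TAG_RUN_ID: ${{ github.run_id }}
          TAG_RUN_ATTEMPT: ${{ github.run_attempt }}
          TAG_EVENT: ${{ github.event_name }}
          TAG_WORKFLOW: ${{ github.workflow }}
          TAG_REPOSITORY: ${{ github.repository }}
        run: |
          jq -n \
            --arg compute_type "$COMPUTE_TYPE" \
            --arg stackName "backgroundagent-dev" \
            --arg sha "$TAG_SHA" \
            --arg ref "$TAG_REF" \
            --arg ref_type "$TAG_REF_TYPE" \
            --arg actor "$TAG_ACTOR" \
            --arg head_ref "$TAG_HEAD_REF" \
            --arg base_ref "$TAG_BASE_REF" \
            --arg pr_number "$TAG_PR_NUMBER" \
            --arg run_id "$TAG_RUN_ID" \
            --arg run_attempt "$TAG_RUN_ATTEMPT" \
            --arg event "$TAG_EVENT" \
            --arg workflow "$TAG_WORKFLOW" \
            --arg repository "$TAG_REPOSITORY" \
            '{
              "compute_type": $compute_type,
              "stackName": $stackName,
              "github:sha": $sha,
              "github:ref": $ref,
              "github:ref-type": $ref_type,
              "github:actor": $actor,
              "github:head-ref": $head_ref,
              "github:base-ref": $base_ref,
              "github:pr-number": $pr_number,
              "github:run-id": $run_id,
              "github:run-attempt": $run_attempt,
              "github:event": $event,
              "github:workflow": $workflow,
              "github:repository": $repository,
              "github:clean": "true"
            }' > cdk/cdk.context.json
          cat cdk/cdk.context.json
      - name: Install mise
        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
        with:
          cache: true
      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 22.x
      - name: Cache node_modules
        id: cache-node-modules
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: node_modules
          key: node-modules-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
      - name: Cache agent venv
        id: cache-agent-venv
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: agent/.venv
          key: agent-venv-${{ runner.os }}-${{ hashFiles('agent/uv.lock') }}
      - name: Cache Jest transforms
        id: cache-jest
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: cdk/.jest-cache
          # Exact key includes the commit; restore-keys allows reuse of the latest cache for the same lockfile.
          key: jest-${{ runner.os }}-${{ hashFiles('yarn.lock') }}-${{ github.sha }}
          restore-keys: |
            jest-${{ runner.os }}-${{ hashFiles('yarn.lock') }}-
      - name: Cache TypeScript build info
        id: cache-tsc
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            cdk/tsconfig.tsbuildinfo
            cli/tsconfig.tsbuildinfo
          key: tsc-${{ runner.os }}-${{ hashFiles('cdk/src/**', 'cdk/tsconfig.json', 'cdk/tsconfig.dev.json', 'cli/src/**', 'cli/tsconfig.json') }}
          restore-keys: |
            tsc-${{ runner.os }}-
      - name: Install dependencies
        env:
          CACHE_NODE: ${{ steps.cache-node-modules.outputs.cache-hit }}
          CACHE_VENV: ${{ steps.cache-agent-venv.outputs.cache-hit }}
          CACHE_JEST: ${{ steps.cache-jest.outputs.cache-hit }}
        run: |
          echo "::group::Cache status"
          echo "node_modules: ${CACHE_NODE:-MISS}"
          echo "agent .venv: ${CACHE_VENV:-MISS}"
          echo "jest transforms: ${CACHE_JEST:-MISS}"
          echo "::endgroup::"
          SECONDS=0
          mise run install
          echo "::notice::Install completed in ${SECONDS}s (node_modules=${CACHE_NODE:-miss}, venv=${CACHE_VENV:-miss}, jest=${CACHE_JEST:-miss})"
      - name: build
        env:
          TMPDIR: ${{ runner.temp }}
        run: |
          echo "::notice::Runner: $(nproc) cores, $(free -h | awk '/Mem:/{print $2}') RAM"
          SECONDS=0
          mise run build
          echo "::notice::Build completed in ${SECONDS}s ($(nproc) cores, mise parallel DAG)"
      - name: Upload CDK artifact (${{ matrix.compute_type }})
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: cdk-${{ matrix.compute_type }}-out
          path: |
            cdk/cdk.out/
            cdk/cdk.context.json
      # Any file the build changed (or created) is captured in repo.patch; the
      # output flag drives the two steps below.
      - name: Find mutations
        id: self_mutation
        run: |-
          git add .
          git diff --staged --patch --exit-code > repo.patch || echo "self_mutation_happened=true" >> "$GITHUB_OUTPUT"
        shell: bash
        working-directory: ./
      - name: Upload patch
        if: steps.self_mutation.outputs.self_mutation_happened
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: repo.patch
          path: repo.patch
          overwrite: true
      - name: Fail build on mutation
        if: steps.self_mutation.outputs.self_mutation_happened
        run: |-
          echo "::error::Files were changed during build (see build log). Please run the build locally and commit the changes."
          cat repo.patch
          exit 1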