Manually merge jammy#660
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
These specs moved to that pipeline, and the docker image now contains the `light-aws-builder` binary. Also contains:
- shellcheck cleanup
- removes aws-light-stemcell-builder src
- use prefix, not prefix, and region
- out of band: update credhub entry
- rename `<short-name>-builder` => `<short-name>`
- simplify ci configure script
- relocate pipeline template and vars files to `ci/`
Actionable comments posted: 6
Inline comments:
In `@.github/workflows/go.yml`:
- Line 9: The actions/checkout action is currently referenced by version tag
(`@v7`) which uses a mutable reference susceptible to tag tampering. Replace the
`@v7` tag with the full-length commit SHA for the v7.0.0 release (you can find
this on the actions/checkout releases page). Additionally, add the
persist-credentials: false parameter to the checkout action configuration to
prevent credential leakage through workflow artifacts. This combination ensures
the workflow references an immutable commit hash and minimizes security risks
from credential exposure.
In `@.github/workflows/ruby.yml`:
- Line 8: Replace the actions/checkout@v7 reference with the full commit SHA
(actions/checkout@1d96c772d19495a3b5c516d2bc367d53b965f973) and add a comment
indicating the version for reference. Additionally, add a with block to the
checkout action step that sets persist-credentials to false to prevent the
GITHUB_TOKEN from being stored in Git config, which reduces the risk of
credential exposure in case of job or action compromise.
In `@ci/pipeline-template.yml`:
- Around line 1466-1471: The regexp pattern in the
base-oss-google-ubuntu-stemcell resource uses ubuntu-* which in regex syntax
matches zero or more hyphens rather than acting as a wildcard, preventing it
from matching filenames with OS codenames like ubuntu-noble. Replace the
ubuntu-* portion of the regexp with a proper regex pattern that matches the OS
codename (such as ubuntu-[a-z]+) to correctly match the uploaded artifact
pattern from line 1128, or use the existing template variable pattern pattern
used elsewhere in the file for consistency.
- Around line 1021-1024: The parallel AWS build plan contains an empty do: step
that renders as do: null and violates the Concourse step schema. Remove the
empty - do: line at line 1022 (the line containing just "- do:"). The two
build_light_aws_stemcell_new function calls should remain as direct children of
in_parallel: without being nested inside a do: step, since they are already
properly structured as sibling steps in the parallel execution block.
In `@ci/tasks/light-google/make-raw-from-heavy-stemcell.sh`:
- Line 22: In the conditional statement on line 22 of
make-raw-from-heavy-stemcell.sh, add quotes around the AWS_ACCESS_KEY_ID
variable in the test condition to ensure proper shell quoting. The variable
should be quoted as "$AWS_ACCESS_KEY_ID" within the brackets to maintain
consistency with the strict quoting standards being applied throughout the
hardening effort.
In `@image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4`:
- Line 9: The version element in the ubuntu-jammy.meta4 file is set to 1111.0.0,
which differs significantly from version 142.0.0 used in ubuntu-noble.meta4.
Verify whether the different versions across Ubuntu releases are intentional
based on your release management strategy. If versions should be aligned across
releases, update the version in ubuntu-jammy.meta4 to match ubuntu-noble.meta4
(or vice versa depending on which is correct). If the versions are intentionally
different, document the reason in a comment or commit message to clarify the
versioning scheme for future maintainers.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 69e54a33-a859-4e69-9931-beb121b96af0
📒 Files selected for processing (25)
- .github/workflows/go.yml
- .github/workflows/ruby.yml
- README.md
- ci/configure.sh
- ci/pipeline-template.yml
- ci/pipeline-vars.yml
- ci/pipelines/publisher.yml
- ci/tasks/light-aws/build.sh
- ci/tasks/light-aws/build.yml
- ci/tasks/light-aws/cleanup-ami.sh
- ci/tasks/light-aws/cleanup-ami.yml
- ci/tasks/light-aws/run-upload-test.sh
- ci/tasks/light-aws/run-upload-test.yml
- ci/tasks/light-aws/test-drivers.sh
- ci/tasks/light-aws/test-drivers.yml
- ci/tasks/light-aws/test-integration.sh
- ci/tasks/light-aws/test-integration.yml
- ci/tasks/light-aws/test-unit.sh
- ci/tasks/light-aws/test-unit.yml
- ci/tasks/light-aws/us-gov-merge-builds.yml
- ci/tasks/light-google/create-public-image.sh
- ci/tasks/light-google/deploy-skeletal.sh
- ci/tasks/light-google/make-raw-from-heavy-stemcell.sh
- docs/new_stemcell_line.md
- image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
💤 Files with no reviewable changes (9)
- ci/tasks/light-aws/build.yml
- ci/tasks/light-aws/test-integration.yml
- ci/tasks/light-aws/test-unit.sh
- ci/pipelines/publisher.yml
- ci/tasks/light-aws/test-drivers.yml
- ci/tasks/light-aws/test-drivers.sh
- ci/tasks/light-aws/test-unit.yml
- ci/tasks/light-aws/test-integration.sh
- ci/tasks/light-aws/us-gov-merge-builds.yml
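The two workflow findings above (mutable `@v7` tags and checkout steps without `persist-credentials: false`) are easy to regress on the next Dependabot bump, so here is a small linter that checks for both. This is an added example written for this discussion, not code from this PR or from CodeRabbit. It assumes only POSIX sh, grep, sed and awk; the two workflow texts are constructed for the example, and the all-zero and all-one 40-character SHAs are placeholders, not real actions/checkout or actions/setup-go release commits.

```shell
#!/bin/sh
# Added example, not code from this PR or from CodeRabbit: lint a GitHub
# workflow for (1) action references that are not pinned to a commit SHA and
# (2) actions/checkout steps that leave the GITHUB_TOKEN in the repo's git config.
# Assumes POSIX sh, grep, sed and awk. Workflow texts below are constructed;
# the 40-character zero/one SHAs are placeholders, not real release commits.

# Constructed: a step list shaped like the go.yml/ruby.yml checkout steps.
SAMPLE_WORKFLOW='name: go
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - uses: actions/setup-go@v5
        with:
          go-version: "1.22"
'

# Constructed: the same steps after applying the two review suggestions.
HARDENED_WORKFLOW='name: go
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v7.0.0 (placeholder SHA)
        with:
          persist-credentials: false
      - uses: actions/setup-go@1111111111111111111111111111111111111111 # v5 (placeholder SHA)
        with:
          go-version: "1.22"
'

# Print every `uses:` reference whose ref is not a 40-hex commit SHA, i.e. a
# tag or branch that can be moved after the workflow was reviewed.
# Local actions (`uses: ./path`) carry no ref and are skipped.
unpinned_uses() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*[^./]' \
        | grep -Ev '@[0-9a-f]{40}([[:space:]]|$)' \
        | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//'
}

# Print every actions/checkout step that does not set persist-credentials: false.
# A step starts at a line beginning with "- "; the checkout step's following
# lines (its `with:` block) are scanned until the next step begins.
checkout_without_persist_false() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (is_checkout && !safe) print ref
            is_checkout = 0; safe = 0
        }
        /^[ \t]*-[ \t]/ { flush() }
        /uses:[ \t]*actions\/checkout@/ {
            is_checkout = 1
            ref = $0
            sub(/^.*uses:[ \t]*/, "", ref)
            sub(/[ \t]*#.*$/, "", ref)
        }
        is_checkout && /persist-credentials:[ \t]*false/ { safe = 1 }
        END { flush() }
    '
}

# Run both checks on one workflow text; exit 0 only when it passes both.
lint_workflow() {
    status=0
    for ref in $(unpinned_uses "$1"); do
        echo "unpinned action reference: $ref"
        status=1
    done
    for ref in $(checkout_without_persist_false "$1"); do
        echo "checkout keeps credentials (add persist-credentials: false): $ref"
        status=1
    done
    return "$status"
}

echo "== sample workflow =="
lint_workflow "$SAMPLE_WORKFLOW" || echo "sample workflow needs hardening"
echo "== hardened workflow =="
lint_workflow "$HARDENED_WORKFLOW" && echo "hardened workflow: clean"
```

To use it on the real files, replace the constructed strings with `"$(cat .github/workflows/go.yml)"`; the SHA check is deliberately strict (exactly 40 hex digits), so an abbreviated SHA is reported as unpinned, which matches the review's "full-length commit SHA" wording.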
NOTE: this repository uses a "Merge Forward" strategy
Changes should be made in the earliest applicable branch, and
merged forward through subsequent branches.
Merge ubuntu-<short_name-N> into ubuntu-<short_name-N+1>