Rehydrate 9.0.0-deprecation branch #2618
sharvath-newrelic wants to merge 21 commits into 9.0.0-deprecation from
Conversation
Added a comment to remind updating the instrumentation name in AgentUtil.
Update instrumentation version to logback-classic-1.5.20
Cap spring batch v5 module
Updates for Compatibility Plugin
Update compatibility action with correct task name
Site plugin typo
…920078 Update Internal Compatibility Doc
Cleanup jms-3 module
Move wrapper class out of S3AsyncClient_Instrumentation
| name: Generate Compatibility Files | ||
| runs-on: ubuntu-24.04 | ||
|
|
||
| env: | ||
| INTERNAL_DOC_FILE: build/docs/site/compatibility-requirements-java-agent-internal.md | ||
| PUBLIC_DOC_FILE: build/docs/site/compatibility-requirements-java-agent.mdx | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # pin@v4 | ||
|
|
||
| - name: Setup environment | ||
| uses: ./.github/actions/setup-environment | ||
|
|
||
| - name: Run compatibility plugin | ||
| run: ./gradlew clean generateCompatibilitySite | ||
|
|
||
| - name: Upload internal compatibility doc | ||
| uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 #pin@v4 | ||
| with: | ||
| name: internal-compatibility-doc | ||
| path: ${{ env.INTERNAL_DOC_FILE }} | ||
| retention-days: 1 | ||
|
|
||
| - name: Upload public site compatibility doc | ||
| uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 #pin@v4 | ||
| with: | ||
| name: site-compatibility-doc | ||
| path: ${{ env.PUBLIC_DOC_FILE }} | ||
| retention-days: 1 | ||
|
|
||
| update-internal-compatibility-doc: |
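Review bot: the generate-files job (from `name: Generate Compatibility Files` down through the two upload-artifact steps) has no `permissions:` block, so its GITHUB_TOKEN keeps the repository default scopes even though the steps only check out source, run `./gradlew clean generateCompatibilitySite` and upload two artifacts. Add `permissions:` / `contents: read` at the job level (or a workflow-level `permissions: contents: read` that the PR-creating job then overrides), which is the least-privilege grant these steps need. The commit-SHA pinning of actions/checkout and actions/upload-artifact with a `# pin@v4` comment is the right practice and should be kept when versions are bumped.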
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 5 months ago
To fix the problem, an explicit permissions block should be added with least-privilege settings for the affected job. In this case, for the generate-files job, only actions like checkout, setup, gradle builds, and artifact upload are performed. These require, at minimum, contents: read to fetch source code. No other scopes are needed (pull-requests, etc.). Thus, edit .github/workflows/Generate-Compatibility-Doc.yml and insert the following block under generate-files: (line 26):
permissions:
  contents: read

This ensures that the GITHUB_TOKEN for that job will have only read access to repository contents. No other jobs/steps are affected.
| @@ -24,6 +24,8 @@ | ||
| jobs: | ||
| generate-files: | ||
| name: Generate Compatibility Files | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-24.04 | ||
|
|
||
| env: |
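Review bot: the suggested `contents: read` is the right minimum for this hunk; nothing in generate-files pushes a branch or opens a PR, and artifact upload needs no write scope. Since two other jobs in the same file are flagged, a single workflow-level `permissions: contents: read` with explicit elevation only in update-internal-compatibility-doc would be easier to audit than three separate job-level blocks, but the job-level placement between `name:` and `runs-on:` shown here is valid as it stands.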
| name: Update Internal Compatibility File | ||
| needs: generate-files | ||
| runs-on: ubuntu-24.04 | ||
| if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.doc_type == 'internal') | ||
|
|
||
| env: | ||
| INTERNAL_FILEPATH: COMPATIBILITY.md | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # pin@v4 | ||
|
|
||
| - name: Download internal doc | ||
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # pin@v4 | ||
| with: | ||
| name: internal-compatibility-doc | ||
| path: tmp | ||
|
|
||
| - name: Copy internal doc to destination | ||
| run: cp tmp/compatibility-requirements-java-agent-internal.md ${{ env.INTERNAL_FILEPATH }} | ||
|
|
||
| - name: Create PR for internal doc | ||
| id: create-pr-internal | ||
| uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| add-paths: ${{ env.INTERNAL_FILEPATH }} | ||
| commit-message: 'Update internal compatibility doc' | ||
| branch: update-compatibility-doc-${{ github.run_id }} | ||
| delete-branch: true | ||
| base: main | ||
| title: 'Update Internal Compatibility Doc' | ||
| body: | | ||
| This PR updates the internal compatibility documentation. It was triggered manually or by a detected instrumentation build file change. | ||
|
|
||
| - name: Summary | ||
| run: | | ||
| echo "Submitted PR #${{ steps.create-pr-internal.outputs.pull-request-number}} to the New Relic Agent repo." | ||
| echo "Your review is required. See ${{ steps.create-pr-internal.outputs.pull-request-url}}" | ||
|
|
||
| update-site-compatibility-doc: |
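Review bot: update-internal-compatibility-doc hands `secrets.GITHUB_TOKEN` to peter-evans/create-pull-request with `delete-branch: true` and `base: main`, so it must push a branch and open a PR, yet no `permissions:` block grants `contents: write` and `pull-requests: write`; with a restrictive repository default the job fails, and with a permissive default it runs with more than it needs. Two smaller points: a PR opened with GITHUB_TOKEN does not trigger `pull_request` workflows, so CI will not run on the generated PR unless a different token is used; and the Summary step expands `${{ steps.create-pr-internal.outputs.pull-request-number}}` and `...pull-request-url}}` directly inside `run:`, which is low risk for these action-provided values but is cleaner passed through `env:` than inlined into the shell script.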
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 5 months ago
To fix the problem, we should explicitly assign the minimal needed permissions for the update-internal-compatibility-doc job (and optionally the other jobs too, but CodeQL flagged line 57 specifically). Since this job needs to create or update pull requests on the repo, it requires contents: write and pull-requests: write permissions at minimum. The most exact fix is to add a permissions block under the update-internal-compatibility-doc job, directly above steps:. This will ensure that the job does not inherit excessive repository or organizational permissions.
No new imports, definitions, or dependencies are needed—just the addition of the permissions YAML key with the minimal permissions necessary.
| @@ -58,6 +58,9 @@ | ||
| needs: generate-files | ||
| runs-on: ubuntu-24.04 | ||
| if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.doc_type == 'internal') | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
|
|
||
| env: | ||
| INTERNAL_FILEPATH: COMPATIBILITY.md |
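Review bot: `contents: write` plus `pull-requests: write` is the correct minimum for this job: `contents: write` covers pushing `update-compatibility-doc-${{ github.run_id }}` and deleting it afterwards (`delete-branch: true`), and `pull-requests: write` covers opening the PR. Placing the block after `if:` and before `env:` is valid; just make sure these two scopes are not also granted at workflow level, otherwise generate-files would inherit write access it does not need.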
| name: Update Public Site Documentation | ||
| needs: generate-files | ||
| runs-on: ubuntu-24.04 | ||
| if: github.event_name == 'workflow_dispatch' && inputs.doc_type == 'site' | ||
|
|
||
| env: | ||
| EXTERNAL_REPO_NAME: newrelic/docs-website | ||
| DESTINATION_FILEPATH: src/content/docs/apm/agents/java-agent/getting-started/compatibility-requirements-java-agent.mdx | ||
|
|
||
| steps: | ||
| - name: Checkout external docs repo | ||
| uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # pin@v4 | ||
| with: | ||
| repository: ${{ env.EXTERNAL_REPO_NAME }} | ||
| token: ${{ secrets.DOCS_WEBSITE_TOKEN }} | ||
| path: docs-website | ||
|
|
||
| - name: Download site doc | ||
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # pin@v4 | ||
| with: | ||
| name: site-compatibility-doc | ||
| path: tmp | ||
|
|
||
| - name: Copy site doc to destination path | ||
| run: cp tmp/compatibility-requirements-java-agent.mdx docs-website/${{ env.DESTINATION_FILEPATH }} | ||
|
|
||
| - name: Create PR for site doc | ||
| id: create-pr-docs-site | ||
| uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e | ||
| with: | ||
| token: ${{ secrets.DOCS_WEBSITE_TOKEN }} | ||
| path: docs-website | ||
| add-paths: ${{ env.DESTINATION_FILEPATH }} | ||
| commit-message: 'Update Java agent compatibility documentation' | ||
| branch: update-java-agent-compatibility-${{ inputs.release_tag }} | ||
| delete-branch: true | ||
| base: develop | ||
| title: '[DO-NOT-MERGE] Update Java Agent Compatibility Requirements' | ||
| body: | | ||
| This is a WIP. | ||
| This PR updates the Java agent compatibility documentation. | ||
|
|
||
| - name: Summary | ||
| run: | | ||
| echo "Submitted PR #${{ steps.create-pr-docs-site.outputs.pull-request-number}} to the docs site repo." | ||
| echo "Your review is required. See ${{ steps.create-pr-docs-site.outputs.pull-request-url}}" | ||
| echo "Once you have reviewed the PR, update its title and description to show it is ready for merge." |
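Review bot: update-site-compatibility-doc authenticates both the checkout of `newrelic/docs-website` and the PR creation with `secrets.DOCS_WEBSITE_TOKEN`, a cross-repository credential, so confirm it is a fine-grained token limited to that one repository with contents and pull-requests write only. Two things to check in the step inputs: `branch: update-java-agent-compatibility-${{ inputs.release_tag }}` relies on a `release_tag` workflow_dispatch input that is not shown in this diff and is not part of the `if:` condition, so a dispatch without it yields a branch named `update-java-agent-compatibility-`; and the job still lacks a `permissions:` block, which is the third CodeQL finding.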
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 5 months ago
To fix the problem, the workflow YAML should be edited to include a permissions block with the minimum required access. There are two possible locations: at the workflow root (applies to all jobs) or at the individual job level. Since the CodeQL error highlights the update-site-compatibility-doc job, we'll add the block to that job only unless review identifies that the other jobs need changes as well. The minimum permission typically needed for jobs creating PRs is contents: read and pull-requests: write. However, this particular job uses peter-evans/create-pull-request, which requires permission to write pull-requests to create or update a pull request. It may also possibly require contents: write if pushing new code, but since the PR is being created with an alternate token (via a secret), the GITHUB_TOKEN doesn't need more than read. Granting contents: read is the minimal recommendation.
Therefore, for the update-site-compatibility-doc job in .github/workflows/Generate-Compatibility-Doc.yml, insert:
permissions:
  contents: read

immediately after the job name and before needs:. This restricts the GITHUB_TOKEN to its lowest safe privilege, following best practices.
| @@ -95,6 +95,8 @@ | ||
|
|
||
| update-site-compatibility-doc: | ||
| name: Update Public Site Documentation | ||
| permissions: | ||
| contents: read | ||
| needs: generate-files | ||
| runs-on: ubuntu-24.04 | ||
| if: github.event_name == 'workflow_dispatch' && inputs.doc_type == 'site' |
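Review bot: `contents: read` is the right scope here because the PR is opened with `secrets.DOCS_WEBSITE_TOKEN` rather than GITHUB_TOKEN, so GITHUB_TOKEN never needs write access in this job. The autofix prose says the block goes before `needs:` and the hunk places it between `name:` and `needs:`, which agree; the `cp` into the docs-website checkout and the PR creation both run under the external token and are unaffected by this change.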
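The three CodeQL findings above are one least-privilege issue: a job without a `permissions:` block runs with the repository's default GITHUB_TOKEN scopes. As an added example, not part of this PR or the New Relic workflow, the following Python reproduces that finding over a constructed workflow fragment that reuses the diff's three job ids, and also reports which unscoped jobs actually hand `secrets.GITHUB_TOKEN` to a step (those need write scopes; the rest need only `contents: read`). It assumes the standard two-space indentation of GitHub workflow files.

```python
# Added example (not from the PR): dependency-free check for the CodeQL finding
# "Workflow does not contain permissions": a job with neither a job-level nor a
# workflow-level 'permissions:' block keeps the repository default GITHUB_TOKEN
# scopes. Constructed sample uses the PR's three job ids, pre-autofix.
SAMPLE_WORKFLOW = """\
on: [push, workflow_dispatch]
jobs:
  generate-files:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
  update-internal-compatibility-doc:
    needs: generate-files
    steps:
      - uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
  update-site-compatibility-doc:
    needs: generate-files
    steps:
      - uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
        with:
          token: ${{ secrets.DOCS_WEBSITE_TOKEN }}
"""


def find_unscoped_jobs(yaml_text):
    """Return [(job_id, uses_github_token)] for each job that inherits the default
    GITHUB_TOKEN scopes. Assumes the usual two-space workflow indentation."""
    workflow_scoped, in_jobs, current, jobs = False, False, None, {}
    for raw in yaml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                                  # top-level key
            in_jobs = line == "jobs:"
            workflow_scoped |= line.startswith("permissions:")
            current = None
        elif in_jobs and indent == 2 and line.endswith(":"):
            current = line[:-1]                          # new job id
            jobs[current] = {"permissions": False, "token": False}
        elif current and indent == 4 and line.startswith("permissions:"):
            jobs[current]["permissions"] = True
        elif current and "secrets.GITHUB_TOKEN" in line:
            jobs[current]["token"] = True
    if workflow_scoped:            # a workflow-level block scopes every job
        return []
    return [(name, j["token"]) for name, j in jobs.items() if not j["permissions"]]
```

Run it over a real file with `find_unscoped_jobs(open(path).read())`; an empty list means every job is scoped, and a `True` flag marks a job that needs `contents: write` and `pull-requests: write` rather than read-only access.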
While this isn't necessarily SOP, Oren and I have agreed to merge main into the feature branch on a 'sprintly' basis via PR.
Overview
Keeping the deprecation branch up to date with changes in main