
Onboard new backport-pr re-usable github workflow (sql)#5586

Open
peterzhuamazon wants to merge 1 commit into
opensearch-project:mainfrom
peterzhuamazon:update-backport-workflow

Conversation

@peterzhuamazon (Member)

Description

Onboard new backport-pr re-usable github workflow (sql)

Issues Resolved

opensearch-project/opensearch-build#6270

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

- Replace old backport workflow with reusable workflow from opensearch-build
- Remove obsolete backport-related workflows

Signed-off-by: Peter Zhu <zhujiaxi@amazon.com>
@github-actions (Contributor)

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 1ae1f80.

Findings (path, line, severity, description):

- .github/workflows/backport.yml, line 12, severity high: Reusable workflow referenced at floating '@main' branch instead of a pinned commit SHA. The previous actions were pinned to specific commit hashes (e.g., tibdex/github-app-token@1901dc7). Using '@main' means any future change to opensearch-project/opensearch-build's backport-pr.yml — including a malicious one — would automatically execute in this repository's CI/CD pipeline. This is a supply chain risk that must be verified by maintainers.
- .github/workflows/backport.yml, line 13, severity medium: The OPENSEARCH_CI_BOT_TOKEN secret is passed to an externally-controlled reusable workflow pinned only to a floating '@main' reference. If the upstream workflow is compromised or tampered with, the token would be exfiltrated. The risk is compounded by the pull_request_target trigger, which runs with write access to the base repository even for PRs from forks.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 1 | Medium: 1 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.
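The two findings above come down to one check a maintainer can automate: does every `uses:` reference in a workflow point at an immutable full-length commit SHA, and is a secret being handed to a mutable reference under a `pull_request_target` trigger? The script below is an added example written for this page; it is not the analyzer's code, not part of this PR, and not opensearch-build's workflow. The two embedded workflow texts are constructed samples: the reusable-workflow path `.github/workflows/backport-pr.yml` inside opensearch-build is assumed from the report's description, the all-zero SHA is an obvious placeholder for whatever commit a maintainer actually reviews, and the `token` job exists only to exercise the abbreviated-SHA and tag cases.

```python
import re
from typing import Dict, List, Optional

# A `uses:` line: optional list dash, then owner/repo[/path]@ref, then an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
FLOATING_BRANCHES = {"main", "master", "develop"}


def classify_ref(version: str) -> Optional[str]:
    """Describe why a ref is not an immutable pin, or return None for a full 40-hex commit SHA."""
    if FULL_SHA_RE.match(version):
        return None
    if SHORT_SHA_RE.match(version):
        return "abbreviated SHA (not guaranteed unique; pin the full 40-character SHA)"
    if version in FLOATING_BRANCHES or version.startswith("refs/heads/"):
        return "floating branch ref (every upstream push changes what runs here)"
    return "tag or branch name (mutable; can be moved to different code)"


def check_uses_pins(workflow_text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` reference that is not pinned to a full commit SHA.
    Local actions (./path) and Docker images (docker://) are skipped: they are not
    resolved from a third-party repository."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append({"line": lineno, "ref": ref,
                             "issue": "no ref at all (resolves to the default branch)"})
            continue
        issue = classify_ref(ref.rsplit("@", 1)[1])
        if issue:
            findings.append({"line": lineno, "ref": ref, "issue": issue})
    return findings


def uses_pull_request_target(workflow_text: str) -> bool:
    """True when the workflow can be triggered by pull_request_target, which runs with
    base-repository write permissions and secrets even for pull requests from forks."""
    return re.search(r"\bpull_request_target\b", workflow_text) is not None


# Constructed sample (NOT the PR's real backport.yml): the weak form the analyzer flagged.
FLOATING_WORKFLOW = """\
name: Backport
on:
  pull_request_target:
    types: [closed, labeled]
jobs:
  backport:
    uses: opensearch-project/opensearch-build/.github/workflows/backport-pr.yml@main
    secrets:
      OPENSEARCH_CI_BOT_TOKEN: ${{ secrets.OPENSEARCH_CI_BOT_TOKEN }}
  token:
    runs-on: ubuntu-latest
    steps:
      - uses: tibdex/github-app-token@1901dc7
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-thing
"""

# Constructed sample of the corrected form: same caller, reusable workflow pinned to a
# full SHA. The all-zero value is a PLACEHOLDER for the commit a maintainer has reviewed.
PINNED_WORKFLOW = """\
name: Backport
on:
  pull_request_target:
    types: [closed, labeled]
jobs:
  backport:
    uses: opensearch-project/opensearch-build/.github/workflows/backport-pr.yml@0000000000000000000000000000000000000000  # PLACEHOLDER SHA
    secrets:
      OPENSEARCH_CI_BOT_TOKEN: ${{ secrets.OPENSEARCH_CI_BOT_TOKEN }}
"""

if __name__ == "__main__":
    for name, text in (("floating", FLOATING_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        findings = check_uses_pins(text)
        trigger = "pull_request_target" if uses_pull_request_target(text) else "other trigger"
        print(f"{name}: {len(findings)} unpinned reference(s), {trigger}")
        for f in findings:
            print(f"  line {f['line']}: {f['ref']} -> {f['issue']}")
```

Run against the floating sample the script reports the reusable workflow at `@main`, the abbreviated `@1901dc7`, and the `@v4` tag, while the local action is ignored; the pinned sample produces no findings. The `pull_request_target` check is reported separately because it is what turns an unpinned reference into a secret-exfiltration path: without that trigger a fork PR would not receive `OPENSEARCH_CI_BOT_TOKEN` at all. Pinning by SHA only helps if maintainers also review the pinned commit before bumping it.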


Labels: enhancement (New feature or request)

Project status: In Review
