feat: add a chart for the network mapper #5
Summary of Changes
Hello @roderik, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request significantly enhances the deployment capabilities of the network mapper by introducing a dedicated Helm chart. This chart encapsulates all necessary Kubernetes resources, such as Deployments, Services, Ingress, and Horizontal Pod Autoscalers, making the application easily deployable and scalable within a Kubernetes cluster. Additionally, it includes updates to development tooling configurations and a new script to streamline version management for both packages and charts, particularly in CI/CD pipelines.
Highlights
- New Helm Chart: A new Helm chart named `network-bootstrapper` has been added, providing a standardized way to deploy the network mapper application on Kubernetes.
- Development Tooling Updates: The `biome.jsonc` configuration has been updated to disable certain complexity rules, and the `yaml` dependency has been added to `package.json` and `bun.lock`.
- Automated Versioning Script: A new TypeScript script (`tools/version.ts`) has been introduced to automate the updating of package and Helm chart versions based on Git references and CI environment variables, ensuring consistent versioning across the project.
Hey there - I've reviewed your changes and they look great!
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location> `tools/version.ts:227-240` </location>
<code_context>
+ const glob = new Glob("**/package.json");
+ const packageFiles: string[] = [];
+
+ for await (const file of glob.scan(startPath || ".")) {
+ // Skip files in node_modules and kit/contracts/dependencies directories
+ if (
+ file.includes("node_modules/") ||
+ file.includes("kit/contracts/dependencies/")
+ ) {
+ continue;
+ }
+ packageFiles.push(file);
+ }
+
</code_context>
<issue_to_address>
**suggestion:** Exclusion logic may miss edge cases for unwanted directories.
String-based exclusion may fail if directory structures change or files are nested differently. Using path-based filters or glob ignore patterns would improve reliability.
```suggestion
// Find all package.json files in the workspace, excluding node_modules and kit/contracts/dependencies using glob ignore patterns
const glob = new Glob("**/package.json", {
ignore: [
"**/node_modules/**",
"**/kit/contracts/dependencies/**"
]
});
const packageFiles: string[] = [];
for await (const file of glob.scan(startPath || ".")) {
packageFiles.push(file);
}
```
</issue_to_address>
### Comment 2
<location> `tools/version.ts:329-330` </location>
<code_context>
+ console.log(`\nSuccessfully updated ${updatedCount} package.json files`);
+ } catch (err) {
+ console.error("Failed to update package versions:", err);
+ process.exit(1);
+ }
+}
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Direct use of process.exit may interfere with Bun's async operations.
Consider deferring process.exit or using Bun's recommended termination approach to ensure all async operations complete before exiting.
```suggestion
console.error("Failed to update package versions:", err);
// Defer process exit to allow pending async operations to complete (recommended for Bun)
setTimeout(() => process.exit(1), 100);
```
</issue_to_address>
### Comment 3
<location> `tools/version.ts:435` </location>
<code_context>
+}
+
+// Run the script if called directly
+if (import.meta.main) {
+ // Check if running in CI environment
+ if (!process.env.CI) {
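Review bot: `if (!process.env.CI)` at the bottom of this hunk treats any non-empty value as "running in CI", so `CI=false` passes the gate while an unset variable blocks every local run; compare against an explicit value (`process.env.CI === "true"`) and accept a separate override flag for manual version bumps instead of overloading the CI variable.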
</code_context>
<issue_to_address>
**suggestion:** Script requires CI environment variable to run.
Consider adding an option to bypass the CI check for local development or manual version bumping.
</issue_to_address>
### Comment 4
<location> `charts/network-bootstrapper/templates/serviceaccount.yaml:12` </location>
<code_context>
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
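Review bot: `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}` is rendered unconditionally, so an unset value produces an empty field that Kubernetes reads as the default, which mounts the API token into every pod. Default `automount` to `false` in values.yaml, and if the field is to be made optional, guard it with `hasKey .Values.serviceAccount "automount"` rather than `with`, since `with` treats `false` as empty and would silently drop the hardened setting.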
</code_context>
<issue_to_address>
**suggestion:** AutomountServiceAccountToken may be omitted for default behavior.
Only render automountServiceAccountToken if .Values.serviceAccount.automount is defined to avoid empty fields in the output.
</issue_to_address>
### Comment 5
<location> `charts/network-bootstrapper/templates/NOTES.txt:12` </location>
<code_context>
+ echo "Visit http://$APP_HOSTNAME{{ (first (first .Values.httpRoute.rules).matches).path.value }} to use your application"
+
+ NOTE: Your HTTPRoute depends on the listener configuration of your gateway and your HTTPRoute rules.
+ The rules can be set for path, method, header and query parameters.
+ You can check the gateway configuration with 'kubectl get --namespace {{(first .Values.httpRoute.parentRefs).namespace | default .Release.Namespace }} gateway/{{ (first .Values.httpRoute.parentRefs).name }} -o yaml'
+{{- end }}
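Review bot: the `echo` line hard-codes `http://`, so the printed URL is wrong for a gateway listener that terminates TLS, and the chained `first ... .path.value` lookups abort rendering of the whole release when `rules`, `matches` or `path` is empty; derive the scheme from the values and guard each level with `with` so NOTES.txt never fails an otherwise valid install.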
</code_context>
<issue_to_address>
**suggestion:** Consider changing 'header' to 'headers' for consistency.
This aligns with standard terminology in both HTTP and Kubernetes documentation.
```suggestion
The rules can be set for path, method, headers and query parameters.
```
</issue_to_address>
### Comment 6
<location> `tools/version.ts:219` </location>
<code_context>
+ * @param startPath - Starting path for finding package.json files (defaults to current working directory)
+ * @returns Promise that resolves when all updates are complete
+ */
+export async function updatePackageVersion(startPath?: string): Promise<void> {
+ try {
+ // Get the current version info
</code_context>
<issue_to_address>
**issue (complexity):** Consider refactoring the file scanning and processing logic into shared utilities to simplify and reduce duplication in updatePackageVersion and updateChartVersions.
Consider extracting the common “scan + read → transform → write” pattern into a small utility so both `updatePackageVersion` and `updateChartVersions` become very thin. For example:
```ts
// utils/fileProcessor.ts
import { Glob } from "bun";
export async function scanFiles(
pattern: string,
exclude: string[] = [],
cwd = "."
): Promise<string[]> {
const files: string[] = [];
for await (const file of new Glob(pattern).scan(cwd)) {
if (!exclude.some(e => file.includes(e))) files.push(file);
}
return files;
}
export async function processFile<T>({
filePath,
read,
update,
write,
}: {
filePath: string;
read: (raw: string) => T;
update: (data: T, filePath: string) => boolean;
write: (data: T) => string;
}): Promise<boolean> {
const raw = await Bun.file(filePath).text();
const data = read(raw);
if (!update(data, filePath)) return false;
await Bun.write(filePath, write(data));
console.log(` ✔ ${filePath}`);
return true;
}
```
Then your `updatePackageVersion` collapses to:
```ts
import { scanFiles, processFile } from "./utils/fileProcessor";
export async function updatePackageVersion(startPath = ".") {
const versionInfo = await getVersionInfo({ startPath });
const newVersion = versionInfo.version;
console.log(`Updating package.json to ${newVersion}`);
const pkgs = await scanFiles(
"**/package.json",
["node_modules/", "kit/contracts/dependencies/"],
startPath
);
let count = 0;
for (const pkgPath of pkgs) {
const changed = await processFile<PackageJson>({
filePath: pkgPath,
read: txt => JSON.parse(txt),
update: pkg => {
const prev = pkg.version;
pkg.version = newVersion;
const w = updateWorkspaceDependencies(pkg.dependencies, "dep", newVersion)
+ updateWorkspaceDependencies(pkg.devDependencies, "dev", newVersion);
return prev !== newVersion || w > 0;
},
write: pkg => JSON.stringify(pkg, null, 2) + "\n",
});
if (changed) count++;
}
console.log(`\nUpdated ${count}/${pkgs.length} package.json files`);
}
```
And likewise for `updateChartVersions`. You’ll end up with:
- A single `scanFiles` utility instead of repeated glob loops
- A single `processFile` helper instead of nested try/catches + read/parse/write
- Thin, focused modules for JSON vs YAML logic (just swap `read`/`write`)
This preserves all functionality but cuts ~100+ lines of duplication and nesting.
</issue_to_address>
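The `automountServiceAccountToken` discussion above (Comment 4) has a least-privilege angle the suggestion leaves implicit: the secure value is `false`, and Helm's `with` drops `false` because Go templates treat it as empty. The fragment below is an added example, not the chart's own `serviceaccount.yaml`; it assumes the `serviceAccount.create`, `serviceAccount.annotations` and `serviceAccount.automount` keys seen in the PR, and the `metadata.name` expression is a placeholder for whatever naming helper the chart uses.

```yaml
# values.yaml (added example; only the serviceAccount block is shown)
serviceAccount:
  create: true          # assumption: the chart exposes this key
  annotations: {}
  automount: false      # hardened default: no API token mounted unless a workload needs one
---
# templates/serviceaccount.yaml (added example, not the chart's file)
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}-network-bootstrapper   # placeholder; use the chart's naming helper
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
# hasKey, not "with": "with" would skip the block when the value is false,
# silently reverting to the Kubernetes default of mounting the token.
{{- if hasKey .Values.serviceAccount "automount" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}
{{- end }}
```

Check the rendered output with `helm template . --set serviceAccount.automount=false | grep automount` and confirm the field survives. If the pod spec in `deployment.yaml` also sets `spec.automountServiceAccountToken`, that pod-level value takes precedence over the ServiceAccount's, so keep the two consistent.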
Code Review
This pull request introduces a new Helm chart for the network-bootstrapper and a supporting versioning script. The overall structure is good, but I've identified a few critical issues in the Helm templates that could cause deployment failures under certain conditions. Specifically, the templates for NOTES.txt and httproute.yaml have fragile logic that needs to be made more robust. Additionally, the new versioning script in tools/version.ts has some logical flaws in its change detection, leading to unnecessary file writes and unreachable code. My review includes suggestions to address these issues.
charts/network-bootstrapper/templates/NOTES.txt

```
{{- if and .Values.httpRoute.rules (first .Values.httpRoute.rules).matches (first (first .Values.httpRoute.rules).matches).path.value }}
echo "Visit http://$APP_HOSTNAME{{ (first (first .Values.httpRoute.rules).matches).path.value }} to use your application"

NOTE: Your HTTPRoute depends on the listener configuration of your gateway and your HTTPRoute rules.
The rules can be set for path, method, header and query parameters.
You can check the gateway configuration with 'kubectl get --namespace {{(first .Values.httpRoute.parentRefs).namespace | default .Release.Namespace }} gateway/{{ (first .Values.httpRoute.parentRefs).name }} -o yaml'
{{- end }}
```
The logic to extract the path from httpRoute.rules is very fragile. It uses first multiple times and direct property access without checking for existence. If .Values.httpRoute.rules or any of the nested properties are empty or nil, the template rendering will fail, causing the entire Helm operation to abort. This should be made more robust to avoid installation failures.
```
{{- $path := "" }}
{{- with .Values.httpRoute.rules | first }}
{{- with .matches | first }}
{{- with .path }}
{{- $path = .value }}
{{- end }}
{{- end }}
{{- end }}
{{- if $path }}
echo "Visit http://$APP_HOSTNAME{{ $path }} to use your application"

NOTE: Your HTTPRoute depends on the listener configuration of your gateway and your HTTPRoute rules.
The rules can be set for path, method, header and query parameters.
You can check the gateway configuration with 'kubectl get --namespace {{(first .Values.httpRoute.parentRefs).namespace | default .Release.Namespace }} gateway/{{ (first .Values.httpRoute.parentRefs).name }} -o yaml'
{{- end }}
```
charts/network-bootstrapper/templates/httproute.yaml

```yaml
{{- range .Values.httpRoute.rules }}
{{- with .matches }}
- matches:
  {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .filters }}
  filters:
  {{- toYaml . | nindent 8 }}
{{- end }}
  backendRefs:
  - name: {{ $fullName }}
    port: {{ $svcPort }}
    weight: 1
{{- end }}
```
The current logic for rendering the rules in the HTTPRoute is incorrect. The list item marker - is inside the {{- with .matches }} block. This means if a rule is defined in values.yaml without a matches key, the template will render invalid YAML, as the list item will be missing its - marker. This will cause Helm installation to fail for valid configurations.
```yaml
{{- range .Values.httpRoute.rules }}
-
  {{- if .matches }}
  matches:
  {{- toYaml .matches | nindent 8 }}
  {{- end }}
  {{- if .filters }}
  filters:
  {{- toYaml .filters | nindent 8 }}
  {{- end }}
  backendRefs:
  - name: {{ $fullName }}
    port: {{ $svcPort }}
    weight: 1
{{- end }}
```
tools/version.ts (outdated)

```ts
const oldVersion = packageJson.version;
let hasChanges = false;

// Update the main version
packageJson.version = newVersion;
hasChanges = true;

// Update workspace dependencies in all dependency types
const workspaceUpdates = [
  updateWorkspaceDependencies(
    packageJson.dependencies as Record<string, string>,
    "dependencies",
    newVersion
  ),
  updateWorkspaceDependencies(
    packageJson.devDependencies as Record<string, string>,
    "devDependencies",
    newVersion
  ),
  updateWorkspaceDependencies(
    packageJson.peerDependencies as Record<string, string>,
    "peerDependencies",
    newVersion
  ),
  updateWorkspaceDependencies(
    packageJson.optionalDependencies as Record<string, string>,
    "optionalDependencies",
    newVersion
  ),
];

const totalWorkspaceUpdates = workspaceUpdates.reduce(
  (sum, count) => sum + count,
  0
);

if (hasChanges) {
```
The logic for detecting changes is flawed. hasChanges is always set to true after the version is assigned, which makes the else block at line 319 unreachable. This causes the file to be rewritten on every run, even if no changes were made. The logic should be adjusted to only write the file when the version or dependencies have actually changed.
```ts
const oldVersion = packageJson.version;
let hasChanges = oldVersion !== newVersion;

// Update the main version
if (hasChanges) {
  packageJson.version = newVersion;
}

// Update workspace dependencies in all dependency types
const workspaceUpdates = [
  updateWorkspaceDependencies(
    packageJson.dependencies as Record<string, string>,
    "dependencies",
    newVersion
  ),
  updateWorkspaceDependencies(
    packageJson.devDependencies as Record<string, string>,
    "devDependencies",
    newVersion
  ),
  updateWorkspaceDependencies(
    packageJson.peerDependencies as Record<string, string>,
    "peerDependencies",
    newVersion
  ),
  updateWorkspaceDependencies(
    packageJson.optionalDependencies as Record<string, string>,
    "optionalDependencies",
    newVersion
  ),
];

const totalWorkspaceUpdates = workspaceUpdates.reduce(
  (sum, count) => sum + count,
  0
);

if (totalWorkspaceUpdates > 0) {
  hasChanges = true;
}

if (hasChanges) {
```
tools/version.ts (outdated)

```ts
let hasChanges = false;

// Update the version fields
if (chart.version) {
  chart.version = newVersion;
  hasChanges = true;
}
if (chart.appVersion) {
  chart.appVersion = newVersion;
  hasChanges = true;
}
```
The logic for detecting changes is flawed. hasChanges is set to true if version or appVersion fields exist, regardless of whether their values are changing. This will cause the file to be rewritten on every run, even when no update is necessary. The logic should be adjusted to only set hasChanges if the values are actually different.
```ts
let hasChanges = false;

// Update the version fields
if (chart.version && chart.version !== newVersion) {
  chart.version = newVersion;
  hasChanges = true;
}
if (chart.appVersion && chart.appVersion !== newVersion) {
  chart.appVersion = newVersion;
  hasChanges = true;
}
```

```yaml
{{- with .Values.livenessProbe }}
livenessProbe:
  {{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.readinessProbe }}
readinessProbe:
  {{- toYaml . | nindent 12 }}
```
Potential bug: The Helm chart is misconfigured for a CLI tool, using HTTP probes and a default nginx image, which will cause either deployment failure or deployment of the wrong application.
- Description: The Helm chart is configured to deploy a long-running web service, but the `network-bootstrapper` application is a command-line tool that runs to completion and then exits. The `deployment.yaml` specifies HTTP `livenessProbe` and `readinessProbe`. If the correct application image were used, these probes would fail because the container does not run an HTTP server, causing the pod to enter a restart loop and the deployment to fail. Additionally, the default image specified in `values.yaml` is `nginx`, which is incorrect. This would result in deploying an nginx web server instead of the intended application.
- Suggested fix: The workload should be refactored to use a Kubernetes `Job` resource, which is designed for run-to-completion tasks. If a `Deployment` must be used, the HTTP `livenessProbe` and `readinessProbe` should be removed. The default image in `values.yaml` must also be updated to point to the correct `network-bootstrapper` container image.
severity: 0.9, confidence: 0.95
New security issues found
```yaml
- name: Set up Helm
  if: github.event_name == 'pull_request' || github.event_name == 'push'
  uses: azure/setup-helm@v4
```
security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
```yaml
- name: Set up chart-testing
  if: github.event_name == 'pull_request' || github.event_name == 'push'
  uses: helm/chart-testing-action@v2.7.0
```
security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
```yaml
- name: Create kind cluster
  if: (github.event_name == 'pull_request' || github.event_name == 'push') && steps.ct-changed.outputs.changed == 'true'
  uses: helm/kind-action@v1.12.0
```
security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
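The three opengrep findings above all come from the same rule, and the fix is the same for each: a tag such as `@v4` or `@v2.7.0` is a mutable ref that the action's maintainers (or anyone who compromises their repository) can move, whereas a full 40-hex commit SHA is not. The fragment below is an added example and not the PR's workflow file; the `<sha-of-...>` values are placeholders to be replaced with the commit each tag currently resolves to, never typed from memory.

```yaml
# Flagged form (added example, mirrors the steps opengrep reported): mutable tag refs
steps:
  - name: Set up Helm
    uses: azure/setup-helm@v4
  - name: Set up chart-testing
    uses: helm/chart-testing-action@v2.7.0
  - name: Create kind cluster
    uses: helm/kind-action@v1.12.0
---
# Hardened form: pin to the full commit SHA and keep the human-readable version as a
# trailing comment so Dependabot/Renovate can still propose bumps.
# Resolve each SHA once from the upstream repository, e.g.
#   git ls-remote https://github.com/azure/setup-helm refs/tags/v4 'refs/tags/v4^{}'
# and take the peeled "^{}" entry for annotated tags: `uses:` needs a commit SHA,
# not the SHA of the tag object itself.
steps:
  - name: Set up Helm
    uses: azure/setup-helm@<sha-of-v4> # v4
  - name: Set up chart-testing
    uses: helm/chart-testing-action@<sha-of-v2.7.0> # v2.7.0
  - name: Create kind cluster
    uses: helm/kind-action@<sha-of-v1.12.0> # v1.12.0
```

Pinning only removes the "tag moved underneath us" class of attack; a compromised maintainer account can still publish a malicious commit, which is why the version comment plus an automated updater that opens a reviewable PR for each bump is the companion control.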
…d .github workflows
… adjust expected counts
New security issues found
| if: | | ||
| github.event_name == 'push' || | ||
| (github.event_name == 'pull_request' && github.event.pull_request.draft == false) | ||
| uses: docker/login-action@v3 |
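Review bot: `uses: docker/login-action@v3` is a floating major-version tag that advances with every v3.x release, the loosest pin in this workflow; replace it with the release's full commit SHA and keep the version as a comment. The step condition also admits every non-draft `pull_request` event; if the `with:` block (outside the shown lines) authenticates with repository secrets, those are not exposed to workflows triggered by pull requests from forks, so consider additionally guarding the step on `github.event.pull_request.head.repo.full_name == github.repository` to avoid a guaranteed login failure on fork PRs.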
security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
…ce timeout settings and streamline command execution
New security issues found
…mand timeout settings
New security issues found
Summary by Sourcery
Add a new network-bootstrapper Helm chart and introduce an automated versioning script, integrating version updates into the CI pipeline.
New Features:
Enhancements:
CI: