github-advanced-security[bot] commented on code in PR #39097: URL: https://github.com/apache/beam/pull/39097#discussion_r3471298939
########## .github/workflows/deploy_release_candidate_pypi.yaml: ########## @@ -22,65 +22,69 @@ ~ ~jobs: ~ deploy_release_candidate_pypi: ~ runs-on: [self-hosted, ubuntu-24.04, main] ~ steps: ~ - name: Mask PyPi id/password ~ run: | ~ # Workaround for Actions bug - https://github.com/actions/runner/issues/643 ~ PYPI_API_TOKEN=$(jq -r '.inputs.PYPI_API_TOKEN' $GITHUB_EVENT_PATH) echo "::add-mask::$PYPI_API_TOKEN" - name: Checkout uses: actions/checkout@v7 + with: + persist-credentials: false - name: Setup environment uses: ./.github/actions/setup-environment-action with: ~ python-version: 3.11 ~ disable-cache: true ~ - name: Install dependencies ~ run: | ~ pip install python-dateutil ~ pip install requests ~ pip install twine ~ - name: Deploy to Pypi ~ env: ~ RC_TAG: "v${{ github.event.inputs.RELEASE }}-RC${{ github.event.inputs.RC }}" ~ GIT_REPO_BASE_URL: https://github.com/apache/beam ~ RELEASE_DIR: "beam/${{ github.event.inputs.RELEASE }}" ~ RELEASE: "${{ github.event.inputs.RELEASE }}" SCRIPT_DIR: release/src/main/scripts GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SVN_ARTIFACTS_DIR: "beam/${{ github.event.inputs.RELEASE }}/python" + GITHUB_EVENT_INPUTS_RC: ${{ github.event.inputs.RC }} + GITHUB_EVENT_INPUTS_PYPI_API_TOKEN: ${{ github.event.inputs.PYPI_API_TOKEN }} run: | git fetch --all --tags --prune RELEASE_COMMIT=$(git rev-list -n 1 $RC_TAG) ~ ~ PYTHON_ARTIFACTS_DIR="./python" ~ python "release/src/main/scripts/download_github_actions_artifacts.py" \ ~ --github-token-var GITHUB_TOKEN \ ~ --repo-url "apache/beam" \ --rc-tag "${RC_TAG}" \ --release-commit "${RELEASE_COMMIT}" \ --artifacts_dir "${PYTHON_ARTIFACTS_DIR}" \ - --rc_number "${{ github.event.inputs.RC }}" \ + --rc_number "${GITHUB_EVENT_INPUTS_RC}" \ --yes True cd "${PYTHON_ARTIFACTS_DIR}" ls - echo "------Checking Hash Value for apache_beam-${RELEASE}rc${{ github.event.inputs.RC }}.tar.gz-----" - sha512sum -c "apache_beam-${RELEASE}rc${{ github.event.inputs.RC }}.tar.gz.sha512" + echo "------Checking Hash Value for apache_beam-${RELEASE}rc${GITHUB_EVENT_INPUTS_RC}.tar.gz-----" + sha512sum -c "apache_beam-${RELEASE}rc${GITHUB_EVENT_INPUTS_RC}.tar.gz.sha512" for artifact in *.whl; do echo "----------Checking Hash Value for ${artifact} wheel-----------" ~ sha512sum -c "${artifact}.sha512" ~ done ~ ~ echo "===================Removing sha512 files=======================" ~ rm $(ls | grep -i ".*.sha512$") ~ ~ echo "====================Upload rc to pypi========================" ~ mkdir dist && mv $(ls | grep apache) dist && cd dist echo "Will upload the following files to PyPI:" ls - twine upload --verbose * -u __token__ -p "${{ github.event.inputs.PYPI_API_TOKEN }}" + twine upload --verbose * -u __token__ -p "${GITHUB_EVENT_INPUTS_PYPI_API_TOKEN}" Review Comment: ## CodeQL / Workflow does not contain permissions Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}} [Show more details](https://github.com/apache/beam/security/code-scanning/94) ########## .github/workflows/git_tag_released_version.yml: ########## @@ -32,23 +32,31 @@ ~ ~jobs: ~ generate_tags: ~ runs-on: ubuntu-latest ~ env: ~ VERSION_PATH: ${{ github.event.inputs.VERSION_TAG }} steps: - name: Check out code uses: actions/checkout@v7 + with: + persist-credentials: false - name: Set git config run: | git config user.name $GITHUB_ACTOR git config user.email actions@"$RUNNER_NAME".local - name: Tag for Go SDK run: | - git tag -a sdks/${{ github.event.inputs.VERSION_TAG }} -m ${{ github.event.inputs.RC_TAG }} - git push https://github.com/apache/beam sdks/${{ github.event.inputs.VERSION_TAG }} + git tag -a sdks/${GITHUB_EVENT_INPUTS_VERSION_TAG} -m ${GITHUB_EVENT_INPUTS_RC_TAG} + git push https://github.com/apache/beam sdks/${GITHUB_EVENT_INPUTS_VERSION_TAG} + env: + GITHUB_EVENT_INPUTS_VERSION_TAG: ${{ github.event.inputs.VERSION_TAG }} + GITHUB_EVENT_INPUTS_RC_TAG: ${{ github.event.inputs.RC_TAG }} - name: Tag for repo root run: | - git tag -a ${{ github.event.inputs.VERSION_TAG }} -m ${{ github.event.inputs.RC_TAG }} - git push https://github.com/apache/beam ${{ github.event.inputs.VERSION_TAG }} + git tag -a ${GITHUB_EVENT_INPUTS_VERSION_TAG} -m ${GITHUB_EVENT_INPUTS_RC_TAG} + git push https://github.com/apache/beam ${GITHUB_EVENT_INPUTS_VERSION_TAG} + env: + GITHUB_EVENT_INPUTS_VERSION_TAG: ${{ github.event.inputs.VERSION_TAG }} + GITHUB_EVENT_INPUTS_RC_TAG: ${{ github.event.inputs.RC_TAG }} Review Comment: ## CodeQL / Workflow does not contain permissions Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}} [Show more details](https://github.com/apache/beam/security/code-scanning/95) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
