IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Added security patch delivery workflows (#71101)

Browse Source 
* adding security patch workflows

* adding grafana-delivery as codeowners for new pr-security-check workflows

* adding release branch triggers to PR security patch github action

* joined security patching mirror and apply jobs

* remove temp files
This commit is contained in:
Ricky Whitaker 2023-07-06 10:06:17 -05:00 committed by GitHub
parent d33508453f
commit d88046d3d4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/CODEOWNERS vendored
View File

@ -611,6 +611,8 @@ embed.go @grafana/grafana-as-code
/.github/workflows/pr-codeql-analysis-python.yml @DanCech /.github/workflows/pr-codeql-analysis-python.yml @DanCech
/.github/workflows/pr-commands-closed.yml @tolzhabayev /.github/workflows/pr-commands-closed.yml @tolzhabayev
/.github/workflows/pr-commands.yml @marefr /.github/workflows/pr-commands.yml @marefr
/.github/workflows/pr-security-patch-check.yml @grafana/grafana-delivery
/.github/workflows/pr-security-patch-mirror-and-apply.yml @grafana/grafana-delivery
/.github/workflows/publish-technical-documentation-next.yml @grafana/docs-grafana /.github/workflows/publish-technical-documentation-next.yml @grafana/docs-grafana
/.github/workflows/publish-technical-documentation-release.yml @grafana/docs-grafana /.github/workflows/publish-technical-documentation-release.yml @grafana/docs-grafana
/.github/workflows/remove-milestone.yml @grafana/grafana-delivery /.github/workflows/remove-milestone.yml @grafana/grafana-delivery

24
.github/workflows/pr-security-patch-check.yml vendored Normal file
View File

@ -0,0 +1,24 @@
# Owned by grafana-delivery-squad
# Intended to be dropped into the base repo Ex: grafana/grafana
name: Check for security patch conflicts
run-name: check-security-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
on:
pull_request_target:
types:
- opened
branches:
- "main"
- "v*.*.*"
- "release-*"
# Since this is run on a pull request, we want to apply the patches intended for the
# target branch onto the source branch, to verify compatibility before merging.
jobs:
trigger_downstream_patch_check:
uses: grafana/security-patch-actions/.github/workflows/test-patches.yml@main
with:
src_repo: "${{ github.repository }}"
src_ref: "${{ github.head_ref }}" # this is the source branch name, Ex: "feature/newthing"
patch_repo: "${{ github.repository }}-security-patches"
patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
secrets: inherit

26
.github/workflows/pr-security-patch-mirror-and-apply.yml vendored Normal file
View File

@ -0,0 +1,26 @@
# Owned by grafana-delivery-squad
# Intended to be dropped into the base repo, Ex: grafana/grafana
name: Sync to security mirror
run-name: sync-to-security-mirror-${{ github.base_ref }}-${{ github.head_ref }}
on:
pull_request_target:
types:
- closed
branches:
- "main"
- "v*.*.*"
- "release-*"
# This is run after the pull request has been merged, so we'll run against the target branch
jobs:
trigger_downstream_security_mirror:
concurrency: security-mirror-${{ github.ref }}
if: github.event.pull_request.merged == true
uses: grafana/security-patch-actions/.github/workflows/mirror-branch-and-apply-patches.yml@main
with:
ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
src_repo: "${{ github.repository }}"
dest_repo: "${{ github.repository }}-security-mirror"
patch_repo: "${{ github.repository }}-security-patches"
secrets: inherit