public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[v9.4.x] Added security patch delivery workflows (#71147)

Browse Source 
Added security patch delivery workflows (#71101)

* adding security patch workflows

* adding grafana-delivery as codeowners for new pr-security-check workflows

* adding release branch triggers to PR security patch github action

* joined security patching mirror and apply jobs

* remove temp files

(cherry picked from commit d88046d3d4)

Co-authored-by: Ricky Whitaker <ricky.whitaker@grafana.com>
This commit is contained in:
grafana-delivery-bot[bot]
2023-07-06 11:11:27 -05:00
committed by GitHub
parent 3e8916aa81
commit 51b8889874
3 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/pr-security-patch-check.yml
+24
View File
@@ -0,0 +1,24 @@
# Owned by grafana-delivery-squad
# Intended to be dropped into the base repo Ex: grafana/grafana
name: Check for security patch conflicts
run-name: check-security-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
on:
pull_request_target:
types:
- opened
branches:
- "main"
- "v*.*.*"
- "release-*"
# Since this is run on a pull request, we want to apply the patches intended for the
# target branch onto the source branch, to verify compatibility before merging.
jobs:
trigger_downstream_patch_check:
uses: grafana/security-patch-actions/.github/workflows/test-patches.yml@main
with:
src_repo: "${{ github.repository }}"
src_ref: "${{ github.head_ref }}" # this is the source branch name, Ex: "feature/newthing"
patch_repo: "${{ github.repository }}-security-patches"
patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
secrets: inherit
.github/workflows/pr-security-patch-mirror-and-apply.yml
+26
View File
@@ -0,0 +1,26 @@
# Owned by grafana-delivery-squad
# Intended to be dropped into the base repo, Ex: grafana/grafana
name: Sync to security mirror
run-name: sync-to-security-mirror-${{ github.base_ref }}-${{ github.head_ref }}
on:
pull_request_target:
types:
- closed
branches:
- "main"
- "v*.*.*"
- "release-*"
# This is run after the pull request has been merged, so we'll run against the target branch
jobs:
trigger_downstream_security_mirror:
concurrency: security-mirror-${{ github.ref }}
if: github.event.pull_request.merged == true
uses: grafana/security-patch-actions/.github/workflows/mirror-branch-and-apply-patches.yml@main
with:
ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
src_repo: "${{ github.repository }}"
dest_repo: "${{ github.repository }}-security-mirror"
patch_repo: "${{ github.repository }}-security-patches"
secrets: inherit