[Snyk] Security upgrade swagger-ui-react from 5.17.10 to 5.18.0 #146
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- "main" | |
- "release-*" | |
- "!release-2.8" | |
pull_request: | |
branches: | |
- "main" | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: | |
contents: read | |
jobs: | |
changed-files: | |
name: Get changed files | |
outputs: | |
# reference: https://github.com/tj-actions/changed-files#outputs- | |
tests: ${{ steps.changed-files.outputs.tests_any_modified == 'true' }} | |
e2e-tests: ${{ steps.changed-files.outputs.e2e-tests_any_modified == 'true' }} | |
codegen: ${{ steps.changed-files.outputs.codegen_any_modified == 'true' }} | |
lint: ${{ steps.changed-files.outputs.lint_any_modified == 'true' }} | |
ui: ${{ steps.changed-files.outputs.ui_any_modified == 'true' }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 50 # assume PRs are less than 50 commits | |
- name: Get relevant files changed per group | |
id: changed-files | |
uses: tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2 | |
with: | |
files_yaml: | | |
common: &common | |
- .github/workflows/ci-build.yaml | |
- Makefile | |
- tasks.yaml | |
tests: &tests | |
- *common | |
- cmd/** | |
- config/** | |
- errors/** | |
- persist/** | |
- pkg/** | |
- server/** | |
- test/** | |
- util/** | |
- workflow/** | |
- go.mod | |
- go.sum | |
e2e-tests: | |
- *tests | |
# plus manifests and SDKs that are used in E2E tests | |
- Dockerfile | |
- manifests/** | |
- sdks/** | |
codegen: | |
- *common | |
# generated files | |
- api/** | |
- docs/fields.md | |
- docs/executor_swagger.md | |
- docs/cli/** | |
- pkg/** | |
- sdks/java/** | |
- sdks/python/** | |
# files that generation is based off | |
- pkg/** | |
- cmd/** | |
- examples/** # examples are used within the fields lists | |
- manifests/** # a few of these are generated and committed | |
# generation scripts | |
- hack/api/** | |
- hack/docs/** | |
- hack/manifests/** | |
- .clang-format | |
lint: | |
- *tests | |
# plus lint config | |
- .golangci.yml | |
# all GH workflows / actions | |
- .github/workflows/** | |
# docs files below | |
- docs/** | |
# generated files are covered by codegen | |
- '!docs/fields.md' | |
- '!docs/executor_swagger.md' | |
- '!docs/cli/**' | |
# proposals live only on GH as pure markdown | |
- '!docs/proposals/**' | |
# docs scripts & tools from `make docs` | |
- hack/docs/copy-readme.sh | |
- hack/docs/check-env-doc.sh | |
- .markdownlint.yaml | |
- .mlc_config.json | |
- .spelling | |
- mkdocs.yml | |
ui: | |
- *common | |
- ui/** | |
tests: | |
name: Unit Tests | |
needs: [ changed-files ] | |
if: ${{ needs.changed-files.outputs.tests == 'true' }} | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: "1.22" | |
cache: true | |
- run: make test STATIC_FILES=false GOTEST='go test -p 20 -covermode=atomic -coverprofile=coverage.out' | |
- name: Upload coverage report | |
# engineers just ignore this in PRs, so lets not even run it | |
if: github.ref == 'refs/heads/main' | |
uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0 | |
with: | |
fail_ci_if_error: true | |
env: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
tests-windows: | |
name: Windows Unit Tests | |
needs: [ changed-files ] | |
if: ${{ needs.changed-files.outputs.tests == 'true' }} | |
runs-on: windows-2022 | |
timeout-minutes: 20 | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: "1.22" | |
cache: true | |
# windows run does not use makefile target because it does a lot more than just testing and is not cross-platform compatible | |
- run: go test -p 20 -covermode=atomic -coverprofile='coverage.out' $(go list ./... | select-string -Pattern 'github.com/argoproj/argo-workflows/v3/workflow/controller' , 'github.com/argoproj/argo-workflows/v3/server' -NotMatch) | |
env: | |
KUBECONFIG: /dev/null | |
- name: Upload coverage report | |
# engineers just ignore this in PRs, so lets not even run it | |
if: github.ref == 'refs/heads/main' | |
uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0 | |
with: | |
fail_ci_if_error: true | |
env: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
argo-images: | |
name: argo-images | |
# needs: [ lint ] | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- image: argoexec | |
- image: argocli | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
- name: Build and export | |
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
with: | |
context: . | |
tags: quay.io/argoproj/${{matrix.image}}:latest | |
outputs: type=docker,dest=/tmp/${{matrix.image}}_image.tar | |
target: ${{matrix.image}} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- name: Upload | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: ${{matrix.image}}_image.tar | |
path: /tmp/${{matrix.image}}_image.tar | |
if-no-files-found: error | |
e2e-tests: | |
name: E2E Tests | |
needs: [ changed-files, argo-images ] | |
if: ${{ needs.changed-files.outputs.e2e-tests == 'true' }} | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
env: | |
KUBECONFIG: /home/runner/.kubeconfig | |
E2E_ENV_FACTOR: 2 | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- test: test-executor | |
profile: minimal | |
- test: test-corefunctional | |
profile: minimal | |
- test: test-functional | |
profile: minimal | |
- test: test-api | |
profile: mysql | |
- test: test-cli | |
profile: mysql | |
- test: test-cron | |
profile: minimal | |
- test: test-examples | |
profile: minimal | |
- test: test-plugins | |
profile: plugins | |
- test: test-java-sdk | |
profile: minimal | |
- test: test-python-sdk | |
profile: minimal | |
- test: test-executor | |
install_k3s_version: v1.28.11+k3s1 | |
profile: minimal | |
- test: test-corefunctional | |
install_k3s_version: v1.28.11+k3s1 | |
profile: minimal | |
- test: test-functional | |
install_k3s_version: v1.28.11+k3s1 | |
profile: minimal | |
steps: | |
- name: Install socat (needed by Kubernetes) | |
run: sudo apt-get -y install socat | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: "1.22" | |
cache: true | |
- name: Install Java for the SDK | |
if: ${{matrix.test == 'test-java-sdk'}} | |
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 | |
with: | |
java-version: '8' | |
distribution: adopt | |
cache: maven | |
- name: Install Python for the SDK | |
if: ${{matrix.test == 'test-python-sdk'}} | |
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 | |
with: | |
python-version: '3.x' | |
cache: pip | |
- name: Install and start K3S | |
run: | | |
if ! echo "${{ matrix.install_k3s_version }}" | egrep '^v[0-9]+\.[0-9]+\.[0-9]+\+k3s1$'; then | |
export INSTALL_K3S_VERSION=v1.30.2+k3s1 | |
else | |
export INSTALL_K3S_VERSION=${{ matrix.install_k3s_version }} | |
fi | |
curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=stable INSTALL_K3S_EXEC=--docker K3S_KUBECONFIG_MODE=644 sh - | |
until kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml cluster-info ; do sleep 10s ; done | |
cp /etc/rancher/k3s/k3s.yaml /home/runner/.kubeconfig | |
echo "- name: fake_token_user" >> $KUBECONFIG | |
echo " user:" >> $KUBECONFIG | |
echo " token: xxxxxx" >> $KUBECONFIG | |
until kubectl cluster-info ; do sleep 10s ; done | |
- name: Download images | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
pattern: '*_image.tar' | |
path: /tmp | |
- name: Load images | |
run: | | |
set -eux | |
docker load < /tmp/argoexec_image.tar/argoexec_image.tar | |
docker load < /tmp/argocli_image.tar/argocli_image.tar | |
- name: Set-up /etc/hosts | |
run: | | |
echo '127.0.0.1 dex' | sudo tee -a /etc/hosts | |
echo '127.0.0.1 minio' | sudo tee -a /etc/hosts | |
echo '127.0.0.1 postgres' | sudo tee -a /etc/hosts | |
echo '127.0.0.1 mysql' | sudo tee -a /etc/hosts | |
echo '127.0.0.1 azurite' | sudo tee -a /etc/hosts | |
- name: Install manifests | |
run: make install PROFILE=${{matrix.profile}} STATIC_FILES=false | |
- name: Build controller | |
run: make controller kit STATIC_FILES=false | |
- name: Build CLI | |
run: make cli STATIC_FILES=false | |
if: ${{matrix.test == 'test-api' || matrix.test == 'test-cli' || matrix.test == 'test-java-sdk' || matrix.test == 'test-python-sdk'}} | |
- name: Start controller/API | |
run: | | |
make start PROFILE=${{matrix.profile}} \ | |
AUTH_MODE=client STATIC_FILES=false \ | |
LOG_LEVEL=info \ | |
API=${{matrix.test == 'test-api' || matrix.test == 'test-cli' || matrix.test == 'test-java-sdk' || matrix.test == 'test-python-sdk'}} \ | |
UI=false \ | |
POD_STATUS_CAPTURE_FINALIZER=true > /tmp/argo.log 2>&1 & | |
- name: Wait for controller to be up | |
run: make wait API=${{matrix.test == 'test-api' || matrix.test == 'test-cli' || matrix.test == 'test-java-sdk' || matrix.test == 'test-python-sdk'}} | |
timeout-minutes: 5 | |
- name: Run tests ${{matrix.test}} | |
run: make ${{matrix.test}} E2E_SUITE_TIMEOUT=20m STATIC_FILES=false | |
# failure debugging below | |
- name: Failure debug - describe MinIO/MySQL deployment | |
if: ${{ failure() }} | |
run: | | |
set -eux | |
kubectl get deploy | |
kubectl describe deploy | |
- name: Failure debug - describe MinIO/MySQL pods | |
if: ${{ failure() }} | |
run: | | |
set -eux | |
kubectl get pods -l '!workflows.argoproj.io/workflow' | |
kubectl describe pods -l '!workflows.argoproj.io/workflow' | |
- name: Failure debug - MinIO/MySQL logs | |
if: ${{ failure() }} | |
run: kubectl logs -l '!workflows.argoproj.io/workflow' --prefix | |
- name: Failure debug - Controller/API logs | |
if: ${{ failure() }} | |
run: | | |
[ -e /tmp/argo.log ] && cat /tmp/argo.log | |
- if: ${{ failure() }} | |
name: Failure debug - describe Workflows | |
run: | | |
set -eux | |
kubectl get wf | |
kubectl describe wf | |
- name: Failure debug - describe Workflow pods | |
if: ${{ failure() }} | |
run: | | |
set -eux | |
kubectl get pods -l workflows.argoproj.io/workflow | |
kubectl describe pods -l workflows.argoproj.io/workflow | |
- name: Failure debug - Workflow Pod logs | |
if: ${{ failure() }} | |
run: kubectl logs --all-containers -l workflows.argoproj.io/workflow --prefix | |
# workaround for status checks -- check this one job instead of each individual E2E job in the matrix | |
# this allows us to skip the entire matrix when it doesn't need to run while still having accurate status checks | |
# see https://github.com/orgs/community/discussions/9141#discussioncomment-2296809 and https://github.com/orgs/community/discussions/26822#discussioncomment-3305794 | |
e2e-tests-composite-result: | |
name: E2E Tests - Composite result | |
needs: [ e2e-tests ] | |
if: ${{ always() }} | |
runs-on: ubuntu-latest | |
steps: | |
- run: | | |
result="${{ needs.e2e-tests.result }}" | |
# mark as successful even if skipped | |
if [[ $result == "success" || $result == "skipped" ]]; then | |
exit 0 | |
else | |
exit 1 | |
fi | |
codegen: | |
name: Codegen | |
needs: [ changed-files ] | |
if: ${{ needs.changed-files.outputs.codegen == 'true' }} | |
runs-on: ubuntu-latest | |
timeout-minutes: 20 | |
env: | |
GOPATH: /home/runner/go | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: "1.22" | |
cache: true | |
- name: Install protoc | |
run: | | |
set -eux -o pipefail | |
curl -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/protoc-3.19.4-linux-x86_64.zip | |
sudo unzip -o protoc-3.19.4-linux-x86_64.zip -d /usr/local bin/protoc | |
sudo unzip -o protoc-3.19.4-linux-x86_64.zip -d /usr/local 'include/*' | |
sudo chmod +x /usr/local/bin/protoc | |
sudo find /usr/local/include -type f | xargs sudo chmod a+r | |
sudo find /usr/local/include -type d | xargs sudo chmod a+rx | |
ls /usr/local/include/google/protobuf/ | |
- name: Pull OpenAPI Generator CLI Docker image | |
run: | | |
docker pull openapitools/openapi-generator-cli:v5.4.0 & | |
docker pull openapitools/openapi-generator-cli:v5.2.1 & | |
- name: Create symlinks | |
run: | | |
mkdir -p /home/runner/go/src/github.com/argoproj | |
ln -s "$PWD" /home/runner/go/src/github.com/argoproj/argo-workflows | |
- run: make codegen -B STATIC_FILES=false | |
# if codegen makes changes that are not in the PR, fail the build | |
- name: Check if codegen made changes not present in the PR | |
run: git diff --exit-code | |
lint: | |
name: Lint | |
needs: [ changed-files ] | |
if: ${{ needs.changed-files.outputs.lint == 'true' }} | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 # must be strictly greater than the timeout in .golangci.yml | |
env: | |
GOPATH: /home/runner/go | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: "1.22" | |
cache: true | |
- run: make lint STATIC_FILES=false | |
# if lint makes changes that are not in the PR, fail the build | |
- name: Check if lint made changes not present in the PR | |
run: git diff --exit-code | |
# lint GH Actions | |
- name: Ensure GH Actions are pinned to SHAs | |
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ba37328d4ea95eaf8b3bd6c6cef308f709a5f2ec # v3.0.3 | |
ui: | |
name: UI | |
needs: [ changed-files ] | |
if: ${{ needs.changed-files.outputs.ui == 'true' }} | |
runs-on: ubuntu-latest | |
timeout-minutes: 6 | |
env: | |
NODE_OPTIONS: --max-old-space-size=4096 | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 | |
with: | |
node-version: "20" # change in all GH Workflows | |
cache: yarn | |
cache-dependency-path: ui/yarn.lock | |
- run: yarn --cwd ui install | |
- run: yarn --cwd ui build | |
- run: yarn --cwd ui test | |
- run: yarn --cwd ui lint | |
- run: yarn --cwd ui deduplicate | |
# if lint or deduplicate make changes that are not in the PR, fail the build | |
- name: Check if lint & deduplicate made changes not present in the PR | |
run: git diff --exit-code | |
# check to see if it'll start (but not if it'll render) | |
- run: yarn --cwd ui start & | |
- run: until curl http://localhost:8080 > /dev/null ; do sleep 10s ; done | |
timeout-minutes: 1 |