From 5eae3d7d5f208fed40276ddba34c83eaf6bd97fa Mon Sep 17 00:00:00 2001 From: Matvey Arye Date: Tue, 4 Jun 2024 21:03:05 -0400 Subject: [PATCH] Button down security --- .github/CODEOWNERS | 1 + .github/actions/install-pgrx/action.yml | 4 +- .github/actions/install-postgres/action.yml | 2 +- .github/matrix/dependencies.json | 10 ---- .github/workflows/code_checks.yml | 5 +- .github/workflows/deb-packager.yaml | 4 +- .github/workflows/pr-validation.yaml | 55 --------------------- .github/workflows/shellcheck.yaml | 2 +- scripts/package-deb.sh | 2 +- 9 files changed, 12 insertions(+), 73 deletions(-) delete mode 100644 .github/matrix/dependencies.json delete mode 100644 .github/workflows/pr-validation.yaml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 1c50734..ba9ebc0 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1,2 @@ * @timescale/ts-vector +/.github/ @jgpruitt @cevian @avthars \ No newline at end of file diff --git a/.github/actions/install-pgrx/action.yml b/.github/actions/install-pgrx/action.yml index b713733..5925ca2 100644 --- a/.github/actions/install-pgrx/action.yml +++ b/.github/actions/install-pgrx/action.yml @@ -39,7 +39,7 @@ runs: - name: Cache cargo-pgrx installation ${{ inputs.pgrx-version }} id: cache-cargo-pgrx - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ~/.cargo/bin/cargo-pgrx key: ${{runner.os}}-cargo-pgrx-${{ inputs.pgrx-version }}-pg${{ steps.pg-config.outputs.version }}-${{ steps.rustc.outputs.version }} @@ -60,7 +60,7 @@ runs: - name: Cache cargo-grcov installation ${{ inputs.grcov-version }} id: cache-cargo-grcov - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ~/.cargo/bin/grcov key: ${{runner.os}}-cargo-grcov-${{ inputs.grcov-version }}-${{ steps.rustc.outputs.version }} diff --git a/.github/actions/install-postgres/action.yml b/.github/actions/install-postgres/action.yml index 59b4090..38ff0b8 100644 --- a/.github/actions/install-postgres/action.yml 
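Review bot: The added `/.github/ @jgpruitt @cevian @avthars` rule in .github/CODEOWNERS only gates workflow and action changes if the protected branch has "Require review from Code Owners" enabled; that setting lives outside the repository, so confirm it alongside this commit. Because the last matching pattern wins, `@timescale/ts-vector` no longer owns anything under `.github/`, including CODEOWNERS itself, which looks intended but deserves a comment above the rule such as `# CI/workflow changes need review from the CI owners, not the whole team`. Listing individuals rather than a team means the line has to be edited whenever one of them loses write access, at which point that entry stops being a valid owner; a dedicated team handle would avoid that. The file also still ends without a trailing newline.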
+++ b/.github/actions/install-postgres/action.yml @@ -15,7 +15,7 @@ runs: steps: - name: Cache PostgreSQL ${{ inputs.pg-version }} id: cache-postgresql - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ${{ inputs.pg-src-dir }} key: ${{ runner.os }}-postgresql-${{ inputs.pg-version }} diff --git a/.github/matrix/dependencies.json b/.github/matrix/dependencies.json deleted file mode 100644 index 41fbcf2..0000000 --- a/.github/matrix/dependencies.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "0.0.0": { - "pg-version": [ - "16.1" - ], - "ts-version": [ - "2.13.x" - ] - } -} diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml index 9eae750..69be0e6 100644 --- a/.github/workflows/code_checks.yml +++ b/.github/workflows/code_checks.yml @@ -1,5 +1,8 @@ name: Run code checks on: [push, pull_request, workflow_dispatch] +permissions: + contents: read + jobs: fmt: runs-on: ubuntu-latest @@ -9,7 +12,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Verify formatting run: cd pgvectorscale && cargo fmt --check diff --git a/.github/workflows/deb-packager.yaml b/.github/workflows/deb-packager.yaml index 20a8104..b3a8392 100644 --- a/.github/workflows/deb-packager.yaml +++ b/.github/workflows/deb-packager.yaml @@ -30,7 +30,7 @@ jobs: steps: - name: Checkout pgvectorscale - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install Linux Packages uses: ./.github/actions/install-packages @@ -69,7 +69,7 @@ jobs: # Use a GH artifact, then we can make use of the (quite limited) GH API https://docs.github.com/en/rest/actions/artifacts # The artifact will have a TTL of 90 days - name: Upload deb as Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: vector-${{ env.TAG }}-pg${{ env.PG_VER }} path: pkgdump/pgvectorscale-*${{ env.TAG }}*.deb 
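Review bot: The top-level `permissions: contents: read` added to code_checks.yml is the only token restriction visible in this commit. The deb-packager.yaml and shellcheck.yaml hunks start below their workflow headers, so it can't be seen here whether those workflows also declare a `permissions:` block; that is worth checking, since a workflow without one inherits the repository default for GITHUB_TOKEN. A one-line comment above the block, e.g. `# Least privilege: jobs here only need to read the repository`, would tell the next editor to add scopes per job rather than widen this default. The `actions/checkout@v4` and `actions/cache@v4` references changed in this commit are still mutable tags; pinning each to a full commit SHA with the tag in a trailing comment would complete the hardening.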
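Review bot: Moving `actions/upload-artifact` from v3 to v4 in the last deb-packager.yaml hunk changes behaviour, not just the version: v4 artifacts are immutable, and a second upload to the same name within a run fails instead of merging. The name here is `vector-${{ env.TAG }}-pg${{ env.PG_VER }}`, so if the job matrix (outside this hunk) varies anything besides the PostgreSQL version, such as OS or architecture, that dimension needs to be added to the name. Any step or workflow that fetches this artifact through the download action must also move to `actions/download-artifact@v4`, because v3 cannot read artifacts uploaded by v4.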
diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml deleted file mode 100644 index a589527..0000000 --- a/.github/workflows/pr-validation.yaml +++ /dev/null @@ -1,55 +0,0 @@ -name: Pull Request Validation -on: - pull_request: - types: [opened, synchronize, reopened, edited] - branches: [main] -jobs: - # Count the number of commits in a pull request. This can be - # disabled by adding a trailer line of the following form to the - # pull request message: - # - # Disable-Check: commit-count - # - # The check is case-insensitive and ignores other contents on the - # line as well, so it is possible to add several different checks if - # that is necessary. - count_commits: - name: Enforce single commit pull request - runs-on: ubuntu-latest - steps: - - name: Checkout source - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.sha }} - fetch-depth: 0 - - name: Dump GitHub context (for debugging) - env: - GITHUB_CONTEXT: ${{ toJSON(github) }} - run: | - echo "GITHUB_CONTEXT: $GITHUB_CONTEXT" - - name: Check number of commits - shell: bash --norc --noprofile {0} - run: | - cat << "EOF" | egrep -qsi '^disable-check:.*\' - ${{ github.event.pull_request.body }} - EOF - if [[ $? -ne 0 ]]; then - base=${{ github.event.pull_request.base.sha }} - head=${{ github.event.pull_request.head.sha }} - count=`git rev-list --count $base..$head` - if [[ "$count" -ne 1 ]]; then - echo "Found $count commits in pull request (there should be only one):" - git log --format=format:'- %h %s' $base..$head - echo - echo "To disable commit count, add this trailer to pull request message:" - echo - echo "Disable-check: commit-count" - echo - echo "Trailers follow RFC2822 conventions, so no whitespace" - echo "before field name and the check is case-insensitive for" - echo "both the field name and the field body." - exit 1 - fi - fi - - 
diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml index 34f9c02..2bf3eec 100644 --- a/.github/workflows/shellcheck.yaml +++ b/.github/workflows/shellcheck.yaml @@ -21,7 +21,7 @@ jobs: sudo apt-get install shellcheck - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run shellcheck run: | diff --git a/scripts/package-deb.sh b/scripts/package-deb.sh index c96c487..12a7e47 100755 --- a/scripts/package-deb.sh +++ b/scripts/package-deb.sh @@ -2,7 +2,7 @@ DEBHELPER_COMPAT=11 -set -ex +set -eux OS_NAME="${3}" BASEDIR="${2}"/pgvectorscale
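Review bot: With `set -eux` now in effect in scripts/package-deb.sh, the `OS_NAME="${3}"` and `BASEDIR="${2}"/pgvectorscale` lines right below abort with a bare "unbound variable" error when the script is called with too few arguments. Giving the expansions a message makes that failure readable, e.g. `OS_NAME="${3:?OS name (argument 3) is required}"` and `BASEDIR="${2:?base directory (argument 2) is required}"/pgvectorscale`. The retained `-x` echoes every expanded command to the CI log, so if the rest of the script (outside this hunk) ever handles a token or signing key, tracing should be switched off around those lines with `set +x`. Pipelines are still not covered by `-e`; `set -o pipefail` would close that gap if the shebang, which is not visible here, is bash.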