From 9fabd658332a0f292fe47b4bc451a883c48771a3 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Mon, 19 Aug 2024 16:19:17 -0400 Subject: [PATCH 01/13] chore: secure hermetic_library_generation workflow Thanks to @diogoteles08 for the inspection on our repos. This PR inlines environment variables to avoid overriding script injections. --- .github/workflows/hermetic_library_generation.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index f7dfb896e6..8231032928 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -19,11 +19,12 @@ on: env: HEAD_REF: ${{ github.head_ref }} + REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} jobs: library_generation: # skip pull requests come from a forked repository - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ env.REPO_FULL_NAME }} == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 73df8308f4777e8a54c7a3f0582f18f5e00bcf77 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Mon, 19 Aug 2024 16:25:55 -0400 Subject: [PATCH 02/13] fix github object reference --- .github/workflows/hermetic_library_generation.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 8231032928..161e69c31f 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -24,7 +24,7 @@ env: jobs: library_generation: # skip pull requests come from a forked repository - if: ${{ env.REPO_FULL_NAME }} == github.repository + if: ${{ github.env.REPO_FULL_NAME }} == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 562c68a55c9176648d3277e316bffe8fdff71905 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Mon, 19 Aug 2024 16:28:31 -0400 Subject: [PATCH 03/13] Update hermetic_library_generation.yaml --- .github/workflows/hermetic_library_generation.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 161e69c31f..a1cce51199 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -24,7 +24,7 @@ env: jobs: library_generation: # skip pull requests come from a forked repository - if: ${{ github.env.REPO_FULL_NAME }} == github.repository + if: github.env.REPO_FULL_NAME == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 77fdb6afed5b7c7ac9bbabd5ee55a6d52b10bbc2 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Mon, 19 Aug 2024 16:34:25 -0400 Subject: [PATCH 04/13] Update hermetic_library_generation.yaml --- .github/workflows/hermetic_library_generation.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index a1cce51199..ab23b9fec0 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -23,7 +23,7 @@ env: jobs: library_generation: - # skip pull requests come from a forked repository + # skip pull requests coming from a forked repository if: github.env.REPO_FULL_NAME == github.repository runs-on: ubuntu-latest steps: From 97357dedca3055d570df789e2834b253be35be19 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Thu, 22 Aug 2024 10:30:47 -0400 Subject: [PATCH 05/13] fix env reference --- .github/workflows/hermetic_library_generation.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index ab23b9fec0..c17742b0db 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -24,7 +24,7 @@ env: jobs: library_generation: # skip pull requests coming from a forked repository - if: github.env.REPO_FULL_NAME == github.repository + if: env.REPO_FULL_NAME == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 66f644d00d886e619a4926c6981d359719605ae8 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Thu, 22 Aug 2024 10:38:52 -0400 Subject: [PATCH 06/13] use vars instead of env --- .github/workflows/hermetic_library_generation.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index c17742b0db..810530ea51 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -24,7 +24,7 @@ env: jobs: library_generation: # skip pull requests coming from a forked repository - if: env.REPO_FULL_NAME == github.repository + if: vars.REPO_FULL_NAME == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 0d4c5ee8e01ab05d1297cbbb8973984bfa83644c Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Thu, 22 Aug 2024 10:47:15 -0400 Subject: [PATCH 07/13] workaround for indirectly referencing env in jobs.if --- .../workflows/hermetic_library_generation.yaml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 810530ea51..06439934fb 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -22,9 +22,22 @@ env: REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} jobs: + # This step is meant to inline the jobs.if of the next step "library_generation" as + # an env var to avoid injection vulnerabilities. + # Unfortunately, we can't directly reference `env` in jobs.if + # (see https://github.com/actions/runner/issues/2372) + # The chosen workaround is to declare an intermediate step that will output the env var + prepare-repo-full-name: + name: Prepare REPO_FULL_NAME env var + runs-on: ubuntu-latest + outputs: + REPO_FULL_NAME: ${{ env.REPO_FULL_NAME }} + steps: + - run: echo "" >> /dev/null # no op - we just need to declare the env var as output library_generation: # skip pull requests coming from a forked repository - if: vars.REPO_FULL_NAME == github.repository + if: needs.prepare-repo-full-name.outputs.REPO_FULL_NAME == github.repository + needs: [prepare-repo-full-name] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 59956913b3d1625e04dd1583b71ef941809447bb Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Thu, 22 Aug 2024 10:48:38 -0400 Subject: [PATCH 08/13] rename job --- .github/workflows/hermetic_library_generation.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 06439934fb..e5c0aaa97f 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -28,7 +28,7 @@ jobs: # (see https://github.com/actions/runner/issues/2372) # The chosen workaround is to declare an intermediate step that will output the env var prepare-repo-full-name: - name: Prepare REPO_FULL_NAME env var + name: Prepare environment runs-on: ubuntu-latest outputs: REPO_FULL_NAME: ${{ env.REPO_FULL_NAME }} From 37f1f9e5816b20ccb8fed07d5cfee76a2594d303 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Thu, 22 Aug 2024 13:19:37 -0400 Subject: [PATCH 09/13] test job without steps --- .github/workflows/hermetic_library_generation.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index e5c0aaa97f..784d8bfe59 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -32,8 +32,6 @@ jobs: runs-on: ubuntu-latest outputs: REPO_FULL_NAME: ${{ env.REPO_FULL_NAME }} - steps: - - run: echo "" >> /dev/null # no op - we just need to declare the env var as output library_generation: # skip pull requests coming from a forked repository if: needs.prepare-repo-full-name.outputs.REPO_FULL_NAME == github.repository From 0ff66895df77b744f63b04be3bcf0aacfdb18f93 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Thu, 22 Aug 2024 13:21:14 -0400 Subject: [PATCH 10/13] cleaner no-op step --- .github/workflows/hermetic_library_generation.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 784d8bfe59..14adc4e290 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -32,6 +32,8 @@ jobs: runs-on: ubuntu-latest outputs: REPO_FULL_NAME: ${{ env.REPO_FULL_NAME }} + steps: + - run: exit 0 # no op - we just need to declare the env var as output library_generation: # skip pull requests coming from a forked repository if: needs.prepare-repo-full-name.outputs.REPO_FULL_NAME == github.repository From cb0d36e3c585cf2790c8fc4027cda01400b9a2df Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Mon, 26 Aug 2024 10:12:08 -0400 Subject: [PATCH 11/13] rewording --- .github/workflows/hermetic_library_generation.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 14adc4e290..809b185608 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -22,8 +22,8 @@ env: REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} jobs: - # This step is meant to inline the jobs.if of the next step "library_generation" as - # an env var to avoid injection vulnerabilities. + # This step is meant to inline the the repo full name env var in the `jobs.if` entry + # of the next step "library_generation". # Unfortunately, we can't directly reference `env` in jobs.if # (see https://github.com/actions/runner/issues/2372) # The chosen workaround is to declare an intermediate step that will output the env var From c405e991733cde582eca3c40d8293bc511529207 Mon Sep 17 00:00:00 2001 From: Owl Bot Date: Mon, 26 Aug 2024 14:14:47 +0000 Subject: [PATCH 12/13] =?UTF-8?q?=F0=9F=A6=89=20Updates=20from=20OwlBot=20?= =?UTF-8?q?post-processor?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 645ea12695..85a00dc9b9 100644 --- a/README.md +++ b/README.md @@ -57,13 +57,13 @@ implementation 'com.google.cloud:google-cloud-bigtable' If you are using Gradle without BOM, add this to your dependencies: ```Groovy -implementation 'com.google.cloud:google-cloud-bigtable:2.42.0' +implementation 'com.google.cloud:google-cloud-bigtable:2.43.0' ``` If you are using SBT, add this to your dependencies: ```Scala -libraryDependencies += "com.google.cloud" % "google-cloud-bigtable" % "2.42.0" +libraryDependencies += "com.google.cloud" % "google-cloud-bigtable" % "2.43.0" ``` @@ -542,7 +542,7 @@ Java is a registered trademark of Oracle and/or its affiliates. [kokoro-badge-link-5]: http://storage.googleapis.com/cloud-devrel-public/java/badges/java-bigtable/java11.html [stability-image]: https://img.shields.io/badge/stability-stable-green [maven-version-image]: https://img.shields.io/maven-central/v/com.google.cloud/google-cloud-bigtable.svg -[maven-version-link]: https://central.sonatype.com/artifact/com.google.cloud/google-cloud-bigtable/2.42.0 +[maven-version-link]: https://central.sonatype.com/artifact/com.google.cloud/google-cloud-bigtable/2.43.0 [authentication]: https://github.com/googleapis/google-cloud-java#authentication [auth-scopes]: https://developers.google.com/identity/protocols/oauth2/scopes [predefined-iam-roles]: https://cloud.google.com/iam/docs/understanding-roles#predefined_roles From 7525b575c6bf954471f11481fc29acc92fe162e8 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Mon, 26 Aug 2024 11:48:46 -0400 Subject: [PATCH 13/13] simplify conditional generation --- .../hermetic_library_generation.yaml | 20 +++++-------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 809b185608..51a087f8e5 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -20,24 +20,10 @@ on: env: HEAD_REF: ${{ github.head_ref }} REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} + GITHUB_REPOSITORY: ${{ github.repository }} jobs: - # This step is meant to inline the the repo full name env var in the `jobs.if` entry - # of the next step "library_generation". - # Unfortunately, we can't directly reference `env` in jobs.if - # (see https://github.com/actions/runner/issues/2372) - # The chosen workaround is to declare an intermediate step that will output the env var - prepare-repo-full-name: - name: Prepare environment - runs-on: ubuntu-latest - outputs: - REPO_FULL_NAME: ${{ env.REPO_FULL_NAME }} - steps: - - run: exit 0 # no op - we just need to declare the env var as output library_generation: - # skip pull requests coming from a forked repository - if: needs.prepare-repo-full-name.outputs.REPO_FULL_NAME == github.repository - needs: [prepare-repo-full-name] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -48,6 +34,10 @@ jobs: shell: bash run: | set -ex + if [[ "${GITHUB_REPOSITORY}" != "${REPO_FULL_NAME}" ]]; then + echo "This PR comes from a fork. Generation will be skipped" + exit 0 + fi [ -z "$(git config user.email)" ] && git config --global user.email "cloud-java-bot@google.com" [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot" bash .github/scripts/hermetic_library_generation.sh \