From a357be8033bfbde296151783efca5c6aa9db7f9e Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Mon, 1 Jun 2026 09:40:22 +0200 Subject: [PATCH 1/8] Modify merge gate to ensure run-fast-tests --- .github/workflows/checks.yml | 2 +- .github/workflows/merge-gate.yml | 3 ++- doc/changes/unreleased.md | 4 ++++ exasol/toolbox/templates/github/workflows/merge-gate.yml | 1 + 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 3ce5eddb5..2609419b9 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Checks on: diff --git a/.github/workflows/merge-gate.yml b/.github/workflows/merge-gate.yml index 7b53ab8b2..2dde9d8b0 100644 --- a/.github/workflows/merge-gate.yml +++ b/.github/workflows/merge-gate.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Merge-Gate on: @@ -66,6 +66,7 @@ jobs: # If you need additional jobs to be part of the merge gate, add them below needs: - run-fast-checks + - run-fast-tests - run-slow-checks - merge-gate-extension # To prevent accidentally merges, this step is required. For more details diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md index fb4737052..2f382b921 100644 --- a/doc/changes/unreleased.md +++ b/doc/changes/unreleased.md @@ -1,3 +1,7 @@ # Unreleased ## Summary + +## Refactoring + +* #852: Modified `merge-gate` to ensure `run-fast-tests` succeeds diff --git a/exasol/toolbox/templates/github/workflows/merge-gate.yml b/exasol/toolbox/templates/github/workflows/merge-gate.yml index c738dad1f..738095f75 100644 --- a/exasol/toolbox/templates/github/workflows/merge-gate.yml 
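Review bot: Adding `run-fast-tests` to `needs:` only blocks a merge if the `merge-gate` job itself still runs and inspects the outcome; when a dependency fails the dependent job is skipped, and GitHub reports a skipped job as a successful status check, so branch protection would not stop the merge on its own. The job body that the context comment refers to ("this step is required") lies outside the hunk, so please confirm it runs with `if: always()` and fails on any `needs.*.result` other than `success`, in which case the new entry is picked up automatically. A comment next to `needs:` stating that contract, e.g. `# every job listed here is evaluated via needs.*.result in the step below`, would help the next person who extends the list.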
+++ b/exasol/toolbox/templates/github/workflows/merge-gate.yml @@ -67,6 +67,7 @@ jobs: # If you need additional jobs to be part of the merge gate, add them below needs: - run-fast-checks + - run-fast-tests - run-slow-checks (% if workflow_extension.merge_gate %) - merge-gate-extension From c192f0290dcfed645d066e1de76117cdecc2bdbf Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Mon, 1 Jun 2026 11:21:41 +0200 Subject: [PATCH 2/8] Add workflow_dispatch to periodic-validation.yml --- .github/workflows/periodic-validation.yml | 25 ++++++++++++++++++- doc/changes/unreleased.md | 4 +++ .../features/github_workflows/index.rst | 2 +- .../github/workflows/periodic-validation.yml | 23 +++++++++++++++++ 4 files changed, 52 insertions(+), 2 deletions(-) diff --git a/.github/workflows/periodic-validation.yml b/.github/workflows/periodic-validation.yml index dc1276af8..0df5ef7db 100644 --- a/.github/workflows/periodic-validation.yml +++ b/.github/workflows/periodic-validation.yml 
@@ -1,28 +1,51 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Periodic-Validation on: schedule: # At 00:00 on Saturday. (https://crontab.guru) - cron: "0 0 * * 6" + workflow_dispatch: jobs: + restrict-to-default-branch: + name: Restrict to Default Branch + runs-on: "ubuntu-24.04" + permissions: + contents: write + pull-requests: write + + steps: + - name: Fail if not running on the default branch + id: check-branch + if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) + uses: actions/github-script@v8 + with: + script: | + core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + run-fast-checks: name: Fast Checks uses: ./.github/workflows/checks.yml + needs: + - restrict-to-default-branch permissions: contents: read run-fast-tests: name: Fast Tests uses: ./.github/workflows/fast-tests.yml + needs: + - restrict-to-default-branch permissions: contents: read run-slow-checks: name: Slow Checks uses: ./.github/workflows/slow-checks.yml + needs: + - restrict-to-default-branch secrets: inherit permissions: contents: read diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md index 2f382b921..d7fee9607 100644 --- a/doc/changes/unreleased.md +++ b/doc/changes/unreleased.md @@ -2,6 +2,10 @@ ## Summary +## Feature + +* #854: Added `workflow_dispatch` for `periodic-validation.yml` + ## Refactoring * #852: Modified `merge-gate` to ensure `run-fast-tests` succeeds diff --git a/doc/user_guide/features/github_workflows/index.rst b/doc/user_guide/features/github_workflows/index.rst index 225df16f8..0e699d9a8 100644 --- a/doc/user_guide/features/github_workflows/index.rst +++ b/doc/user_guide/features/github_workflows/index.rst 
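Review bot: The new `restrict-to-default-branch` job is a guardrail against accidental runs, not a security boundary: a `workflow_dispatch` run executes the workflow file from the ref that was selected, so anyone able to push a branch can drop the job there while `run-slow-checks` still receives `secrets: inherit`. State that limitation above the job, e.g. `# Guardrail only: workflow_dispatch runs the workflow file of the selected ref, so a modified copy on another branch is not stopped by this job.` Independently of that, the job requests `contents: write` and `pull-requests: write` although it only calls `core.setFailed`, and `${{ github.ref }}` is interpolated into the JavaScript string; both are corrected in patch 3 of this series, so they matter only if this commit is cherry-picked on its own.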
@@ -308,7 +308,7 @@ coverage to Sonar for an overall report. .. literalinclude:: ../../../../exasol/toolbox/templates/github/workflows/periodic-validation.yml :language: yaml :start-at: schedule: - :end-at: - cron: "0 0 * * 6" + :end-at: workflow_dispatch: .. mermaid:: diff --git a/exasol/toolbox/templates/github/workflows/periodic-validation.yml b/exasol/toolbox/templates/github/workflows/periodic-validation.yml index ff0734e86..68f5b6038 100644 --- a/exasol/toolbox/templates/github/workflows/periodic-validation.yml +++ b/exasol/toolbox/templates/github/workflows/periodic-validation.yml @@ -5,23 +5,46 @@ on: schedule: # At 00:00 on Saturday. (https://crontab.guru) - cron: "0 0 * * 6" + workflow_dispatch: jobs: + restrict-to-default-branch: + name: Restrict to Default Branch + runs-on: "(( os_version ))" + permissions: + contents: write + pull-requests: write + + steps: + - name: Fail if not running on the default branch + id: check-branch + if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) + uses: actions/github-script@v8 + with: + script: | + core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + run-fast-checks: name: Fast Checks uses: ./.github/workflows/checks.yml + needs: + - restrict-to-default-branch permissions: contents: read run-fast-tests: name: Fast Tests uses: ./.github/workflows/fast-tests.yml + needs: + - restrict-to-default-branch permissions: contents: read run-slow-checks: name: Slow Checks uses: ./.github/workflows/slow-checks.yml + needs: + - restrict-to-default-branch secrets: inherit permissions: contents: read From c11818915d251bf65695f961768aa00e28052c2f Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Tue, 2 Jun 2026 08:46:31 +0200 Subject: [PATCH 3/8] Alter periodic-validation --- .github/workflows/periodic-validation.yml | 12 ++++++------ .../github/workflows/periodic-validation.yml | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) 
diff --git a/.github/workflows/periodic-validation.yml b/.github/workflows/periodic-validation.yml index 0df5ef7db..ce5596131 100644 --- a/.github/workflows/periodic-validation.yml +++ b/.github/workflows/periodic-validation.yml @@ -13,17 +13,17 @@ jobs: name: Restrict to Default Branch runs-on: "ubuntu-24.04" permissions: - contents: write - pull-requests: write + contents: read steps: - name: Fail if not running on the default branch id: check-branch if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) - uses: actions/github-script@v8 - with: - script: | - core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + env: + CURRENT_BRANCH: ${{ github.ref }} + run: | + echo "Not running on the default branch. Current ref is: $CURRENT_BRANCH" + exit 1 run-fast-checks: name: Fast Checks diff --git a/exasol/toolbox/templates/github/workflows/periodic-validation.yml b/exasol/toolbox/templates/github/workflows/periodic-validation.yml index 68f5b6038..6b3b9dc33 100644 --- a/exasol/toolbox/templates/github/workflows/periodic-validation.yml +++ b/exasol/toolbox/templates/github/workflows/periodic-validation.yml @@ -12,17 +12,17 @@ jobs: name: Restrict to Default Branch runs-on: "(( os_version ))" permissions: - contents: write - pull-requests: write + contents: read steps: - name: Fail if not running on the default branch id: check-branch if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) - uses: actions/github-script@v8 - with: - script: | - core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + env: + CURRENT_BRANCH: ${{ github.ref }} + run: | + echo "Not running on the default branch. Current ref is: $CURRENT_BRANCH" + exit 1 run-fast-checks: name: Fast Checks From b4b81366bb67979ce417cbf73fc6a898f2a95d13 Mon Sep 17 00:00:00 2001 
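Review bot: The `restrict-to-default-branch` job now only echoes and exits, so it needs no repository token at all; `permissions: {}` is tighter than `contents: read`, since the job performs no checkout and invokes no action. Replacing `actions/github-script` with a plain `run:` that reads `CURRENT_BRANCH` from `env:` is the right fix, because the old form spliced `${{ github.ref }}` into a JavaScript string literal and ref names may contain characters such as a single quote. A why-comment would keep a later edit from reintroducing the inline expression, e.g. `# pass the ref via env; never interpolate ${{ }} into the script body`. The `id: check-branch` is not referenced by anything visible in either file and can be dropped.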
From: Ariel Schulz Date: Tue, 2 Jun 2026 08:47:57 +0200 Subject: [PATCH 4/8] Alter dependency-update --- .github/workflows/dependency-update.yml | 11 ++++++----- .../templates/github/workflows/dependency-update.yml | 9 +++++---- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index e36ce8b60..8a6af059f 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Dependency Update on: @@ -26,10 +26,11 @@ jobs: - name: Fail if not running on the default branch id: check-branch if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) - uses: actions/github-script@v8 - with: - script: | - core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + env: + CURRENT_BRANCH: ${{ github.ref }} + run: | + echo "Not running on the default branch. Current ref is: $CURRENT_BRANCH" + exit 1 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index fc35e61ea..f13562105 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
@@ -25,10 +25,11 @@ jobs: - name: Fail if not running on the default branch id: check-branch if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) - uses: actions/github-script@v8 - with: - script: | - core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + env: + CURRENT_BRANCH: ${{ github.ref }} + run: | + echo "Not running on the default branch. Current ref is: $CURRENT_BRANCH" + exit 1 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment From d746af7534e1a76552755c4d87fb6230bf3d5947 Mon Sep 17 00:00:00 2001 
From: Ariel Schulz Date: Tue, 2 Jun 2026 09:05:46 +0200 Subject: [PATCH 5/8] Improve some security with zizmor findings --- .github/actions/python-environment/action.yml | 11 ++++++++--- .github/actions/security-issues/action.yml | 11 ++++++++--- .github/workflows/build-and-publish.yml | 4 +++- .github/workflows/cd.yml | 2 +- .github/workflows/check-release-tag.yml | 7 +++++-- .github/workflows/checks.yml | 16 ++++++++++++++++ .github/workflows/ci.yml | 2 +- .github/workflows/dependency-update.yml | 1 + .github/workflows/fast-tests.yml | 3 ++- .github/workflows/gh-pages.yml | 3 ++- .github/workflows/matrix-all.yml | 4 +++- .github/workflows/matrix-exasol.yml | 4 +++- .github/workflows/matrix-python.yml | 4 +++- .github/workflows/pr-merge.yml | 2 +- .github/workflows/report.yml | 3 ++- .github/workflows/test-python-environment.yml | 12 +++++++++--- .workflow-patcher.yml | 1 + doc/changes/unreleased.md | 1 + .../github/workflows/build-and-publish.yml | 2 ++ .../github/workflows/check-release-tag.yml | 5 ++++- .../templates/github/workflows/checks.yml | 16 ++++++++++++++++ .../github/workflows/dependency-update.yml | 1 + .../templates/github/workflows/fast-tests.yml | 2 ++ .../templates/github/workflows/gh-pages.yml | 1 + .../templates/github/workflows/matrix-all.yml | 2 ++ .../templates/github/workflows/matrix-exasol.yml | 2 ++ .../templates/github/workflows/matrix-python.yml | 2 ++ .../templates/github/workflows/report.yml | 1 + .../templates/github/workflows/slow-checks.yml | 2 ++ 29 files changed, 105 insertions(+), 22 deletions(-) diff --git a/.github/actions/python-environment/action.yml b/.github/actions/python-environment/action.yml index 88c311138..2e0ba3559 100644 --- a/.github/actions/python-environment/action.yml +++ b/.github/actions/python-environment/action.yml 
@@ -45,10 +45,11 @@ runs: - name: Set up Poetry (${{ inputs.poetry-version }}) shell: bash run: | - POETRY_VERSION="${{ inputs.poetry-version }}" "$PYTHON_BINARY" "${{ github.action_path }}/ext/get_poetry.py" + POETRY_VERSION="${INPUTS_POETRY_VERSION}" "$PYTHON_BINARY" "${{ github.action_path }}/ext/get_poetry.py" echo "$HOME/.local/bin" >> $GITHUB_PATH env: PYTHON_BINARY: "python${{ inputs.python-version }}" + INPUTS_POETRY_VERSION: ${{ inputs.poetry-version }} - name: Setup cache variables id: setup-cache-variables @@ -77,16 +78,20 @@ runs: working-directory: ${{ inputs.working-directory }} shell: bash run: | - EXTRAS=$(echo "${{ inputs.extras }}" | tr -d ' ') + EXTRAS=$(echo "${INPUTS_EXTRAS}" | tr -d ' ') if [[ -n "$EXTRAS" ]]; then poetry install --extras "$EXTRAS" else poetry install fi + env: + INPUTS_EXTRAS: ${{ inputs.extras }} - name: Validate Poetry environment working-directory: ${{ inputs.working-directory }} shell: bash run: | poetry run python --version - poetry run python --version | grep "${{ inputs.python-version }}" + poetry run python --version | grep "${INPUTS_PYTHON_VERSION}" + env: + INPUTS_PYTHON_VERSION: ${{ inputs.python-version }} diff --git a/.github/actions/security-issues/action.yml b/.github/actions/security-issues/action.yml index 64e67b470..a8fcc7601 100644 --- a/.github/actions/security-issues/action.yml +++ b/.github/actions/security-issues/action.yml @@ -44,12 +44,16 @@ runs: - name: Create Security Issue Report shell: bash run: | - ${{ inputs.command }} | tee input + ${INPUTS_COMMAND} | tee input + env: + INPUTS_COMMAND: ${{ inputs.command }} - name: Convert Report To Common Input Format shell: bash run: | - tbx security cve convert ${{inputs.format}} < input | tee cves.jsonl + tbx security cve convert ${INPUTS_FORMAT} < input | tee cves.jsonl + env: + INPUTS_FORMAT: ${{inputs.format}} - name: Filter Issues env: 
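Review bot: `poetry run python --version | grep "${INPUTS_PYTHON_VERSION}"` treats the version as a regular expression with no anchoring, so the dot matches any character and `3.1` accepts `Python 3.10.x` or `3.11.x` as well. The `PYTHON_BINARY: "python${{ inputs.python-version }}"` line in the first hunk implies the input is `major.minor`, so a fixed-string match that closes the minor component is safe: `poetry run python --version | grep -F -- "Python ${INPUTS_PYTHON_VERSION}."`. If callers may pass a full `major.minor.patch`, drop the trailing dot and document the accepted form on the input instead. The same unanchored `grep` appears in `.github/workflows/test-python-environment.yml` in this patch.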
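Review bot: Moving `inputs.command` into `INPUTS_COMMAND` and expanding it unquoted changes what the step does: the value is now word-split and glob-expanded after bash has parsed the line, so a command containing quotes, a pipe, a redirection or `&&` no longer behaves as written, whereas the former inline `${{ inputs.command }}` was substituted before parsing and accepted any shell syntax. If the input is meant to be a shell command line, as its name suggests, make that explicit with `bash -c "${INPUTS_COMMAND}" | tee input` and state in the input's description that it is executed as trusted shell by the caller; that is equal in power to the previous behaviour but documents the intent instead of leaving it implicit. In the following step the format argument should be quoted too: `tbx security cve convert "${INPUTS_FORMAT}" < input | tee cves.jsonl`.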
@@ -62,9 +66,10 @@ runs: - name: Create Issues env: GH_TOKEN: ${{ inputs.github-token }} + INPUTS_PROJECT: ${{ inputs.project }} shell: bash run: | - tbx security cve create --project "${{ inputs.project }}" < issues.jsonl | tee created.jsonl + tbx security cve create --project "${INPUTS_PROJECT}" < issues.jsonl | tee created.jsonl - name: Define Output Parameter id: get-created-issues diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index f60b739d9..4b6befafa 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Build & Publish on: @@ -18,6 +18,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 72a414a4f..2703e43b1 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: CD on: diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml index 78e4161e8..a2e251a8e 100644 --- a/.github/workflows/check-release-tag.yml +++ b/.github/workflows/check-release-tag.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Check Release Tag on: 
@@ -16,6 +16,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -27,4 +29,5 @@ jobs: - name: Check Release Tag id: check-release-tag # make sure the pushed/created tag matched the project version - run: "[[ `poetry version --short` == ${{ github.ref_name }} ]]" + run: |- + [[ "$(poetry version --short)" == "$GITHUB_REF_NAME" ]] diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 2609419b9..89a4bf141 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -15,6 +15,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -41,6 +43,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -66,6 +70,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -102,6 +108,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -128,6 +136,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment 
@@ -158,6 +168,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -179,6 +191,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -200,6 +214,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a9541cdaf..e44f4b0b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: CI on: diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 8a6af059f..157e32fb5 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -21,6 +21,7 @@ jobs: id: check-out-repository uses: actions/checkout@v6 with: + persist-credentials: true fetch-depth: 0 - name: Fail if not running on the default branch diff --git a/.github/workflows/fast-tests.yml b/.github/workflows/fast-tests.yml index 24f775b29..b692b8e38 100644 --- a/.github/workflows/fast-tests.yml +++ b/.github/workflows/fast-tests.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Fast-Tests on: 
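Review bot: `persist-credentials: true` keeps the `GITHUB_TOKEN` in `.git/config` for the rest of the job, yet the checkout runs before the `Fail if not running on the default branch` step that follows it in this hunk, so a run on a non-default ref still writes the token to disk and fetches the full history before being rejected. Move the branch check ahead of the checkout (it needs nothing from the workspace) so disallowed runs fail before any credential is persisted, and give the explicit `true` a why-comment, e.g. `# credentials are kept on purpose: a later step pushes the dependency-update branch` if that is indeed the reason, since the pushing step is not visible here. The same ordering exists in `exasol/toolbox/templates/github/workflows/dependency-update.yml`, which is where the fix has to land to survive regeneration.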
@@ -21,6 +21,7 @@ jobs: id: check-out-repository uses: actions/checkout@v6 with: + persist-credentials: false fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index c8ab77894..dceb9c487 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Publish Documentation on: @@ -18,6 +18,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml index dfd410fb6..cc8e849b0 100644 --- a/.github/workflows/matrix-all.yml +++ b/.github/workflows/matrix-all.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Build Matrix (All Versions) on: @@ -18,6 +18,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml index c57464a79..bab0ffb02 100644 --- a/.github/workflows/matrix-exasol.yml +++ b/.github/workflows/matrix-exasol.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Build Matrix (Exasol) on: 
@@ -18,6 +18,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml index c991d5a68..c671c36f3 100644 --- a/.github/workflows/matrix-python.yml +++ b/.github/workflows/matrix-python.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Build Matrix (Python) on: @@ -18,6 +18,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/pr-merge.yml b/.github/workflows/pr-merge.yml index 8dd06a584..9507e2523 100644 --- a/.github/workflows/pr-merge.yml +++ b/.github/workflows/pr-merge.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: PR-Merge on: diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml index 7ff2917b3..d76cfa111 100644 --- a/.github/workflows/report.yml +++ b/.github/workflows/report.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Status Report on: @@ -19,6 +19,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/test-python-environment.yml b/.github/workflows/test-python-environment.yml index 2280904d2..f05267e9a 100644 --- a/.github/workflows/test-python-environment.yml 
+++ b/.github/workflows/test-python-environment.yml @@ -15,16 +15,18 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - id: diff + env: + BASE_REF: ${{ github.base_ref || 'main' }} run: | # Always run if the current branch is main - if [ "${{ github.ref_name }}" == "main" ]; then + if [ "${GITHUB_REF_NAME}" == "main" ]; then echo "Branch is main, forcing run." echo "should_run=true" >> $GITHUB_OUTPUT # Otherwise, check if any relevant files were changed in this PR else - BASE_REF=${{ github.base_ref || 'main' }} if git diff --quiet "origin/$BASE_REF...HEAD" -- .github/actions/python-environment; then echo "No changes in .github/actions/python-environment, skipping." echo "should_run=false" >> $GITHUB_OUTPUT @@ -66,6 +68,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -80,8 +84,10 @@ jobs: - name: Validate Python Version id: validate-python-version + env: + PYTHON_VERSION: ${{ matrix.python-version }} run: | poetry run which python poetry run python --version poetry env list - poetry run python --version | grep "${{ matrix.python-version }}" + poetry run python --version | grep "$PYTHON_VERSION" diff --git a/.workflow-patcher.yml b/.workflow-patcher.yml index 20418f095..bdf6d52fe 100644 --- a/.workflow-patcher.yml +++ b/.workflow-patcher.yml @@ -10,4 +10,5 @@ workflows: id: check-out-repository uses: actions/checkout@v6 with: + persist-credentials: false fetch-depth: 0 diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md index d7fee9607..bd039a696 100644 --- a/doc/changes/unreleased.md +++ b/doc/changes/unreleased.md @@ -9,3 +9,4 @@ ## Refactoring * #852: Modified `merge-gate` to ensure `run-fast-tests` succeeds +* #811: Modified workflow templates to not persist-credentials and not provide attacker-controllable inlines 
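Review bot: `poetry run python --version | grep "$PYTHON_VERSION"` in the last hunk still matches the matrix value as an unanchored regular expression, so `3.1` also accepts `Python 3.10.x` and `3.11.x`; prefer a fixed-string match that closes the minor component, `poetry run python --version | grep -F -- "Python ${PYTHON_VERSION}."`, assuming matrix entries are `major.minor`. Moving `BASE_REF` and the matrix value into `env:` is the right way to stop `${{ }}` expressions from reaching the shell verbatim. In the first hunk, `if [ "${GITHUB_REF_NAME}" == "main" ]` hard-codes the branch while the other workflows in this series compare against `github.event.repository.default_branch`; a comment such as `# this repo's default branch is main; kept literal because the comparison has no event payload dependency` would at least make the divergence deliberate.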
diff --git a/exasol/toolbox/templates/github/workflows/build-and-publish.yml b/exasol/toolbox/templates/github/workflows/build-and-publish.yml index 60ded6a57..6c42834b4 100644 --- a/exasol/toolbox/templates/github/workflows/build-and-publish.yml +++ b/exasol/toolbox/templates/github/workflows/build-and-publish.yml @@ -17,6 +17,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/check-release-tag.yml b/exasol/toolbox/templates/github/workflows/check-release-tag.yml index 26bfd7833..ff48d6a69 100644 --- a/exasol/toolbox/templates/github/workflows/check-release-tag.yml +++ b/exasol/toolbox/templates/github/workflows/check-release-tag.yml @@ -15,6 +15,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -26,4 +28,5 @@ jobs: - name: Check Release Tag id: check-release-tag # make sure the pushed/created tag matched the project version - run: "[[ `poetry version --short` == ${{ github.ref_name }} ]]" + run: | + [[ "$(poetry version --short)" == "$GITHUB_REF_NAME" ]] diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml index ea70f6c5c..9d88c6c87 100644 --- a/exasol/toolbox/templates/github/workflows/checks.yml +++ b/exasol/toolbox/templates/github/workflows/checks.yml @@ -14,6 +14,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment 
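Review bot: The template writes the release-tag check as `run: |` while the generated `.github/workflows/check-release-tag.yml` in this same patch uses `run: |-`; because the workflow files are regenerated from these templates (see the `Generated and maintained by the exasol-toolbox` headers), the next regeneration will emit a spurious diff. Use the same form in both, preferably `|-`, which yields the single command without a trailing newline. The quoting itself is the right fix: the former inline `${{ github.ref_name }}` let a tag name containing shell metacharacters such as `$(...)` be executed by the runner, whereas `[[ "$(poetry version --short)" == "$GITHUB_REF_NAME" ]]` compares the value literally.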
@@ -40,6 +42,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -65,6 +69,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -101,6 +107,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -127,6 +135,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -157,6 +167,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -178,6 +190,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -199,6 +213,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index f13562105..f24573f54 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
@@ -20,6 +20,7 @@ jobs: id: check-out-repository uses: actions/checkout@v6 with: + persist-credentials: true fetch-depth: 0 - name: Fail if not running on the default branch diff --git a/exasol/toolbox/templates/github/workflows/fast-tests.yml b/exasol/toolbox/templates/github/workflows/fast-tests.yml index 39cee71da..c6f03c94f 100644 --- a/exasol/toolbox/templates/github/workflows/fast-tests.yml +++ b/exasol/toolbox/templates/github/workflows/fast-tests.yml @@ -19,6 +19,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml index 6f5d5a150..e7ef3210a 100644 --- a/exasol/toolbox/templates/github/workflows/gh-pages.yml +++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml @@ -17,6 +17,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/matrix-all.yml b/exasol/toolbox/templates/github/workflows/matrix-all.yml index f5695bde7..c24c2f2db 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-all.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-all.yml @@ -17,6 +17,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml index 0e3b93f98..18b3b851b 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml 
@@ -17,6 +17,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/matrix-python.yml b/exasol/toolbox/templates/github/workflows/matrix-python.yml index 9d330d137..062426ff1 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-python.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-python.yml @@ -17,6 +17,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml index da14a6f0e..ee89f1290 100644 --- a/exasol/toolbox/templates/github/workflows/report.yml +++ b/exasol/toolbox/templates/github/workflows/report.yml @@ -18,6 +18,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/slow-checks.yml b/exasol/toolbox/templates/github/workflows/slow-checks.yml index b961e19ae..618e1790a 100644 --- a/exasol/toolbox/templates/github/workflows/slow-checks.yml +++ b/exasol/toolbox/templates/github/workflows/slow-checks.yml @@ -28,6 +28,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment From 08ce5ea055785bf61a6bf864461da93537abec32 Mon Sep 17 00:00:00 2001 
From: Ariel Schulz Date: Tue, 2 Jun 2026 09:43:05 +0200 Subject: [PATCH 6/8] Restrict secrets sent to report.yml --- .github/workflows/merge-gate.yml | 3 ++- .github/workflows/periodic-validation.yml | 3 ++- .github/workflows/report.yml | 5 +++-- doc/changes/unreleased.md | 2 +- exasol/toolbox/templates/github/workflows/merge-gate.yml | 3 ++- .../templates/github/workflows/periodic-validation.yml | 3 ++- exasol/toolbox/templates/github/workflows/report.yml | 5 +++-- 7 files changed, 15 insertions(+), 9 deletions(-) diff --git a/.github/workflows/merge-gate.yml b/.github/workflows/merge-gate.yml index 2dde9d8b0..c7e00c394 100644 --- a/.github/workflows/merge-gate.yml +++ b/.github/workflows/merge-gate.yml @@ -24,7 +24,8 @@ jobs: - run-fast-checks - run-fast-tests uses: ./.github/workflows/report.yml - secrets: inherit + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} permissions: contents: read diff --git a/.github/workflows/periodic-validation.yml b/.github/workflows/periodic-validation.yml index ce5596131..574b66c0e 100644 --- a/.github/workflows/periodic-validation.yml +++ b/.github/workflows/periodic-validation.yml @@ -57,6 +57,7 @@ jobs: - run-fast-tests - run-slow-checks uses: ./.github/workflows/report.yml - secrets: inherit + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} permissions: contents: read diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml index d76cfa111..8e2bc1d91 100644 --- a/.github/workflows/report.yml +++ b/.github/workflows/report.yml @@ -4,6 +4,9 @@ name: Status Report on: workflow_call: + secrets: + SONAR_TOKEN: + required: true jobs: @@ -11,8 +14,6 @@ jobs: runs-on: "ubuntu-24.04" permissions: contents: read - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Check out Repository id: check-out-repository diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md index bd039a696..3c4319881 100644 --- a/doc/changes/unreleased.md +++ b/doc/changes/unreleased.md 
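Review bot: `SONAR_TOKEN` is declared `required: true` in report.yml, but both callers pass `${{ secrets.SONAR_TOKEN }}`, which evaluates to an empty string when the workflow runs for a pull request from a fork (secrets are not exposed there); whether GitHub counts an explicitly passed empty value as "supplied" should be confirmed, and either way the Sonar step inside report.yml (outside the hunk) should cope with an empty token, e.g. map it into `env` and guard with `if: ${{ env.SONAR_TOKEN != '' }}` or fail with a clear message. Dropping the job-level `GITHUB_TOKEN` env is the right move; the automatic token is still reachable by any remaining step as `${{ github.token }}`, so if a step in report.yml relied on `$GITHUB_TOKEN`, give it a step-scoped `env:` entry rather than re-adding it at job level. The job's `permissions: contents: read` is preserved, which keeps that token read-only.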
@@ -9,4 +9,4 @@ ## Refactoring * #852: Modified `merge-gate` to ensure `run-fast-tests` succeeds -* #811: Modified workflow templates to not persist-credentials and not provide attacker-controllable inlines +* #811: Modified workflow templates to not persist-credentials, not provide attacker-controllable inlines, and not pass more secrets to `report.yml` diff --git a/exasol/toolbox/templates/github/workflows/merge-gate.yml b/exasol/toolbox/templates/github/workflows/merge-gate.yml index 738095f75..7e4b28173 100644 --- a/exasol/toolbox/templates/github/workflows/merge-gate.yml +++ b/exasol/toolbox/templates/github/workflows/merge-gate.yml @@ -23,7 +23,8 @@ jobs: - run-fast-checks - run-fast-tests uses: ./.github/workflows/report.yml - secrets: inherit + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} permissions: contents: read diff --git a/exasol/toolbox/templates/github/workflows/periodic-validation.yml b/exasol/toolbox/templates/github/workflows/periodic-validation.yml index 6b3b9dc33..16a18697c 100644 --- a/exasol/toolbox/templates/github/workflows/periodic-validation.yml +++ b/exasol/toolbox/templates/github/workflows/periodic-validation.yml @@ -56,6 +56,7 @@ jobs: - run-fast-tests - run-slow-checks uses: ./.github/workflows/report.yml - secrets: inherit + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} permissions: contents: read diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml index ee89f1290..3a2081bab 100644 --- a/exasol/toolbox/templates/github/workflows/report.yml +++ b/exasol/toolbox/templates/github/workflows/report.yml @@ -3,6 +3,9 @@ name: Status Report on: workflow_call: + secrets: + SONAR_TOKEN: + required: true jobs: @@ -10,8 +13,6 @@ jobs: runs-on: "(( os_version ))" permissions: contents: read - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Check out Repository id: check-out-repository 
From 77ae7b7462067c15542a446b7cd67ca8433af4c8 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Tue, 2 Jun 2026 10:18:19 +0200 Subject: [PATCH 7/8] Revert to previous state until we can test changes --- .github/actions/security-issues/action.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/actions/security-issues/action.yml b/.github/actions/security-issues/action.yml index a8fcc7601..64e67b470 100644 --- a/.github/actions/security-issues/action.yml +++ b/.github/actions/security-issues/action.yml @@ -44,16 +44,12 @@ runs: - name: Create Security Issue Report shell: bash run: | - ${INPUTS_COMMAND} | tee input - env: - INPUTS_COMMAND: ${{ inputs.command }} + ${{ inputs.command }} | tee input - name: Convert Report To Common Input Format shell: bash run: | - tbx security cve convert ${INPUTS_FORMAT} < input | tee cves.jsonl - env: - INPUTS_FORMAT: ${{inputs.format}} + tbx security cve convert ${{inputs.format}} < input | tee cves.jsonl - name: Filter Issues env: @@ -66,10 +62,9 @@ runs: - name: Create Issues env: GH_TOKEN: ${{ inputs.github-token }} - INPUTS_PROJECT: ${{ inputs.project }} shell: bash run: | - tbx security cve create --project "${INPUTS_PROJECT}" < issues.jsonl | tee created.jsonl + tbx security cve create --project "${{ inputs.project }}" < issues.jsonl | tee created.jsonl - name: Define Output Parameter id: get-created-issues From 83a1b9fa7923f387d8a634c00c9095117e59c60d Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Tue, 2 Jun 2026 10:21:13 +0200 Subject: [PATCH 8/8] Switch to github.ref_name --- .github/workflows/check-release-tag.yml | 2 ++ exasol/toolbox/templates/github/workflows/check-release-tag.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml index a2e251a8e..b22a73290 100644 --- a/.github/workflows/check-release-tag.yml +++ b/.github/workflows/check-release-tag.yml 
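Review bot: this revert puts `${{ inputs.command }}` and `${{inputs.format}}` back into `run:` script text, which is the expression-injection pattern the earlier change removed; the exposure is bounded because composite-action inputs come from the calling workflow file rather than directly from a PR author, but `format` is data, not code, and should not be able to break out of the script. The likely reason the env form failed for `command` is that `${INPUTS_COMMAND}` is only word-split, not re-parsed, so a command containing pipes, redirects or quotes stops working; `eval "$INPUTS_COMMAND" | tee input` keeps shell semantics for a value that is executed by design, while `format` can simply be quoted. The sketch below re-lands the env form with that fix; the `Filter Issues` step after it is unchanged and the unreleased changelog entry for #811 may need adjusting if it was meant to cover this action.

```yaml
    - name: Create Security Issue Report
      shell: bash
      env:
        INPUTS_COMMAND: ${{ inputs.command }}
      run: |
        # eval re-parses the caller-supplied command so pipes/quotes behave as before
        eval "$INPUTS_COMMAND" | tee input

    - name: Convert Report To Common Input Format
      shell: bash
      env:
        INPUTS_FORMAT: ${{ inputs.format }}
      run: |
        tbx security cve convert "$INPUTS_FORMAT" < input | tee cves.jsonl
```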
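Review bot: `--project "${{ inputs.project }}"` is interpolated into the script inside double quotes, so a project value containing `"` or `$(...)` would escape the quoting and run as shell; the same step already passes `github-token` through `env:`, so keeping `project` inline is also inconsistent within the step. Re-landing the two lines from the removed side — `INPUTS_PROJECT: ${{ inputs.project }}` under the existing `env:` and `tbx security cve create --project "$INPUTS_PROJECT" < issues.jsonl | tee created.jsonl` — has none of the shell re-parsing subtlety that affects the `command` input, so it need not wait for the rest of the revert to be re-tested. The step list continues past the hunk (`Define Output Parameter` is cut off).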
@@ -29,5 +29,7 @@ jobs:
 - name: Check Release Tag
 id: check-release-tag
 # make sure the pushed/created tag matched the project version
+ env:
+ GITHUB_REF_NAME: ${{ github.ref_name }}
 run: |-
 [[ "$(poetry version --short)" == "$GITHUB_REF_NAME" ]]
diff --git a/exasol/toolbox/templates/github/workflows/check-release-tag.yml b/exasol/toolbox/templates/github/workflows/check-release-tag.yml
index ff48d6a69..eda38dda8 100644
--- a/exasol/toolbox/templates/github/workflows/check-release-tag.yml
+++ b/exasol/toolbox/templates/github/workflows/check-release-tag.yml
@@ -28,5 +28,7 @@ jobs:
 - name: Check Release Tag
 id: check-release-tag
 # make sure the pushed/created tag matched the project version
+ env:
+ GITHUB_REF_NAME: ${{ github.ref_name }}
 run: |
 [[ "$(poetry version --short)" == "$GITHUB_REF_NAME" ]]
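Review bot: the added `env: GITHUB_REF_NAME: ${{ github.ref_name }}` sets a variable the runner already exports by default with the same value, so the `run:` line — unchanged context in both hunks; the subject's "switch" is only this env mapping — behaves exactly as before; if the intent is to make the dependency explicit rather than rely on runner defaults, say so, e.g. `# set explicitly so the check does not depend on runner-provided defaults`, otherwise the two lines can be dropped. Routing the tag name through `env` rather than into the script is the right shape: a tag name is chosen by whoever pushes it and `github.ref_name` should never appear inside `run:` text. The generated workflow uses `run: |-` while the template uses `run: |`, which suggests the checked-in file was not regenerated from the template; since these files are marked as generated and maintained by the toolbox, regenerate rather than hand-edit.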