Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CI] - workflow maintenance #2984

Open
wants to merge 21 commits into
base: master
Choose a base branch
from
Open

Conversation

RomarQ
Copy link
Contributor

@RomarQ RomarQ commented Sep 30, 2024

What does it do?

What important points reviewers should know?

Is there something left for follow-up PRs?

What alternative implementations were considered?

Are there relevant PRs or issues in other repositories (Substrate, Polkadot, Frontier, Cumulus)?

What value does it bring to the blockchain users?

@RomarQ RomarQ added B0-silent Changes should not be mentioned in any release notes ci Continuous Integration pipeline D2-notlive PR doesn't change runtime code (so can't be audited) labels Sep 30, 2024
Copy link
Contributor

github-actions bot commented Sep 30, 2024

WASM runtime size check:

Compared to target branch

Moonbase runtime: 2280 KB (no changes) ✅

Moonbeam runtime: 2236 KB (no changes) ✅

Moonriver runtime: 2256 KB (no changes) ✅

Compared to latest release (runtime-3200)

Moonbase runtime: 2280 KB (+320 KB compared to latest release) ⚠️

Moonbeam runtime: 2236 KB (+312 KB compared to latest release) ⚠️

Moonriver runtime: 2256 KB (+332 KB compared to latest release) ⚠️

Copy link
Contributor

github-actions bot commented Sep 30, 2024

Coverage Report

@@                        Coverage Diff                        @@
##           master   noandrea-workflow-maintenance      +/-   ##
=================================================================
+ Coverage   79.01%                          79.12%   +0.11%     
- Files         305                             303       -2     
- Lines       88446                           88015     -431     
=================================================================
- Hits        69878                           69637     -241     
- Misses      18568                           18378     -190     
Files Changed Coverage
/pallets/erc20-xcm-bridge/src/erc20_trap.rs 68.18% (+68.18%) 🔼
/pallets/erc20-xcm-bridge/src/xcm_holding_ext.rs 94.74% (-5.26%) 🔽
/pallets/moonbeam-foreign-assets/src/lib.rs 69.06% (-1.34%) 🔽
/pallets/moonbeam-xcm-benchmarks/src/weights/generic.rs 4.26% (+1.67%) 🔼
/pallets/moonbeam-xcm-benchmarks/src/weights/mod.rs 13.61% (+3.66%) 🔼
/pallets/xcm-transactor/src/lib.rs 89.44% (-0.02%) 🔽
/precompiles/gmp/src/lib.rs 15.87% (+1.65%) 🔼
/precompiles/gmp/src/mock.rs 26.53% (+6.06%) 🔼
/precompiles/xtokens/src/lib.rs 95.70% (-0.44%) 🔽
/precompiles/xtokens/src/mock.rs 77.88% (+24.50%) 🔼
/precompiles/xtokens/src/tests.rs 99.51% (+0.08%) 🔼
/primitives/xcm/src/origin_conversion.rs 61.76% (-28.04%) 🔽
/runtime/common/src/migrations.rs 72.09% (+5.99%) 🔼
/runtime/common/src/weights/pallet_assets.rs 8.94% (+0.06%) 🔼
/runtime/common/src/weights/pallet_parachain_staking.rs 19.59% (+0.23%) 🔼
/runtime/common/src/weights/pallet_xcm.rs 0.00% (-5.23%) 🔽
/runtime/moonbase/src/lib.rs 52.54% (-0.01%) 🔽
/runtime/moonbase/tests/integration_test.rs 99.37% (-0.01%) 🔽
/runtime/moonbase/tests/xcm_mock/parachain.rs 60.85% (-0.22%) 🔽
/runtime/moonbeam/src/lib.rs 46.70% (-0.08%) 🔽
/runtime/moonbeam/src/xcm_config.rs 47.47% (+2.02%) 🔼
/runtime/moonbeam/tests/integration_test.rs 99.37% (-0.01%) 🔽
/runtime/moonbeam/tests/xcm_mock/parachain.rs 60.85% (-0.22%) 🔽
/runtime/moonriver/src/lib.rs 46.92% (-0.08%) 🔽
/runtime/moonriver/tests/integration_test.rs 99.35% (-0.01%) 🔽
/runtime/moonriver/tests/xcm_mock/parachain.rs 61.57% (-0.22%) 🔽
/runtime/moonriver/tests/xcm_tests.rs 99.93% (-0.01%) 🔽

Coverage generated Thu Oct 17 10:10:35 UTC 2024

@noandrea noandrea added the D9-needsaudit👮 PR contains changes to fund-managing logic that should be properly reviewed and externally audited label Oct 23, 2024
@vanhauser-thc
Copy link

@RomarQ should this PR strengthen the security of the github actions? if so, how? (besides the repository content being set to read-only)

@RomarQ
Copy link
Contributor Author

RomarQ commented Oct 30, 2024

@RomarQ should this PR strengthen the security of the github actions? if so, how? (besides the repository content being set to read-only)

@noandrea and @pLabarta are the ones working on the CI/CD improvements. To properly strengthen it, the continuous delivery jobs need to be moved to another repository without self-hosted runners.

@noandrea
Copy link
Collaborator

@vanhauser-thc this pr focus on limiting the permissions of the github token used by the runners and limiting the use of self-hosted runners to the minimum.

@vanhauser-thc
Copy link

@noandrea

If I understand this correctly:
lazy-loading-tests and zombie_upgrade_test use secrets and allow being triggered from PRs from forked repositories.

twiggy could be used to write messages to a PR - not a huge security impact though.

@RomarQ
Copy link
Contributor Author

RomarQ commented Nov 4, 2024

@noandrea

If I understand this correctly: lazy-loading-tests and zombie_upgrade_test use secrets and allow being triggered from PRs from forked repositories.

twiggy could be used to write messages to a PR - not a huge security impact though.

It is nothing related to any test component. It is just a combination of how github workflows can get triggered and with the fact that we use self-hosted runners. You can find more info here: https://www.synacktiv.com/en/publications/github-actions-exploitation-self-hosted-runners

@vanhauser-thc
Copy link

@noandrea
If I understand this correctly: lazy-loading-tests and zombie_upgrade_test use secrets and allow being triggered from PRs from forked repositories.
twiggy could be used to write messages to a PR - not a huge security impact though.

It is nothing related to any test component. It is just a combination of how github workflows can get triggered and with the fact that we use self-hosted runners. You can find more info here: https://www.synacktiv.com/en/publications/github-actions-exploitation-self-hosted-runners

I know. I am pointing out though what issues are likely still present after merging this PR which tries to restrict what workflows can do.

@RomarQ RomarQ marked this pull request as ready for review November 7, 2024 10:11
@RomarQ RomarQ requested review from a team as code owners November 7, 2024 10:11
Copy link
Collaborator

@crystalin crystalin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good, but I have some questions about the GHA instances and about the versioning of the docker images

@@ -19,8 +19,9 @@ jobs:
####### Check files and formatting #######

set-tags:
runs-on:
labels: bare-metal
runs-on: ubuntu-latest
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We used to rely on bare-metal for coverage as it required a lot of computation (for compiling rust with coverage data IIRC). Is it intended to move it back default instances ?


jobs:
####### Building binaries #######

build-binary:
runs-on: bare-metal
runs-on: ubuntu-latest
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it intended ?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might make the wholme process a lot slower

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is intended, a default runner provider better isolation and the job is part of the release process, and therefore is a relatively rare event

@@ -14,7 +14,9 @@ on:
jobs:
####### Building binaries #######
setup-scripts:
runs-on: bare-metal
runs-on: ubuntu-latest
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see the reply above

@@ -2,7 +2,7 @@
#
# Requires to run from repository root and to copy the binary in the build folder (part of the release workflow)

FROM docker.io/library/ubuntu:20.04 AS builder
FROM debian:stable AS builder
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using stable mean that the version might change and introduce failure at some point.
I'm not sure if it is better than specifying a version that we manually update every 2 years when we have time to test it

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

across the MBF organization, there are different versions of docker images involved in running/testing/... the moonbeam binary, and changing a version in one repository usually causes other processes to break. The change aims to have a consistent version of the image across repositories, and to keep using an up-to-date version (without being bleeding-edge) of the build images. The stable release do not changes very often, around every 2y afaik

crystalin
crystalin previously approved these changes Nov 9, 2024
@noandrea
Copy link
Collaborator

@noandrea

If I understand this correctly: lazy-loading-tests and zombie_upgrade_test use secrets and allow being triggered from PRs from forked repositories.

twiggy could be used to write messages to a PR - not a huge security impact though.

on the repository configuration (admin interface) we have setup that pr from forks need to be approved and also any changes to pr requires a new authorization.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
B0-silent Changes should not be mentioned in any release notes ci Continuous Integration pipeline D2-notlive PR doesn't change runtime code (so can't be audited) D9-needsaudit👮 PR contains changes to fund-managing logic that should be properly reviewed and externally audited
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants