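name: Copy CSP Blocks
# Upon merge of a PR in which 'server/configs/application.properties' was updated...
# this workflow copies the Content Security Policy blocks to other repos, as marked by:
# start: "## START OF CSP REPORT BLOCK" or "## START OF CSP ENFORCE BLOCK"
#        (the ENFORCE block is copied twice: still commented-out for the chef repo,
#        and uncommented for the Dockerfile repo)
# end: "## END OF CSP REPORT BLOCK" or "## END OF CSP ENFORCE BLOCK"
# note: if the contents between the start/end have not changed, it's a no-op, and no PRs are pushed to the target repos
# note: if a block comes out empty (markers missing in the source) the copy_csp job fails
#       instead of propagating an empty CSP to the target repos
on:
  pull_request:
    types:
      - closed
    branches:
      - develop
    paths:
      - server/configs/application.properties

# The default GITHUB_TOKEN is only used to read this repo (first checkout);
# the cross-repo checkouts and pull requests use TERRAFORM_TOKEN instead.
permissions:
  contents: read

jobs:
  copy_csp:
    if: github.event.pull_request.merged
    runs-on: ubuntu-latest
    outputs:
      csp_report_on: ${{ steps.cspvars.outputs.csp_report_on }}
      csp_enforce_off: ${{ steps.cspvars.outputs.csp_enforce_off }}
      csp_enforce_on: ${{ steps.cspvars.outputs.csp_enforce_on }}
    steps:
      - name: Check Out Code
        uses: actions/checkout@v4
        with:
          # the PR's head commit, not the merge commit that landed on develop
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Copy CSP blocks into vars
        id: cspvars
        run: |
          src=server/configs/application.properties
          # print the lines strictly between the START/END markers of one block kind ($1 = REPORT or ENFORCE)
          extract() {
            awk "/## END OF CSP $1 BLOCK/{p=0};p;/## START OF CSP $1 BLOCK/{p=1}" "$src"
          }
          # report block, fixing report-uri for non-teamcity usage:
          CSP_REPORT_ON=$( extract REPORT |
            sed 's/report-uri /report-uri https:\/\/www.labkey.org/' )
          # enforce block, fixing report-uri for non-teamcity usage, removing useLocalBuild comment, adding upgrade-insecure-requests:
          CSP_ENFORCE_OFF=$( extract ENFORCE |
            sed 's/^#useLocalBuild#/# /' |
            sed '/base-uri/a# upgrade-insecure-requests ;\\' |
            sed 's/report-uri /report-uri https:\/\/www.labkey.org/' )
          # enforce block, uncommented:
          CSP_ENFORCE_ON=$( extract ENFORCE |
            sed 's/^#useLocalBuild#//' |
            sed '/base-uri/a\ upgrade-insecure-requests ;\\' |
            sed 's/report-uri /report-uri https:\/\/www.labkey.org/' )
          # an empty block means the markers were not found in $src; fail here rather than
          # letting the downstream jobs open PRs that replace the target CSP with nothing
          for v in CSP_REPORT_ON CSP_ENFORCE_OFF CSP_ENFORCE_ON; do
            if [[ -z "${!v}" ]]; then
              echo "::error::$v is empty - check the CSP block markers in $src"
              exit 1
            fi
          done
          # use unique delimiter for multiline outputs: https://stackoverflow.com/a/74256214
          delimiter="$(openssl rand -hex 8)"
          {
            echo "csp_report_on<<${delimiter}"
            echo "$CSP_REPORT_ON"
            echo "${delimiter}"
            echo "csp_enforce_off<<${delimiter}"
            echo "$CSP_ENFORCE_OFF"
            echo "${delimiter}"
            echo "csp_enforce_on<<${delimiter}"
            echo "$CSP_ENFORCE_ON"
            echo "${delimiter}"
          } >> "${GITHUB_OUTPUT}"

  paste_csp_into_chef_repo:
    needs: copy_csp
    runs-on: ubuntu-latest
    env:
      csp_report_on: ${{ needs.copy_csp.outputs.csp_report_on }}
      csp_enforce_off: ${{ needs.copy_csp.outputs.csp_enforce_off }}
      ap_file: "cookbooks/lk_appserver/templates/default/application.properties.erb"
    steps:
      - name: Check out repo
        uses: actions/checkout@v4
        with:
          repository: LabKey/syseng-chef-server
          # token with access to the target repo; create-pull-request below pushes a branch with it
          token: ${{ secrets.TERRAFORM_TOKEN }}
      - name: Paste Into Chef Repo
        run: |
          # block contents go through %s, never through the printf format string,
          # so a '%' inside the CSP cannot be misread as a conversion
          printf '\n\n>>>> %s before I change it: <<<<\n\n' "$ap_file"
          cat "$ap_file"
          printf '\n\n>>>> caught csp_report_on env var: <<<<\n%s\n\n' "$csp_report_on"
          printf '\n\n>>>> caught csp_enforce_off env var: <<<<\n%s\n\n' "$csp_enforce_off"
          printf '\n\n>>>> replacing csp blocks in %s <<<<\n\n' "$ap_file"
          # quoted heredoc: the shell does no expansion on the Python source; all inputs come from the environment
          python <<'EOF'
          import os
          import re
          import sys

          fname = os.environ['ap_file']

          def splice(data, kind, env_name):
              # Replace everything between the START/END markers of one block kind
              # (REPORT or ENFORCE) with the contents of env_name. A callable replacement
              # inserts the text verbatim, so backslashes in the block (properties line
              # continuations) are never interpreted as re.sub group references.
              pattern = re.compile(
                  r'(## START OF CSP ' + kind + r' BLOCK \(DO NOT CHANGE THIS TEXT\))'
                  r'.*?'
                  r'(## END OF CSP ' + kind + r' BLOCK \(DO NOT CHANGE THIS TEXT\))',
                  re.DOTALL)
              body = os.environ[env_name]
              new_data, count = pattern.subn(
                  lambda m: m.group(1) + '\n' + body + '\n' + m.group(2), data)
              if count == 0:
                  # silently leaving the file untouched would hide CSP drift; fail the job instead
                  sys.exit(kind + ' block markers not found in ' + fname)
              return new_data

          with open(fname) as fin:
              data = fin.read()
          data = splice(data, 'REPORT', 'csp_report_on')
          data = splice(data, 'ENFORCE', 'csp_enforce_off')
          with open(fname, 'w') as fout:
              fout.write(data)
          EOF
          printf '\n\n>>>> updated %s: <<<<\n\n' "$ap_file"
          cat "$ap_file"
          git status
          if [[ $(git diff-index --name-only HEAD | grep application.properties) ]]; then
            printf '\n\n>>>> changes detected, so updating chef recipe version <<<<\n\n'
            # bump the last component of the version string in metadata.rb
            NEW_VER=$(grep version cookbooks/lk_appserver/metadata.rb | cut -d '"' -f 2 | awk -F. -v OFS=. '{$NF += 1 ; print}')
            sed -i 's/\(version.*\)".*"/\1"'"$NEW_VER"'"/' cookbooks/lk_appserver/metadata.rb
            # dots escaped so only a real x.y.z version is rewritten
            sed -i 's/\(lk_appserver .*\)([0-9]*\.[0-9]*\.[0-9]*)/\1('"$NEW_VER"')/' Berksfile.lock
          fi
      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ secrets.TERRAFORM_TOKEN }}
          branch: fb_update_csp_per_${{ github.sha }}
          title: "update CSP to match commit ${{ github.sha }}"
          body: "update CSP to match commit ${{ github.sha }}"
          commit-message: "update CSP to match commit ${{ github.sha }}"
          # only these paths are committed; anything else left in the tree is ignored
          add-paths: |
            ${{ env.ap_file }}
            cookbooks/lk_appserver/metadata.rb
            Berksfile.lock
      - name: Check outputs
        if: ${{ steps.cpr.outputs.pull-request-number }}
        run: |
          echo "Chef Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" >> "$GITHUB_STEP_SUMMARY"

  paste_csp_into_dockerfile_repo:
    needs: copy_csp
    runs-on: ubuntu-latest
    env:
      csp_report_on: ${{ needs.copy_csp.outputs.csp_report_on }}
      csp_enforce_on: ${{ needs.copy_csp.outputs.csp_enforce_on }}
      ap_file: "application.properties"
    steps:
      - name: Check out repo
        uses: actions/checkout@v4
        with:
          repository: Labkey/Dockerfile
          # token with access to the target repo; create-pull-request below pushes a branch with it
          token: ${{ secrets.TERRAFORM_TOKEN }}
      - name: Paste Into Dockerfile Repo
        run: |
          # block contents go through %s, never through the printf format string,
          # so a '%' inside the CSP cannot be misread as a conversion
          printf '\n\n>>>> %s before I change it: <<<<\n\n' "$ap_file"
          cat "$ap_file"
          printf '\n\n>>>> caught csp_report_on env var: <<<<\n%s\n\n' "$csp_report_on"
          printf '\n\n>>>> caught csp_enforce_on env var: <<<<\n%s\n\n' "$csp_enforce_on"
          printf '\n\n>>>> replacing csp block in %s <<<<\n\n' "$ap_file"
          # quoted heredoc: the shell does no expansion on the Python source; all inputs come from the environment
          python <<'EOF'
          import os
          import re
          import sys

          fname = os.environ['ap_file']

          def splice(data, kind, env_name):
              # Replace everything between the START/END markers of one block kind
              # (REPORT or ENFORCE) with the contents of env_name. A callable replacement
              # inserts the text verbatim, so backslashes in the block (properties line
              # continuations) are never interpreted as re.sub group references.
              pattern = re.compile(
                  r'(## START OF CSP ' + kind + r' BLOCK \(DO NOT CHANGE THIS TEXT\))'
                  r'.*?'
                  r'(## END OF CSP ' + kind + r' BLOCK \(DO NOT CHANGE THIS TEXT\))',
                  re.DOTALL)
              body = os.environ[env_name]
              new_data, count = pattern.subn(
                  lambda m: m.group(1) + '\n' + body + '\n' + m.group(2), data)
              if count == 0:
                  # silently leaving the file untouched would hide CSP drift; fail the job instead
                  sys.exit(kind + ' block markers not found in ' + fname)
              return new_data

          with open(fname) as fin:
              data = fin.read()
          data = splice(data, 'REPORT', 'csp_report_on')
          data = splice(data, 'ENFORCE', 'csp_enforce_on')
          with open(fname, 'w') as fout:
              fout.write(data)
          EOF
          printf '\n\n>>>> updated %s: <<<<\n\n' "$ap_file"
          cat "$ap_file"
      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ secrets.TERRAFORM_TOKEN }}
          branch: fb_update_csp_per_${{ github.sha }}
          title: "update CSP to match commit ${{ github.sha }}"
          body: "update CSP to match commit ${{ github.sha }}"
          commit-message: "update CSP to match commit ${{ github.sha }}"
          add-paths: ${{ env.ap_file }}
      - name: Check outputs
        if: ${{ steps.cpr.outputs.pull-request-number }}
        run: |
          echo "Dockerfile Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" >> "$GITHUB_STEP_SUMMARY"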