From 662afec1d115ad694acbaf869bdb6e24cc98e96c Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Wed, 30 Oct 2024 01:32:17 +0100
Subject: [PATCH 1/4] doc: add an example for using the keytype ed25519 when using DKIM & Rspamd (#4243)

---
 target/bin/rspamd-dkim | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/bin/rspamd-dkim b/target/bin/rspamd-dkim
index 689aa7d5..b376271b 100755
--- a/target/bin/rspamd-dkim
+++ b/target/bin/rspamd-dkim
@@ -55,6 +55,10 @@ ${ORANGE}EXAMPLES${RESET}
 ${LWHITE}setup config dkim domain example.com${RESET}
 Generate the DKIM key for a different domain (example.com).
+ ${LWHITE}setup config dkim keytype ed25519 domain edward.com selector elliptic-test${RESET}
+ Generate the DKIM key using the ED25519 elliptic curve for the domain
+ edward.com and the selector elliptic-test.
+
 ${ORANGE}EXIT STATUS${RESET}
 Exit status is 0 if command was successful. If wrong arguments are provided or arguments contain errors, the script will exit early with a non-zero exit status.

From e6bd0b0a0932f11c60541322e769f3d10b711552 Mon Sep 17 00:00:00 2001
From: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Date: Fri, 1 Nov 2024 14:11:33 +1300
Subject: [PATCH 2/4] ci(pr-docs): Acquire metadata from context (#4244)

The metadata needed is available via context, prefer this approach instead.

---
 .github/workflows/docs-preview-deploy.yml | 29 ++++++++++++++++++----
 .github/workflows/docs-preview-prepare.yml | 17 +------------
 2 files changed, 25 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/docs-preview-deploy.yml b/.github/workflows/docs-preview-deploy.yml
index 7c924f86..37b5464e 100644
--- a/.github/workflows/docs-preview-deploy.yml
+++ b/.github/workflows/docs-preview-deploy.yml
@@ -16,14 +16,20 @@ jobs:
 preview:
 name: 'Deploy Preview'
 runs-on: ubuntu-22.04
- if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
+ # Requires a PR event triggered `docs-preview-prepare.yml` workflow run that was successful + ensure the head SHA belongs to an associated PR:
+ if: |
+ ${{
+ github.event.workflow_run.conclusion == 'success'
+ && github.event.workflow_run.event == 'pull_request'
+ && contains(github.event.workflow_run.pull_requests.*.head.sha, github.event.workflow_run.head_sha)
+ }}
 steps:
 # ======================== #
 # Restore workflow context #
 # ======================== #
- # Retrieve the artifact uploaded from `docs-preview-prepare.yml` workflow run that triggered this deployment
+ # Retrieve the build artifact uploaded from the `docs-preview-prepare.yml` workflow run (that triggered this deployment workflow):
 - name: 'Download build artifact'
 uses: actions/download-artifact@v4
 with:
@@ -34,8 +40,18 @@ jobs:
 - name: 'Extract build artifact'
 run: tar -xf artifact.tar.zst
- - name: 'Restore preserved ENV'
- run: cat pr.env >> "${GITHUB_ENV}"
+ # The `workflow_run` metadata contains an array of `pull_requests`, get the `workflow_run` equivalent of `github.event.pull_request.number`.
+ # There should only be one PR item in the array, verify that it shares the same `head_sha` (latest commit of PR).
+ - name: 'Get PR number'
+ env:
+ head_sha: ${{ github.event.workflow_run.head_sha }}
+ pull_requests: ${{ tojson(github.event.workflow_run.pull_requests) }}
+ run: |
+ PR_NUMBER=$(jq -r '[.[] | select(.head.sha == "${{ env.head_sha }}")][0].number' <<< '${{ env.pull_requests }}')
+ {
+ echo "PR_NUMBER=${PR_NUMBER}"
+ echo 'PR_HEADSHA=${{ env.head_sha }}'
+ } >> "${GITHUB_ENV}"
 # ==================== #
 # Deploy preview build #
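Review bot: The new `if: |` block wraps the entire multi-line condition in `${{` … `}}`, and GitHub does not evaluate that form as a boolean gate: the block scalar becomes a string with the expression interpolated into it, and any non-empty string satisfies `if`, so the `preview` job would also run for failed or non-PR `workflow_run` events. Remove the `${{` and `}}` lines and leave the three condition lines directly under `if: |`, which is the form GitHub evaluates as an expression. A short comment above the block would keep the wrapper from being reintroduced, e.g. `# NOTE: do not wrap a multi-line if in ${{ }}; it would be parsed as a string and always pass`. The rest of the `preview` job continues past the hunk.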
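Review bot: In the new 'Get PR number' step, `<<< '${{ env.pull_requests }}'` expands the JSON of `workflow_run.pull_requests` into the script text before it runs; that object carries contributor-controlled fields such as `head.ref`, and a single quote in one of them ends the quoted here-string so the remainder is interpreted as shell, in a job that later holds `NETLIFY_AUTH_TOKEN` and `GITHUB_TOKEN`. The value is already exported as the `pull_requests` env var, so read it at runtime instead: `PR_NUMBER=$(jq -r --arg sha "${head_sha}" '[.[] | select(.head.sha == $sha)][0].number' <<< "${pull_requests}")`. `jq` prints `null` when nothing matches, which would later yield a `pullrequest-null` site prefix, so validate before exporting: `[[ "${PR_NUMBER}" =~ ^[0-9]+$ ]] || { echo 'no PR matched head_sha'; exit 1; }`. The `echo 'PR_HEADSHA=${{ env.head_sha }}'` line can likewise become `echo "PR_HEADSHA=${head_sha}"`.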
@@ -61,6 +77,9 @@ jobs:
 env:
 NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
 NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
+ # Keep these two ENV in sync with the `docs-preview-prepare.yml` workflow:
+ BUILD_DIR: docs/site
+ NETLIFY_SITE_PREFIX: pullrequest-${{ env.PR_NUMBER }}
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 # Fail the job early if credentials are missing / invalid:
@@ -71,7 +90,7 @@ jobs:
 # Only publish the contents of the build output:
 publish-dir: ${{ env.BUILD_DIR }}
 # Custom message for the deploy log on Netlify:
- deploy-message: '${{ env.PR_TITLE }} (PR #${{ env.PR_NUMBER }} @ commit: ${{ env.PR_HEADSHA }})'
+ deploy-message: 'Preview Build (PR #${{ env.PR_NUMBER }} @ commit: ${{ env.PR_HEADSHA }})'
 # Note: Split workflow incorrectly references latest primary branch commit for deployment.
 # Assign to non-default Deployment Environment for better management:
diff --git a/.github/workflows/docs-preview-prepare.yml b/.github/workflows/docs-preview-prepare.yml
index cee5562a..bf7ad135 100644
--- a/.github/workflows/docs-preview-prepare.yml
+++ b/.github/workflows/docs-preview-prepare.yml
@@ -54,23 +54,8 @@ jobs:
 # ============================== #
 # Minimize risk of upload failure by bundling files to a single compressed archive (tar + zstd).
- # Bundles build dir and env file into a compressed archive, nested file paths will be preserved.
 - name: 'Prepare artifact for transfer'
- env:
- # As a precaution, reference this value by an interpolated ENV var;
- # instead of interpolating user controllable input directly in the shell script..
- # https://github.com/docker-mailserver/docker-mailserver/issues/2332#issuecomment-998326798
- PR_TITLE: ${{ github.event.pull_request.title }}
- run: |
- # Save ENV for transfer
- {
- echo "PR_HEADSHA=${{ github.event.pull_request.head.sha }}"
- echo "PR_NUMBER=${{ github.event.pull_request.number }}"
- echo "PR_TITLE=${PR_TITLE}"
- echo "NETLIFY_SITE_PREFIX=${{ env.NETLIFY_SITE_PREFIX }}"
- echo "BUILD_DIR=${{ env.BUILD_DIR }}"
- } >> pr.env
- tar --zstd -cf artifact.tar.zst pr.env ${{ env.BUILD_DIR }}
+ run: tar --zstd -cf artifact.tar.zst ${{ env.BUILD_DIR }}
 - name: 'Upload artifact for workflow transfer'
 uses: actions/upload-artifact@v4

From dc0a6403b22536ce72841b48636abf7a254a4dbd Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Nov 2024 09:21:53 +1300
Subject: [PATCH 3/4] chore(deps): Bump anchore/scan-action from 5.1.0 to 5.2.0 (#4249)

Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 5.1.0 to 5.2.0.
- [Release notes](https://github.com/anchore/scan-action/releases)
- [Changelog](https://github.com/anchore/scan-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/anchore/scan-action/compare/v5.1.0...v5.2.0)

---
updated-dependencies:
- dependency-name: anchore/scan-action
 dependency-type: direct:production
 update-type: version-update:semver-minor
...
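Review bot: The rewritten `run: tar --zstd -cf artifact.tar.zst ${{ env.BUILD_DIR }}` still splices a context expression into the shell text at template time, while the deleted comment block was the only place recording why runtime env references are preferred over interpolating `${{ }}` into `run:` scripts. `BUILD_DIR` appears to be set by the workflow itself rather than from event input, so this is a convention point rather than an exposure, but `run: tar --zstd -cf artifact.tar.zst "${BUILD_DIR}"` would keep the step consistent with that practice. Keeping a one-line version of the rationale above the step, e.g. `# Reference workflow ENV at runtime ("${VAR}") instead of interpolating ${{ }} into the script (see #2332)`, preserves the context the removed comment carried.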
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/generic_vulnerability-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/generic_vulnerability-scan.yml b/.github/workflows/generic_vulnerability-scan.yml
index 42fa30f3..b96d8ea5 100644
--- a/.github/workflows/generic_vulnerability-scan.yml
+++ b/.github/workflows/generic_vulnerability-scan.yml
@@ -55,7 +55,7 @@ jobs:
 provenance: false
 - name: 'Run the Anchore Grype scan action'
- uses: anchore/scan-action@v5.1.0
+ uses: anchore/scan-action@v5.2.0
 id: scan
 with:
 image: mailserver-testing:ci

From 0ff9c0132a8914d6756739a7a3b085e47870b93d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 5 Nov 2024 00:50:08 +0100
Subject: [PATCH 4/4] ci: Revise `docs-preview-deploy.yml` (#4247)

- Fixes the `if` condition that was recently adjusted.
- Better documents concerns for maintainers to be aware of.
- Reference the `pull_requests` ENV at runtime instead of embedding content into the script via GHA context expression. This is a better practice which prevent exploits from untrusted inputs (_notably for context objects which might introduce new fields in future_).

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
---
 .github/workflows/docs-preview-deploy.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/docs-preview-deploy.yml b/.github/workflows/docs-preview-deploy.yml
index 37b5464e..02dc4183 100644
--- a/.github/workflows/docs-preview-deploy.yml
+++ b/.github/workflows/docs-preview-deploy.yml
@@ -17,12 +17,12 @@ jobs:
 name: 'Deploy Preview'
 runs-on: ubuntu-22.04
 # Requires a PR event triggered `docs-preview-prepare.yml` workflow run that was successful + ensure the head SHA belongs to an associated PR:
+ # NOTE: A multi-line `if` GHA expression must avoid wrapping with `${{ }}`, otherwise it is unintentionally parsed as a string:
+ # https://github.com/nikitastupin/pwnhub/blob/main/writings/if-condition.md
 if: |
- ${{
- github.event.workflow_run.conclusion == 'success'
- && github.event.workflow_run.event == 'pull_request'
- && contains(github.event.workflow_run.pull_requests.*.head.sha, github.event.workflow_run.head_sha)
- }}
+ github.event.workflow_run.conclusion == 'success'
+ && github.event.workflow_run.event == 'pull_request'
+ && contains(github.event.workflow_run.pull_requests.*.head.sha, github.event.workflow_run.head_sha)
 steps:
 # ======================== #
@@ -42,12 +42,14 @@ jobs:
 # The `workflow_run` metadata contains an array of `pull_requests`, get the `workflow_run` equivalent of `github.event.pull_request.number`.
 # There should only be one PR item in the array, verify that it shares the same `head_sha` (latest commit of PR).
+ # NOTE: Careful when using GHA context expressions that may have untrusted input here. The expressions are evaluated before the script content itself is run:
+ # https://github.com/docker-mailserver/docker-mailserver/pull/4247#discussion_r1827067475
 - name: 'Get PR number'
 env:
 head_sha: ${{ github.event.workflow_run.head_sha }}
 pull_requests: ${{ tojson(github.event.workflow_run.pull_requests) }}
 run: |
- PR_NUMBER=$(jq -r '[.[] | select(.head.sha == "${{ env.head_sha }}")][0].number' <<< '${{ env.pull_requests }}')
+ PR_NUMBER=$(jq -r '[.[] | select(.head.sha == "${{ env.head_sha }}")][0].number' <<< "${pull_requests}")
 {
 echo "PR_NUMBER=${PR_NUMBER}"
 echo 'PR_HEADSHA=${{ env.head_sha }}'
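Review bot: The corrected condition silently skips the job whenever `github.event.workflow_run.pull_requests` is empty, because `contains()` over an empty array is false; GitHub reportedly leaves that array empty for some fork-originated runs, so fork PRs may get neither a preview nor a failure signal. That may be the intended behaviour, but it is worth confirming and recording next to the condition, e.g. `# NOTE: pull_requests may be empty for fork-originated runs; the job is then skipped rather than failed.` The `if` block is complete within the hunk; the surrounding `preview` job continues outside it.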