Add a job that runs diagnostics #144
Conversation
jsf9k
added
the
improvement
jsf9k
requested review from
dav3r,
felddy,
jasonodoom and
mcdonnnj
as code owners
There was a problem hiding this comment.
Thanks for setting up this PR! I'm on board but I have two thoughts for consideration. First, would you please add this to the list of commented out dependencies in the Dependabot configuration:
skeleton-generic/.github/dependabot.yml
Lines 15 to 21 in bd762fe
Second, and this one is more a thought, what do you think about adding a
needs block to the lint job and requiring the diagnostics job? Even if the diagnostics job does not currently leverage the ability for the Action to fail depending on the GitHub status, if the job has a problem while running that will generally not be a good sign for the lint job to run.
jsf9k
force-pushed
the
improvement/add-github-status-jazz
branch
from
f708ed4
to
f88b9d2
Compare
|
jsf9k
changed the title
jsf9k
force-pushed
the
improvement/add-github-status-jazz
branch
from
a737e7d
to
e49ee95
Compare
|
@jsf9k Would you please update the PR description to include the addition of the |
I just did it while you were writing your comment. Synchronicity! |
|
I'm don't think that the step-security/harden-runner Action is covering the I created commit 2bddec4 to test this hypothesis. |
Oh, right. Each job is its own runner so it would need to be used in every job you want hardened. |
Looks like I was correct, so I'll leave the commit in place. |
@jsf9k Yes, please see my comment in #144 (comment). Also you may want to mention that the |
Please see commit 69dd196. |
mcdonnnj
added
the
kraken 🐙
github-merge-queue
bot
removed this pull request from the merge queue due to a conflict with the base branch
This action is added in a separate "diagnostics" job. As configured it will never fail, but it will print out the status of the various GitHub components. This information will sometimes be useful when determining why builds fail after the fact. Co-authored-by: Mark Feldhousen <mark.feldhousen@gwe.cisa.dhs.gov> Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
Even though the diagnostics job is not currently configured to fail due to the GitHub status, it is still true that if the job is unable to run that does not bode well for the lint job's successful execution. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
This can be useful when debugging why a GH Action failed. Co-authored-by: felddy <mark.feldhousen@gwe.cisa.dhs.gov>
This GH Action is being configured to run in audit mode. It should warn us if an Action is reaching out to an unexpected web address, overwriting source code, etc. Co-authored-by: felddy <mark.feldhousen@gwe.cisa.dhs.gov>
This task can only provide coverage for the job that contains it.
We need a reminder add the step-security/harden-runner action at the top of every job. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
mcdonnnj
force-pushed
the
improvement/add-github-status-jazz
branch
from
69dd196
to
bb81ec3
Compare
The CodeQL workflow already had a harden-runner task, but it's good to agree everywhere with the changes we made to the build.yml workflow in cisagov/skeleton-generic#144.
The CodeQL workflow already had a harden-runner task, but it's good to agree everywhere with the changes we made to the build.yml workflow in cisagov/skeleton-generic#144.
It's good to agree everywhere with the changes we made to the build.yml workflow in cisagov/skeleton-generic#144.
It's good to agree everywhere with the changes we made to the build.yml workflow in cisagov/skeleton-generic#144.
🗣 Description
This pull request adds a
diagnosticsjob that runs these GitHub Actions:💭 Motivation and context
The GitHub Actions listed above are added in a separate
diagnosticsjob. As configured the actions should never fail, but they will print out information that may be useful in diagnosing workflow failures.🧪 Testing
All automated tests pass. I verified that the expected outputs appear in the GitHub Actions log (also here).
✅ Pre-approval checklist