Skip to content

releases: publish nightly builds of dev#12137

Merged
Maffooch merged 59 commits intodevfrom
nightly-dev-build
Apr 30, 2025
Merged

releases: publish nightly builds of dev#12137
Maffooch merged 59 commits intodevfrom
nightly-dev-build

Conversation

@valentijnscholten
Copy link
Copy Markdown
Member

@valentijnscholten valentijnscholten commented Mar 30, 2025
edited
Loading

This PR uses the existing building blocks in our workflows to push a nightly build of the dev branch.

This is useful to user who want to test fixes or new features only available in dev. Or users who just want to run of dev which is very stable for Defect Dojo.

This PR also changes github.event.inputs.xxxx to inputs.xxx. This cost me a lot of time as the old input uses values provided in the UI when starting the workflow ignoring any values provided by the workflow files themselves.

I also tried to publish a nightly bugfix release. But the bugfix branch doesn't get its own version number. We have to decide if it's useful to publish these builds since we have a weekly release cadence for bugfix.

valentijnscholten_defectdojo-django general _ Docker Hub

@github-actions github-actions bot removed the docker label Mar 30, 2025
@valentijnscholten valentijnscholten marked this pull request as ready for review March 31, 2025 15:21
@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity bot commented Mar 31, 2025

DryRun Security Summary

GitHub Actions workflow updates for DefectDojo release processes reveal security vulnerabilities related to secrets handling, input validation, hardcoded credentials, cron scheduling, and workflow permissions.

Expand for full summary

Summary: GitHub Actions workflow patches for DefectDojo release processes, focusing on syntax updates, input handling, and release automation across multiple workflow files.

Security Findings:

  1. Secrets Handling Vulnerability

    • Multiple workflows use secrets: inherit, which could potentially expose more secrets than necessary
    • Risk: Unintended secret exposure across workflows

  2. Input Validation Weakness

    • Limited or no explicit input validation across workflows
    • Potential risk of input injection or unexpected behavior
    • Specifically noted in workflows like release-x-manual-merge-container-digests.yml

  3. Hardcoded Environment Variables

    • Several workflows use predefined, static Git usernames and email addresses
    • While not a critical vulnerability, could potentially be exploited if credentials are predictable

  4. Cron Syntax Issue

    • In release-nightly-dev.yml, the cron expression appears incorrect
    • Could lead to unexpected or missed scheduled builds

  5. Workflow Permission Considerations

    • No explicit workflow permissions defined in most workflows
    • Relies on default GitHub Actions permissions
    • Potential risk of overly broad access

View PR in the DryRun Dashboard.

@Maffooch Maffooch self-requested a review March 31, 2025 15:58
mtesauro
mtesauro approved these changes Apr 1, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@Maffooch Maffooch added this to the 2.46.0 milestone Apr 7, 2025
@Maffooch Maffooch merged commit 339874b into dev Apr 30, 2025
79 checks passed
@Maffooch Maffooch deleted the nightly-dev-build branch April 30, 2025 23:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@dogboat dogboat dogboat approved these changes

@Maffooch Maffooch Maffooch approved these changes

+1 more reviewer

@hblankenship hblankenship hblankenship approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.46.0

Development

Successfully merging this pull request may close these issues.

5 participants

@valentijnscholten @mtesauro @dogboat @hblankenship @Maffooch