25 changes: 24 additions & 1 deletion .github/actions/deb-delivery/action.yml
Expand Up @@ -47,7 +47,15 @@ runs:
with:
distrib: ${{ inputs.distrib }}

- name: Store list of restored DEB packages in text file
if: inputs.stability == 'testing'
shell: bash
run: |
ls ./*.deb > deb_packages.txt

- name: Publish DEBs
id: publish-debs
shell: bash
run: |
FILES="*.deb"

Expand Down Expand Up @@ -85,7 +93,8 @@ runs:
ROOT_REPO_PATH_SUFFIX="-internal"
fi

ROOT_REPO_PATH="${ROOT_REPO_PATH_PREFIX}standard${ROOT_REPO_PATH_SUFFIX}"
ROOT_REPO_PATH="${ROOT_REPO_PATH_PREFIX}kdu${ROOT_REPO_PATH_SUFFIX}"
echo "root_repo_path=$ROOT_REPO_PATH" >> $GITHUB_OUTPUT

# Cleanup (equivalent to --sync-deletes done with RPMs)
# This is a workaround the fact that jfrog cli does not allow upload
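Review bot: the change from `standard` to `kdu` on the `ROOT_REPO_PATH=` line redirects every DEB delivery to a different Artifactory repository, which is unrelated to the "compare delivered files" feature this PR otherwise adds. If `kdu` is a temporary target for trying out the new check on this draft, flag it as such and revert before merge; if it is intentional, the PR description should say why the repository name changes.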
Expand Down Expand Up @@ -133,4 +142,18 @@ runs:
done

curl -H "Authorization: Bearer ${{ inputs.artifactory_token }}" -X POST "https://centreon.jfrog.io/artifactory/api/deb/reindex/$ROOT_REPO_PATH?async=0"

Comment on lines 59 to +145

Template Injection in GitHub Workflows Action - critical severity
A GitHub Actions workflow step contains a template expression referencing potentially untrusted GitHub context fields. This may allow malicious input to be injected into shell commands, leading to a potential supply chain attack as tokens of the CI/CD pipeline could be exfiltrated.

Remediation: Review your GitHub Actions workflow for any template expressions that interpolate GitHub context values, especially those ending with unsafe suffixes such as 'body', 'title', 'email', 'head_ref', etc. Sanitize or validate these inputs before use, or refactor the workflow to avoid directly embedding untrusted data in shell commands.

Reply @AikidoSec ignore: [REASON] to ignore this issue.

- name: Compare list of files with delivered files
if: inputs.stability == 'testing'
shell: bash
run: |
DELIVERED_PACKAGES=$(jf rt search "${{ steps.publish-debs.outputs.root_repo_path }}/pool/${{ inputs.version }}/${{ inputs.stability }}/${{ inputs.release_type }}/${{ inputs.module_name }}/*.deb" | jq -r '.[].path | split("/") | last')
ORIGINAL_PACKAGES=$(cat deb_packages.txt)
MISSING_PACKAGES=0
for PACKAGE in $ORIGINAL_PACKAGES; do
if ! echo "$DELIVERED_PACKAGES" | grep -q "$(basename "$PACKAGE")"; then
echo "::error::[${{ github.job }}] Package $PACKAGE was not successfully delivered or found in repository."
MISSING_PACKAGES=1
fi
done
[[ $MISSING_PACKAGES -eq 0 ]] || exit 1
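Review bot: `grep -q "$(basename "$PACKAGE")"` in the comparison loop is a regex substring match, so a `+` in a Debian version string (for example `1.0+dfsg`) is interpreted as a regex operator and `foo.deb` also matches `libfoo.deb`; use `grep -qxF` to compare whole lines literally. Separately, the `jf rt search` argument interpolates `inputs.version`, `inputs.stability`, `inputs.release_type` and `inputs.module_name` straight into the script, which is what the scanner comment on these lines flags; passing them through `env:` and referencing `"$VERSION"`, `"$MODULE_NAME"` and so on keeps those values as data rather than shell code, with no change in behaviour when the inputs are well formed.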
Comment on lines +149 to +159

Template Injection in GitHub Workflows Action - critical severity
A GitHub Actions workflow step contains a template expression referencing potentially untrusted GitHub context fields. This may allow malicious input to be injected into shell commands, leading to a potential supply chain attack as tokens of the CI/CD pipeline could be exfiltrated.

Remediation: Review your GitHub Actions workflow for any template expressions that interpolate GitHub context values, especially those ending with unsafe suffixes such as 'body', 'title', 'email', 'head_ref', etc. Sanitize or validate these inputs before use, or refactor the workflow to avoid directly embedding untrusted data in shell commands.

Reply @AikidoSec ignore: [REASON] to ignore this issue.

26 changes: 25 additions & 1 deletion .github/actions/rpm-delivery/action.yml
Expand Up @@ -47,6 +47,12 @@ runs:
JF_URL: https://packages.centreon.com
JF_ACCESS_TOKEN: ${{ inputs.artifactory_token }}

- name: Store list of restored RPM packages in text file
if: inputs.stability == 'testing'
shell: bash
run: |
ls ./*.rpm > rpm_packages.txt

- if: inputs.delivery_type == 'feature'
name: Create a rpm feature repository
shell: bash
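Review bot: `ls ./*.rpm > rpm_packages.txt` has the same failure mode as the DEB variant: with no .rpm restored the unmatched glob makes ls exit non-zero and the step dies under the default `bash -e`, so the comparison never runs. `find . -maxdepth 1 -name '*.rpm' > rpm_packages.txt` records an empty list instead and leaves the "is an empty set an error" decision to the comparison step.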
Expand Down Expand Up @@ -100,6 +106,7 @@ runs:

- name: Publish RPMs
shell: bash
id: publish-rpms
env:
JF_URL: https://packages.centreon.com
JF_ACCESS_TOKEN: ${{ inputs.artifactory_token }}
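Review bot: `id: publish-rpms` is inserted between `shell:` and `env:`, while the DEB action places `id: publish-debs` directly after `name:`; keep the same key order in both actions so the two delivery steps stay easy to diff against each other.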
Expand Down Expand Up @@ -157,8 +164,9 @@ runs:
elif [[ "${{ inputs.is_cloud }}" == "true" ]]; then
ROOT_REPO_PATH="rpm-standard-internal"
else
ROOT_REPO_PATH="rpm-standard"
ROOT_REPO_PATH="test-rpm-standard"
fi
echo "root_repo_path=$ROOT_REPO_PATH" >> $GITHUB_OUTPUT

for ARCH in "noarch" "x86_64"; do
if [[ "${{ inputs.release_type }}" == "hotfix" || "${{ inputs.release_type }}" == "release" ]]; then
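Review bot: `ROOT_REPO_PATH="test-rpm-standard"` replaces the production `rpm-standard` target in the default branch of the if/elif/else, so every non-cloud RPM delivery would land in the test repository once this merges. If it is scaffolding for exercising the new comparison step, revert it before the PR leaves draft. On the new `echo` line, quote `"$GITHUB_OUTPUT"` for consistency with the quoting used for the other expansions in this block.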
Expand All @@ -174,3 +182,19 @@ runs:

curl -H "Authorization: Bearer ${{ env.JF_ACCESS_TOKEN }}" -X POST "${{ env.JF_URL }}/artifactory/api/yum/$ROOT_REPO_PATH?path=/${{ inputs.version }}/${{ inputs.distrib }}/${REINDEX_STABILITY}/$ARCH&async=1"
done

- name: Compare list of files with delivered files
if: inputs.stability == 'testing'
shell: bash
run: |
DELIVERED_PACKAGES=$(jf rt search "${{ steps.publish-rpms.outputs.root_repo_path }}/${{ inputs.version }}/${{ inputs.distrib }}/${{ inputs.stability }}-${{ inputs.release_type }}/${{ inputs.module_name }}/*.rpm" | jq -r '.[].path | split("/") | last')
ORIGINAL_PACKAGES=$(cat rpm_packages.txt)
MISSING_PACKAGES=0
for PACKAGE in $ORIGINAL_PACKAGES; do
if ! echo "$DELIVERED_PACKAGES" | grep -q "$(basename "$PACKAGE")"; then
echo "::error::[${{ github.job }}] Package $PACKAGE was not successfully delivered or found in repository."
MISSING_PACKAGES=1
continue
fi
done
[[ $MISSING_PACKAGES -eq 0 ]] || exit 1
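Review bot: the `continue` after `MISSING_PACKAGES=1` is dead code, since the `if` block closes immediately and the loop advances anyway; the DEB action's loop omits it, so drop it here too. `grep -q "$(basename "$PACKAGE")"` is a regex substring match, so RPM filenames containing `.` or `+` are matched loosely and `foo.rpm` also matches `libfoo.rpm`; `grep -qxF` gives the exact literal comparison the step intends. As in the DEB action, routing `inputs.version`, `inputs.distrib`, `inputs.stability`, `inputs.release_type` and `inputs.module_name` through `env:` instead of interpolating them into the `jf rt search` string addresses the template-injection finding the scanner raises on these lines.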
Comment on lines +189 to +200

Template Injection in GitHub Workflows Action - critical severity
A GitHub Actions workflow step contains a template expression referencing potentially untrusted GitHub context fields. This may allow malicious input to be injected into shell commands, leading to a potential supply chain attack as tokens of the CI/CD pipeline could be exfiltrated.

Remediation: Review your GitHub Actions workflow for any template expressions that interpolate GitHub context values, especially those ending with unsafe suffixes such as 'body', 'title', 'email', 'head_ref', etc. Sanitize or validate these inputs before use, or refactor the workflow to avoid directly embedding untrusted data in shell commands.

Reply @AikidoSec ignore: [REASON] to ignore this issue.

2 changes: 1 addition & 1 deletion .github/workflows/get-environment.yml
Expand Up @@ -320,7 +320,7 @@ jobs:
case /(^develop$)|(^dev-\d{2}\.\d{2}\.x$)|(^prepare-release-cloud.*)/.test(refName):
console.log(`Matched 'unstable' pattern`);
return 'unstable';
case /(^release.+)|(^hotfix.+)/.test(refName):
case /(^release.+)|(^MON-195796-dev-25.10.x$)|(^hotfix.+)/.test(refName):
console.log(`Matched 'testing' pattern`);
return 'testing';
case /(^master$)|(^\d{2}\.\d{2}\.x$)/.test(refName):
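Review bot: the changed `case` line hard-codes the literal branch name `MON-195796-dev-25.10.x` into the `testing` classification, which only serves this ticket's branch and becomes dead once that branch is merged or deleted; if it is there to trial the new delivery checks, remove it before merge. If a permanent mapping is wanted, express it as a pattern in the style of the `dev-\d{2}\.\d{2}\.x` rule used for `unstable` (and escape the dots, since `25.10.x` currently matches any character in those positions) and explain the intent in the PR description.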