Closed
Changes from 22 commits
18 changes: 18 additions & 0 deletions .github/workflows/ngrok.yaml
@@ -0,0 +1,18 @@
name: CI

Copilot AI Apr 1, 2026


File/workflow naming is confusing: the workflow file is ngrok.yaml, but it configures an upterm session and the workflow name is the generic CI. Consider renaming the workflow/file (or adjusting the content) so it reflects its purpose and doesn't look like the primary CI pipeline.

Suggested change
name: CI
name: Upterm debug session (ngrok)

on: [push]

Copilot AI Apr 1, 2026


This workflow is triggered on every push, but it sets up an interactive upterm session. That effectively creates a remote shell on every push and can be used to exfiltrate data; it should be restricted (e.g., workflow_dispatch only, and ideally limited to specific branches/actors).

Suggested change
on: [push]
on:
workflow_dispatch:

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2

Copilot AI Apr 1, 2026


actions/checkout@v2 is outdated and has known issues compared to newer major versions. Update to the current supported actions/checkout@v4 unless there is a compatibility constraint.

Suggested change
- uses: actions/checkout@v2
- uses: actions/checkout@v4


- name: Setup upterm session
uses: lhotari/action-upterm@v1
env:
KBASE_CI_TOKEN: ${{ secrets.KBASE_CI_TOKEN }}
KBASE_CI_TOKEN2: ${{ secrets.KBASE_CI_TOKEN2 }}
KBASE_TEST_TOKEN: ${{ secrets.KBASE_TEST_TOKEN }}
KBASE_TEST_TOKEN2: ${{ secrets.KBASE_TEST_TOKEN2 }}
KBASE_BOT_TOKEN_CI: ${{ secrets.KBASE_BOT_TOKEN_CI }}
KBASE_BOT_USER_CI: ${{ secrets.KBASE_BOT_USER_CI }}
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
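Review bot: The build job in this hunk declares no permissions: block, so the interactive upterm session receives the workflow's default GITHUB_TOKEN scope on top of the seven secrets mapped under env:; add permissions: {} (or the narrowest set the session actually needs) and pin lhotari/action-upterm@v1 to a full commit SHA, since a third-party action that is handed repository secrets should not be resolved through a mutable tag.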

Copilot AI Apr 1, 2026


The steps: list is not indented correctly. The - uses: actions/checkout@v2 item (and following steps) must be nested under steps: (e.g., additional indentation) or the workflow YAML will be invalid and fail to load.

Suggested change
- uses: actions/checkout@v2
- name: Setup upterm session
uses: lhotari/action-upterm@v1
env:
KBASE_CI_TOKEN: ${{ secrets.KBASE_CI_TOKEN }}
KBASE_CI_TOKEN2: ${{ secrets.KBASE_CI_TOKEN2 }}
KBASE_TEST_TOKEN: ${{ secrets.KBASE_TEST_TOKEN }}
KBASE_TEST_TOKEN2: ${{ secrets.KBASE_TEST_TOKEN2 }}
KBASE_BOT_TOKEN_CI: ${{ secrets.KBASE_BOT_TOKEN_CI }}
KBASE_BOT_USER_CI: ${{ secrets.KBASE_BOT_USER_CI }}
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
- uses: actions/checkout@v2
- name: Setup upterm session
uses: lhotari/action-upterm@v1
env:
KBASE_CI_TOKEN: ${{ secrets.KBASE_CI_TOKEN }}
KBASE_CI_TOKEN2: ${{ secrets.KBASE_CI_TOKEN2 }}
KBASE_TEST_TOKEN: ${{ secrets.KBASE_TEST_TOKEN }}
KBASE_TEST_TOKEN2: ${{ secrets.KBASE_TEST_TOKEN2 }}
KBASE_BOT_TOKEN_CI: ${{ secrets.KBASE_BOT_TOKEN_CI }}
KBASE_BOT_USER_CI: ${{ secrets.KBASE_BOT_USER_CI }}
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}


Copilot AI Apr 1, 2026


Multiple long-lived secrets are exported into the environment of an interactive session. This materially increases the risk of secret exposure; avoid injecting these secrets into the upterm session (or switch to short-lived credentials / only provide the minimum required secret(s)).

Suggested change
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}

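Taking the trigger comment and the secrets comment on this file together, here is an added audit script (not code from this PR or the kbase project) that flags the three properties those comments describe in a workflow file: an interactive-session action reachable from an automatic trigger, secrets exported into such a step, and actions pinned to mutable tags instead of a commit SHA. The embedded sample workflow is a constructed, shortened copy of the ngrok.yaml above, and the list of interactive-session actions is an assumption to extend for your own organisation.

```python
import re

# Constructed sample: the workflow this PR adds as .github/workflows/ngrok.yaml (secret list shortened).
NGROK_YAML = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: lhotari/action-upterm@v1
        env:
          KBASE_CI_TOKEN: ${{ secrets.KBASE_CI_TOKEN }}
          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
"""
# Actions that open an interactive shell on the runner (assumed list; extend for your org).
INTERACTIVE_ACTIONS = ("lhotari/action-upterm", "owenthereal/action-upterm", "mxschmitt/action-tmate")
AUTO_EVENTS = {"push", "pull_request", "pull_request_target"}  # fire without a human pressing "run"
SHA_RE = re.compile(r"@[0-9a-f]{40}$")  # a full commit SHA is the only immutable pin


def triggers(text):
    """Return the event names under `on:` (scalar, flow list, or block mapping)."""
    m = re.search(r"^on:[ \t]*(.*)\n((?:[ \t]+.*\n)*)", text, re.M)
    if not m:
        return set()
    if m.group(1).strip():  # `on: push` or `on: [push, pull_request]`
        return {t.strip() for t in m.group(1).strip(" []").split(",") if t.strip()}
    block = m.group(2).splitlines()  # block mapping: its direct children are the events
    depth = min((len(l) - len(l.lstrip()) for l in block if l.strip()), default=0)
    return {k for l in block for k in re.findall(r"^(\w+):", l[depth:])}


def audit_workflow(text):
    """Return human-readable findings for one workflow file (empty list means clean)."""
    findings = []
    auto = triggers(text) & AUTO_EVENTS
    shells = [l.strip() for l in text.splitlines() if any(a in l for a in INTERACTIVE_ACTIONS)]
    secrets = re.findall(r"\$\{\{\s*secrets\.(\w+)\s*\}\}", text)
    if shells and auto:
        findings.append(f"interactive shell auto-triggered by {sorted(auto)}: {shells[0]}")
    if shells and secrets:
        findings.append(f"{len(secrets)} secret(s) exported into the session: {', '.join(secrets)}")
    for ref in re.findall(r"uses:\s*(\S+)", text):
        if "@" in ref and not SHA_RE.search(ref):
            findings.append(f"action pinned by mutable ref, not a commit SHA: {ref}")
    return findings
```

Run audit_workflow over every file under .github/workflows/ in a required CI check so a workflow like this one fails the build before it can merge.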
8 changes: 4 additions & 4 deletions .github/workflows/pr_build.yml
@@ -37,7 +37,7 @@ jobs:
name: '${{ github.event.repository.name }}'
tags: pr-${{ github.event.number }},latest-rc
secrets: inherit
trivy-scans:
if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master' ) && github.event.pull_request.merged == false
uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
secrets: inherit
# trivy-scans:
# if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master' ) && github.event.pull_request.merged == false
# uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
# secrets: inherit
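Review bot: With trivy-scans commented out, the image the preceding build job tags as pr-${{ github.event.number }} and latest-rc is published without any vulnerability scan, and the commented block carries no reason or tracking reference for the change; if the scan has to be disabled, keep the job in the workflow and record in a comment why it is off and what restores it, or gate it behind an explicit input, rather than removing it from the pipeline.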

Copilot AI Apr 1, 2026


Trivy scanning job has been fully commented out, which removes vulnerability scanning from PR builds. If this is intended to be temporary, consider gating it behind an explicit opt-out input/label or fixing the underlying failure so the scans still run for eligible PRs.

Suggested change
# trivy-scans:
# if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master' ) && github.event.pull_request.merged == false
# uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
# secrets: inherit
trivy-scans:
if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master') && github.event.pull_request.merged == false && !contains(join(github.event.pull_request.labels.*.name, ','), 'skip-trivy-scan')
uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
secrets: inherit
