From e76811875887a8600ed226e1c63e9f6fd234474f Mon Sep 17 00:00:00 2001
From: Roger Zhang
Date: Fri, 27 Mar 2026 12:30:25 -0700
Subject: [PATCH 1/3] replace 3rd party action
---
 .github/workflows/check-binaries.yml | 35 ++++++++++++++--------------
 .github/workflows/release.yml | 16 ++++++-------
 2 files changed, 25 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/check-binaries.yml b/.github/workflows/check-binaries.yml
index fd12637c..2377cf32 100644
--- a/.github/workflows/check-binaries.yml
+++ b/.github/workflows/check-binaries.yml
@@ -23,11 +23,11 @@ jobs:
 with: ref: main - name: Download latest release - uses: robinraju/release-downloader@v1.10 - with: - latest: true - fileName: 'aws-lambda-rie*' - out-file-path: "bin" + run: | + mkdir -p bin + gh release download --pattern 'aws-lambda-rie*' --dir bin + env: + GH_TOKEN: ${{ github.token }} - name: Run check for vulnerabilities id: check-binaries run: |
@@ -70,16 +70,15 @@ jobs:
 - if: always() && steps.save-output.outputs.report_contents name: Create GitHub Issue indicating vulnerabilities id: create-issue - uses: dacbd/create-issue-action@main - with: - token: ${{ github.token }} - title: | - CVEs found in latest RIE release - body: | - ### CVEs found in latest RIE release - ``` - ${{ steps.save-output.outputs.report_contents }} - ``` - - #### Are these resolved by building with the latest patch version of Go (${{ steps.check-new-version.outputs.latest_version }})?: - > **${{ steps.save-new-version.outputs.fixed }}** + run: | + gh issue create \ + --title "CVEs found in latest RIE release" \ + --body "### CVEs found in latest RIE release + \`\`\` + ${{ steps.save-output.outputs.report_contents }} + \`\`\` + + #### Are these resolved by building with the latest patch version of Go (${{ steps.check-new-version.outputs.latest_version }})?: + > **${{ steps.save-new-version.outputs.fixed }}**" + env: + GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bb3c5146..533864d1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,12 +33,12 @@ jobs:
 make tests-with-docker make integ-tests - name: Release - uses: softprops/action-gh-release@v2 - with: - name: Release ${{ github.event.inputs.releaseVersion }} - tag_name: v${{ github.event.inputs.releaseVersion }} - body: ${{ github.event.inputs.releaseBody }} - files: | - bin/aws-lambda-rie - bin/aws-lambda-rie-arm64 + run: | + gh release create "v${{ github.event.inputs.releaseVersion }}" \ + --title "Release ${{ github.event.inputs.releaseVersion }}" \ + --notes "${{ github.event.inputs.releaseBody }}" \ + bin/aws-lambda-rie \ + bin/aws-lambda-rie-arm64 \ bin/aws-lambda-rie-x86_64 + env: + GH_TOKEN: ${{ github.token }}
From 6e8727e0ec34442be24688d55223b6adc06a2ec8 Mon Sep 17 00:00:00 2001
From: Roger Zhang
Date: Fri, 27 Mar 2026 12:37:45 -0700
Subject: [PATCH 2/3] remove unnecessary env
---
 .github/workflows/integ-tests.yml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/.github/workflows/integ-tests.yml b/.github/workflows/integ-tests.yml
index 46c487c1..ae35c712 100644
--- a/.github/workflows/integ-tests.yml
+++ b/.github/workflows/integ-tests.yml
@@ -12,16 +12,12 @@ permissions:
 jobs: go-tests: runs-on: ubuntu-latest - environment: - name: integ-tests steps: - uses: actions/checkout@v4 - name: run go tests run: make tests-with-docker integ-tests-x86: runs-on: ubuntu-latest - environment: - name: integ-tests steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: python-version: '3.11' - name: run integration tests
@@ -31,8 +27,6 @@ jobs:
 run: make integ-tests-with-docker-x86-64 integ-tests-arm64: runs-on: ubuntu-latest - environment: - name: integ-tests steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5
@@ -42,8 +36,6 @@ jobs:
 run: make integ-tests-with-docker-arm64 integ-tests-old: runs-on: ubuntu-latest - environment: - name: integ-tests steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5
From 377f3119a3fb859a634d9cc0975c6ed6181df933 Mon Sep 17 00:00:00 2001
From: Roger Zhang
Date: Fri, 27 Mar 2026 12:45:28 -0700
Subject: [PATCH 3/3] bump action version, feedback
---
 .github/dependabot.yml | 6 ++++++
 .github/workflows/check-binaries.yml | 17 +++++++++++------
 .github/workflows/integ-tests.yml | 14 +++++++-------
 .github/workflows/release.yml | 12 +++++++-----
 4 files changed, 31 insertions(+), 18 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..5ace4600
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/check-binaries.yml b/.github/workflows/check-binaries.yml
index 2377cf32..66fa2ba3 100644
--- a/.github/workflows/check-binaries.yml
+++ b/.github/workflows/check-binaries.yml
@@ -15,11 +15,11 @@ jobs:
 report_contents: ${{ steps.save-output.outputs.report_contents }} steps: - name: Setup python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: '3.11' - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: main - name: Download latest release
@@ -61,12 +61,14 @@ jobs:
 name: Save outputs for the check with the latest build id: save-new-version run: | - if [ "${{ steps.check-new-version.outcome }}" == "failure" ]; then + if [ "${CHECK_OUTCOME}" == "failure" ]; then fixed="No" else fixed="Yes" fi echo "fixed=$fixed" >> "$GITHUB_OUTPUT" + env: + CHECK_OUTCOME: ${{ steps.check-new-version.outcome }} - if: always() && steps.save-output.outputs.report_contents name: Create GitHub Issue indicating vulnerabilities id: create-issue
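Review bot: The `uses:` references this series bumps (`actions/checkout@v6` and `actions/setup-python@v6` in check-binaries.yml, integ-tests.yml and release.yml) still resolve through mutable major tags, so the workflows run whatever the action owner later publishes under that tag; with the github-actions dependabot config added in this hunk, pinning to a full commit SHA becomes maintainable, e.g. `uses: actions/checkout@<full-commit-sha>  # v6.x.y` (placeholder — take the SHA of the release you verified). Dependabot updates SHA pins and keeps the trailing version comment current on the weekly schedule configured here, so the pins do not go stale. This does not cover the `gh` CLI introduced in PATCH 1/3, which comes from the runner image rather than a `uses:` line.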
@@ -75,10 +77,13 @@ jobs:
 --title "CVEs found in latest RIE release" \ --body "### CVEs found in latest RIE release \`\`\` - ${{ steps.save-output.outputs.report_contents }} + ${REPORT_CONTENTS} \`\`\` - #### Are these resolved by building with the latest patch version of Go (${{ steps.check-new-version.outputs.latest_version }})?: - > **${{ steps.save-new-version.outputs.fixed }}**" + #### Are these resolved by building with the latest patch version of Go (${LATEST_VERSION})?: + > **${FIXED}**" env: GH_TOKEN: ${{ github.token }} + REPORT_CONTENTS: ${{ steps.save-output.outputs.report_contents }} + LATEST_VERSION: ${{ steps.check-new-version.outputs.latest_version }} + FIXED: ${{ steps.save-new-version.outputs.fixed }}
diff --git a/.github/workflows/integ-tests.yml b/.github/workflows/integ-tests.yml
index ae35c712..d67f9406 100644
--- a/.github/workflows/integ-tests.yml
+++ b/.github/workflows/integ-tests.yml
@@ -13,14 +13,14 @@ jobs:
 go-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: run go tests run: make tests-with-docker integ-tests-x86: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v6 + - uses: actions/setup-python@v6 with: python-version: '3.11' - name: run integration tests
@@ -28,8 +28,8 @@ jobs:
 integ-tests-arm64: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v6 + - uses: actions/setup-python@v6 with: python-version: '3.11' - name: run integration tests
@@ -37,8 +37,8 @@ jobs:
 integ-tests-old: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v6 + - uses: actions/setup-python@v6 with: python-version: '3.11' - name: run integration tests
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 533864d1..1b809a2e 100644
--- a/.github/workflows/release.yml
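Review bot: `gh issue create` under `GH_TOKEN: ${{ github.token }}` needs `issues: write` on the workflow token, and neither this hunk nor the rest of the diff shows the check-binaries.yml `permissions:` block, so please confirm it grants that scope; with a read-only default token the step only fails the first time a report is non-empty, which is exactly when the issue is needed. Moving the report, version and verdict into `env:` and expanding them inside one bash double-quoted string is the right shape — the values are expanded once and never re-parsed as shell — so the remaining risk is authorization, not injection. The same check applies to `gh release create` in release.yml, which needs `contents: write`. The enclosing `run: |` block starts before this hunk.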
+++ b/.github/workflows/release.yml
@@ -19,11 +19,11 @@ jobs:
 environment: Release runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: ref: main - name: Set up python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: '3.11' - name: Build
@@ -34,11 +34,13 @@ jobs:
 make integ-tests - name: Release run: | - gh release create "v${{ github.event.inputs.releaseVersion }}" \ - --title "Release ${{ github.event.inputs.releaseVersion }}" \ - --notes "${{ github.event.inputs.releaseBody }}" \ + gh release create "v${RELEASE_VERSION}" \ + --title "Release ${RELEASE_VERSION}" \ + --notes "${RELEASE_BODY}" \ bin/aws-lambda-rie \ bin/aws-lambda-rie-arm64 \ bin/aws-lambda-rie-x86_64 env: GH_TOKEN: ${{ github.token }} + RELEASE_VERSION: ${{ github.event.inputs.releaseVersion }} + RELEASE_BODY: ${{ github.event.inputs.releaseBody }}
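Review bot: `RELEASE_VERSION` is still used unchecked on the new side: it comes from a workflow input (`github.event.inputs.releaseVersion`) and becomes both the tag name (`v${RELEASE_VERSION}`) and the release title, so an empty value creates a tag literally named `v`, and a value with spaces or other unexpected characters either fails late inside `gh` or publishes a misnamed tag. A guard as the first line of the run block, `[[ "${RELEASE_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "releaseVersion must look like X.Y.Z" >&2; exit 1; }`, fails the job before anything is uploaded; widen the pattern if the project's tags carry pre-release suffixes. Moving the inputs into `env:` already closes the expression-injection path, so this is about input shape only. The `run: |` block starts before this hunk.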