feat(actions): add slack-notify, install-yq, install-kustomize#5
Merged
Conversation
All composite. Intended to back the new infra deploy workflow in jitsucom/jitsu-cloud-infra. slack-notify is moved here from the in-tree copy in jitsucom/jitsu (existing callers keep their local copy until a later cleanup).
![jitsu-code-review[bot]](https://avatars.githubusercontent.com/in/3391383?s=60&v=4){kind=small}
There was a problem hiding this comment.
Thanks for adding these reusable composite actions. I found two actionable security/correctness issues that should be addressed before merge: both install-yq and slack-notify download an executable from releases/latest without integrity verification, which makes runs non-deterministic and allows execution of an unverified binary.
Address review feedback on PR #5. install-yq now defaults to a pinned v4.53.2 with sha256 input (mirrors install-kustomize). slack-notify inlines the same pin+verify install instead of downloading from releases/latest without integrity checks.
- slack_webhook_url: optional, falls back to SLACK_WEBHOOK_URL env var (caller sets it from secrets.CI_SLACK_WEBHOOK at job level) - color: defaults to 'good' (green) - blocks: optional; when omitted, sends header alone (skips yq install) Composite actions can't read org secrets directly, so the env-var fallback is the standard pattern for reducing per-step boilerplate.
The composite action now prefers SLACK_WEBHOOK_URL env (typically set from secrets.CI_SLACK_WEBHOOK at job level) over the slack_webhook_url input; the input is a fallback for ad-hoc testing. Adds .github/workflows/slack-notify.yml as a thin reusable-workflow wrapper that pulls the secret and forwards to the composite. Useful for callers that prefer 'secrets: inherit' and for triggering the action via workflow_dispatch from the GitHub UI.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three new composite actions intended to back the new infra deploy workflow in jitsucom/jitsu-cloud-infra#7 and any future deploy-style workflows.
.github/actions/slack-notify/— moved here fromjitsucom/jitsu/.github/actions/slack-notify/. The version injitsucom/jitsustays in place for now; its callers will be migrated in a separate cleanup..github/actions/install-yq/— installs theyqCLI to/usr/local/bin. Defaults to latest; accepts an optional pinned version..github/actions/install-kustomize/— installs the kustomize CLI with a pinned version + sha256 verification. Defaults to 5.8.1.README updated with usage examples.
Notion task: https://www.notion.so/35d737892e4781699578c92305d772b8
Test plan
jitsucom/github-workflows/.github/actions/slack-notify@mainfrom the infra deploy workflow PR (jitsu-cloud-infra#7) and confirm Slack messages land as before.install-yqandinstall-kustomize.Out of scope
jitsucom/jitsu's existing slack-notify callers to this shared copy.