* Remove CodeQL Scanning for release branches
In RFD 114 (PR #32233) we setup mirroring for the Teleport release branches to the `teleport-sec-scan` repos. There are several advantages to moving the CodeQL scanning to these repos:
* It removes the manual process described in `preflight` to update the codeql scanning branch
* It solves the issue of alerts being repeatedly opened and closed as they are found on release branches and only fixed in master, for example: https://github.com/gravitational/teleport/security/code-scanning/560
As such CodeQL has already been configured on these repos and the initial findings triaged: https://github.com/gravitational/teleport-sec-scan-1/blob/master/.github/workflows/codeql-mirror.yml
* codeql: Comment relaese branch scanning
tibdex is some random developer. We prefer 2nd party actions from
GitHub, as we have a contractual relationship with them.
As part of this change, I'm also comfortable dropping the SHA pinning --
since the `actions` org can be held to a higher level of trust for
both security and backwards compatibility concerns.
This commit updates all the Docker images from ghcr.io/gravitational/teleport-buildbox:teleport14 to ghcr.io/gravitational/teleport-buildbox:teleport15 in multiple workflow files.
The Vercel preview workflow currently inserts the head branch of a pull
request into the edge version of the Teleport docs. This makes it
difficult to post a link to the correct version, since we need to
include the version number in the path.
This change edits the Vercel preview workflow to include only one
version of the docs--the user's version--in the preview site. This makes
it easier to find the user's changes.
Remove bypass workflows for integration tests (root) and kube
integration tests (non-root) in favor of the paths-filter approach,
since path filtering is not supported with the merge queue.
* Revise Docker handling in OS compatibility script
This commit revises how Docker containers are interacted with in build-test-compat.sh. Optimized Docker image pulling process by pulling images in parallel to speed up the testing process. Makefile targets in Github workflow are also parallelized to speed up the build process.
* Simplify and parallel docker logic
* An attempt to fix our failing builds
* Add merge_group condition to checkout step in workflows
This update adds a condition to the checkout step in various GitHub workflows to ensure it only runs when the event_name is "merge_group".
* Fix syntax
* Use v4 tag for checkout action instead of pinned commit
Co-authored-by: Reed Loden <reed@goteleport.com>
---------
Co-authored-by: Reed Loden <reed@goteleport.com>
Currently, the Vercel preview workflow uses the default `vercel deploy`
behavior, which uploads every source file to Vercel. The result is often
rate limiting by the Vercel API, which prevents some preview workflows
from running.
This change adds the `--archive=tgz` flag to the `vercel deploy` command
to upload a single tarball instead, as recommended by Vercel support.
The flag is undocumented, but you can consult the PR that added it to
the `vercel` CLI (vercel/vercel#8356) for context.
This PR updates the name of the step that checks that there's no changes to `go.mod` and `go.sum` after a `go mod tidy` to make it more obvious what the issue is.
This suppresses some noisy warnings, and provides useful debug
information (such as the assumedRoleId) baked into the command.
AWS Account IDs are no longer masked by default.
* Remove bypass workflow for integration tests
It turns out, the 'paths' filter is not supported with the merge
queue. As a result, we're running a lot more actions in the merge
queue than we thought we were. For example, integration tests are
running even if the PR(s) in the queue only contain docs changes.
Instead of relying on GitHub to do the filtering (which isn't supported)
and using the "multiple workflows with the same name" hack, we use a
third party action to detect what files were changed and determine
whether subsequent jobs should run.
* Remove doc-tests bypass
This will allow us to test both cases
* Address review comments
This is currently failing due to `yarn` not being on the build image. I am disabling the UI part of the build until we can develop a long term solution.
* return an error when attempting to join a session of an OpenSSH node
* remove item from test plan and note to docs
* add test coverage to integration test
* fix integration test
* fixed linter issue
* Test vercel-deploy workflow
* Specify the Vercel environment
Co-authored-by: Ada <70969399+adaadb6@users.noreply.github.com>
* Tweak the Vercel workflow
- Include a more user-friendly URL in the preview message that points to
the version of the docs site that shows the user's changes.
- Add write permissions for PRs to the Vercel worfklow.
* Respond to zmb3 feedback
---------
Co-authored-by: dumez-k <kenneth.dumez@goteleport.com>
Co-authored-by: Kenneth DuMez <41009873+dumez-k@users.noreply.github.com>
Co-authored-by: Ada <70969399+adaadb6@users.noreply.github.com>
* Add new `make test-env` to CI
This is a new test which exports an environment variable, and then validates that none of the build binaries contain the unexpected variable.
This is designed to help make sure that secrets don't unexpectedly leak from any of our build environments.
* Remove environment leak workflow and instead combine with the `bloat` workflow
* bloat: Fix for environment test being on the current commit instead of last commit
* Apply suggestions from code review
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Update .github/workflows/bloat.yaml
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* test-env target updates
* env-test: replace spaces with tabs for bash commands
* bloat workflow: Fail job on first failure
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
This change edits the documentation test plan to clarify some points of
friction:
- Includes a sample command for adding a new submodule to the docs site
so the person updating the docs site config doesn't need to figure
this out.
- Notes the source of features in the upcoming major version so we can
test the docs for those features.
Teleport can connect to Nodes using their OpenSSH daemons.
To do so, OpenSSH must be configured to trust Teleport's CA.
Previously (<=v13), all ssh servers could be dialed into from Teleport.
The connection would be accepted if the ssh server trusted the Teleport
CA.
V14+ doesn't allow this and all nodes must be registered in Teleport.
If they are not, then Teleport won't connect to them.
* Point passwordless to the tsh download
* Point device trust to the enterprise download
* Verify Windows device enrollments
* Verify `tsh device` support commands
* Trim whitespace
* Separate support commands per platform
