NV-4418 Fix and harden the GitLab and GitHub demo scripts#3
Merged
Make gitlab-demo.sh run clean on first try and safe to re-run.
- Fix the showstopper token line: it read a nonexistent 'token' file and
aborted under set -e before anything was created. Pass the captured
$TOKEN as the value argument and drop the '< token' redirect, and guard
against an empty/whitespace token before setting the masked CI variable.
- Create the repo in the correct namespace ("$GROUP/$REPO").
- Quote all expansions; add set -u -o pipefail.
- Idempotency: skip the clone if present; guard repo/app/target creation
and the masked CI variable so a second run reuses existing resources
with a logged warning instead of erroring out; reconcile the gitlab
remote to the current "$GROUP/$REPO" so a re-run with different
arguments does not push to the previous run's project.
- Pass '--type API' to target create, matching the casing the NightVision
docs use.
- Hygiene: print a notice and document a revert command for the
/etc/hosts edit; label the echoed credentials as the javaspringvulny
demo defaults; use literal placeholders in the cleanup notes, since
script-internal variables do not expand in a fresh shell.
Phase 1 GitLab consolidation is tracked in NV-4412.
Port the gitlab-demo.sh fixes to github-actions-demo.sh for consistency,
and fix its own showstopper: the clone URL was built from 'git config
user.name', a display name that is not a valid GitHub owner for most
users. Derive the owner from the authenticated gh session instead.
- Authenticate to GitHub and NightVision before any other step.
- Capture the token in a variable instead of writing it to a 'token'
file on disk; strip whitespace and abort on an empty result.
- Pin 'gh secret set' to the fork with an explicit --repo instead of
inferring the repository from the checkout's git remote.
- Quote all expansions; add set -u -o pipefail.
- Idempotency: reuse an existing clone only after confirming its origin
points at the expected fork; guard app/target creation so a re-run
reuses existing resources ('gh secret set' already upserts).
- Hygiene: label the echoed credentials as the javaspringvulny demo
defaults; add cleanup notes with literal placeholders.
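The empty-token guard and the "reuse with a warning" idempotency both commit messages describe, as an added example that is not code from the repository's demo scripts. The NightVision, glab and gh CLI calls are replaced by constructed in-memory stand-in functions (`demo_target_exists`, `demo_target_create`) so the example runs offline; the helper names are assumptions, not the scripts' own.

```bash
#!/usr/bin/env bash
# Added example of the token guard and idempotent-create pattern described in
# the gitlab-demo.sh and github-actions-demo.sh commit messages; not code from
# the repository's demo scripts. CLI calls are replaced by constructed stand-ins.
set -euo pipefail

# Trim leading and trailing whitespace (including a trailing newline) from a
# captured token and refuse an empty result, so a blank value never becomes a
# masked CI variable or an Actions secret. Parameter expansion only, so it
# stays bash 3.2 compatible.
normalize_token() {
    local raw="$1" trimmed
    trimmed="${raw#"${raw%%[![:space:]]*}"}"          # strip leading whitespace
    trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"  # strip trailing whitespace
    if [ -z "$trimmed" ]; then
        echo "error: captured token is empty; refusing to continue" >&2
        return 1
    fi
    printf '%s' "$trimmed"
}

# ensure_created NAME EXISTS_CMD CREATE_CMD: create NAME only when EXISTS_CMD
# does not find it; otherwise log a warning and reuse it, so a second run of
# the script does not abort on "already exists".
ensure_created() {
    local name="$1" exists_cmd="$2" create_cmd="$3"
    if "$exists_cmd" "$name" >/dev/null 2>&1; then
        echo "warning: $name already exists, reusing it" >&2
        return 0
    fi
    "$create_cmd" "$name"
}

# Constructed in-memory stand-ins for a CLI's "list" and "create" commands
# (hypothetical; a real script would call the tool itself).
DEMO_TARGETS=""
CREATE_CALLS=0
demo_target_exists() {
    case " $DEMO_TARGETS " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}
demo_target_create() {
    DEMO_TARGETS="$DEMO_TARGETS $1"
    CREATE_CALLS=$((CREATE_CALLS + 1))
    echo "created target $1"
}

main() {
    local token
    # Constructed stand-in for "$(nightvision token create)" output, which may
    # carry leading or trailing whitespace.
    token="$(normalize_token "$(printf '  nv-demo-token-placeholder\n')")"
    # Never echo the secret itself; its length is enough to confirm capture.
    echo "captured token of length ${#token}"
    ensure_created javaspringvulny demo_target_exists demo_target_create
    # Second run: the guard warns and reuses instead of failing.
    ensure_created javaspringvulny demo_target_exists demo_target_create
    echo "create calls: $CREATE_CALLS"
}

main
```

Because `ensure_created` is called directly rather than inside `$(...)`, the stand-in's bookkeeping survives across calls; the same shape works for `glab variable set` and `gh secret set` guards, where the "exists" probe is the tool's own list or get command.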
Add a static lint gate for the repo's shell scripts so the hardening on the demo scripts is enforced going forward instead of relying on manual checks.
- tests/run.sh is the single entrypoint: it runs bash -n and shellcheck over every git-tracked *.sh file. Both local dev and CI call this exact script, so the two can never check different things or drift apart.
- The script enumerates targets via git ls-files so untracked / vendored files are never linted, and treats a missing shellcheck as a hard error rather than silently downgrading to a weaker check than CI.
- .github/workflows/lint.yml runs tests/run.sh on pushes to main and on all pull requests, with a read-only permissions default and a SHA-pinned actions/checkout.
- .github/dependabot.yml keeps that SHA pin refreshed as reviewable PRs, with a 7-day cooldown so freshly published versions are not pinned immediately. This matches the GitHub Actions security posture used in the demo target repo.
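A lint gate of the shape this commit message describes, as an added illustration rather than the repository's own tests/run.sh: git-tracked *.sh files only, bash -n plus shellcheck on each, and a missing tool treated as a hard error. It assumes bash 3.2 or newer, git and shellcheck on PATH; the function names are this example's own.

```bash
#!/usr/bin/env bash
# tests/run.sh: static lint gate over every git-tracked shell script.
# Added illustration of the gate the commit message describes; it is not the
# repository's own tests/run.sh. Assumes bash (3.2+), git and shellcheck.
set -euo pipefail

# A missing tool is a hard error: silently skipping shellcheck would let a local
# run accept code that CI rejects, which is exactly the drift the gate prevents.
require_tool() {
    if ! command -v "$1" >/dev/null 2>&1; then
        printf 'error: required tool not found: %s\n' "$1" >&2
        return 1
    fi
    return 0
}

# Parse-only check; bash -n never executes the file.
syntax_check_file() {
    bash -n "$1"
}

# Both checks on one file; nonzero on the first failure.
lint_file() {
    syntax_check_file "$1" && shellcheck "$1"
}

# Only git-tracked *.sh files are candidates, NUL-delimited so unusual names
# survive; untracked and vendored files are never linted.
list_tracked_shell_files() {
    git ls-files -z -- '*.sh'
}

main() {
    require_tool git
    require_tool shellcheck
    local file list count=0 failed=0
    # A temp file instead of a pipe keeps the counters in this shell.
    list="$(mktemp)"
    list_tracked_shell_files > "$list"
    while IFS= read -r -d '' file; do
        count=$((count + 1))
        printf 'lint: %s\n' "$file"
        lint_file "$file" || failed=$((failed + 1))
    done < "$list"
    rm -f "$list"
    printf '%d file(s) checked, %d failed\n' "$count" "$failed"
    [ "$failed" -eq 0 ]
}

# Run the gate only when this file is invoked as tests/run.sh; under any other
# name (for example when copied into a harness) only the functions are loaded.
case "$0" in
    */tests/run.sh|tests/run.sh) main ;;
esac
```

Invoked as `tests/run.sh` from the repository root, the exit status is nonzero if any file fails either check, which is what lets the same script serve as both the local pre-push check and the CI job.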
The repo had no .gitignore, leaving Python bytecode and local-only trees exposed to accidental commits.
- Ignore __pycache__ / *.pyc from the sarif/ converters.
- Ignore the java-github-actions-demo checkout the demo scripts clone into, along with the scan artifacts written inside it.
- Ignore the local .agent-sandbox-config tree and the analysis/ work-product directory, neither of which is part of the published reference material.
Makes both demo scripts run clean on the first try and safe to re-run, then adds a shell lint gate so that hardening cannot silently regress. Each script had a first-run showstopper:
`demo-scripts/gitlab-demo.sh` read its token from a nonexistent `token` file and aborted under `set -e`, and `demo-scripts/github-actions-demo.sh` built its clone URL from the git display name rather than the GitHub login.

Implementation
- `$TOKEN` as the `glab variable set` value instead of `< token` from a missing file.
- `glab repo create` targets `$GROUP/$REPO` instead of the bare repo name.
- `glab variable set || glab variable update` rotates masked `NIGHTVISION_TOKEN` per run, aborting if both fail.
- `nightvision token create` output and abort if the result is empty.
- `gitlab` remote to the current `$GROUP/$REPO` instead of pushing to a previous run's project.
- `set -e` to `set -euo pipefail`.
- `/etc/hosts` edit; credentials labeled as demo defaults.
- `github-actions-demo.sh`: same strict mode, quoting, auth-first ordering, empty-token guard, and idempotent creates.
- `gh` login; `git config user.name` is a display name, not a repo owner.
- `gh secret set` from a variable instead of a temporary `token` file.
- `$OWNER/java-github-actions-demo`, and the Actions secret is pinned to that repo explicitly rather than inferred from the remote.
- `tests/run.sh` runs `bash -n` and `shellcheck` over every tracked `*.sh`; local and CI invoke the same entrypoint so they cannot drift, and it stays bash 3.2 compatible for macOS.
- `lint.yml` runs with a `contents: read` default and a SHA-pinned `actions/checkout`; `dependabot.yml` refreshes that pin on a 7-day cooldown.
- `.gitignore`: ignore `__pycache__`, the demo clone and its scan artifacts, and the local `.agent-sandbox-config` and `analysis` trees.

Out-of-scope
Phase 1 GitLab demo consolidation is tracked in NV-4412.