Skip to content

[CLIENT-3467] CI/CD: Publish artifacts to JFrog using release bundles#826

Draft
juliannguyen4 wants to merge 76 commits intodevfrom
CLIENT-3467-cicd-use-jfrog-release-bundles
Draft

[CLIENT-3467] CI/CD: Publish artifacts to JFrog using release bundles#826
juliannguyen4 wants to merge 76 commits intodevfrom
CLIENT-3467-cicd-use-jfrog-release-bundles

Conversation

@juliannguyen4
Copy link
Collaborator

@juliannguyen4 juliannguyen4 commented Aug 28, 2025
edited
Loading

TODO

  • DEV stage
  • How to download artifacts at specific commits in dev
  • TEST stage
  • Artifacts should not be overwritten in JFrog...
  • Cleanup: delete all tags created by testing these changes
  • [ ]

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 28, 2025
View reviewed changes
@codecov-commenter
Copy link

codecov-commenter commented Aug 29, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.53%. Comparing base (30a8114) to head (8f06652).
⚠️ Report is 7 commits behind head on dev.

Additional details and impacted files 
@@           Coverage Diff           @@
##              dev     #826   +/-   ##
=======================================
  Coverage   83.53%   83.53%           
=======================================
  Files          99       99           
  Lines       14392    14392           
=======================================
  Hits        12022    12022           
  Misses       2370     2370

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 29, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 29, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 29, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 9, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 10, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 12, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 6, 2026
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 6, 2026
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 25, 2026
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 26, 2026
View reviewed changes
.github/workflows/promote-release-bundle.yml
Comment on lines +22 to +34
runs-on: ubuntu-24.04
env:
JF_PROJECT: ${{ inputs.jfrog-project }}
steps:
- name: Setup JFrog CLI
uses: jfrog/setup-jfrog-cli@5b06f730cc5a6f55d78b30753f8583454b08c0aa # v4.8.1
env:
JF_URL: https://artifact.aerospike.io
with:
oidc-provider-name: ${{ vars.OIDC_PROVIDER_NAME }}
oidc-audience: ${{ vars.OIDC_AUDIENCE }}

- run: jf rbp --signing-key=aerospike --include-repos ${{ inputs.jfrog-repo-name }} ${{ inputs.release-bundle-name }} ${{ inputs.release-bundle-version }} ${{ inputs.new-environment }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 14 hours ago

To fix the problem, explicitly declare a permissions: block that grants only the minimal required GITHUB_TOKEN permissions. Since this workflow promotes a JFrog release bundle via OIDC and does not interact with GitHub issues, PRs, or repository contents, the safest assumption is that it needs only read access to repository contents (if anything). A common minimal baseline is contents: read, which is equivalent to the read-only default for repository contents and avoids unnecessary write scopes.

The single best fix with no functional change is to add a permissions block at the job level for promote-release-bundle-to-dev. This makes the job self-contained and documents its needs without affecting other jobs that might be added later. Insert:

permissions:
  contents: read

under runs-on: ubuntu-24.04 (same indentation as runs-on). No imports or additional methods are needed; this is purely a YAML configuration change in .github/workflows/promote-release-bundle.yml.

Suggested changeset 1
.github/workflows/promote-release-bundle.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/promote-release-bundle.yml b/.github/workflows/promote-release-bundle.yml
--- a/.github/workflows/promote-release-bundle.yml
+++ b/.github/workflows/promote-release-bundle.yml
@@ -20,6 +20,8 @@
 jobs:
   promote-release-bundle-to-dev:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     env:
       JF_PROJECT: ${{ inputs.jfrog-project }}
     steps:
EOF
@@ -20,6 +20,8 @@
jobs:
promote-release-bundle-to-dev:
runs-on: ubuntu-24.04
permissions:
contents: read
env:
JF_PROJECT: ${{ inputs.jfrog-project }}
steps:
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@juliannguyen4 @codecov-commenter