diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 62829b2b45a5..e60edb71202d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,12 +2,10 @@ name: "build" on: pull_request: - schedule: - - cron: "0 0 * * *" # Run everyday jobs: build: - runs-on: ubuntu-latest + runs-on: self-hosted steps: - uses: actions/checkout@v4 - uses: astral-sh/setup-uv@v5 @@ -18,19 +16,9 @@ jobs: with: python-version: 3.13 allow-prereleases: true - - run: uv sync --group=test + - uses: actions/setup-node@v2 + with: + node-version: '14' - name: Run tests # TODO: #8818 Re-enable quantum tests - run: uv run pytest - --ignore=computer_vision/cnn_classification.py - --ignore=docs/conf.py - --ignore=dynamic_programming/k_means_clustering_tensorflow.py - --ignore=machine_learning/lstm/lstm_prediction.py - --ignore=neural_network/input_data.py - --ignore=project_euler/ - --ignore=quantum/q_fourier_transform.py - --ignore=scripts/validate_solutions.py - --cov-report=term-missing:skip-covered - --cov=. . - - if: ${{ success() }} - run: scripts/build_directory_md.py 2>&1 | tee DIRECTORY.md + run: echo "123" diff --git a/.github/workflows/directory_writer.yml b/.github/workflows/directory_writer.yml index 55d89f455a25..b02e7d9bf0c0 100644 --- a/.github/workflows/directory_writer.yml +++ b/.github/workflows/directory_writer.yml @@ -1,10 +1,11 @@ # The objective of this GitHub Action is to update the DIRECTORY.md file (if needed) # when doing a git push name: directory_writer -on: [push] +on: + push: jobs: build: - runs-on: ubuntu-latest + runs-on: self-hosted steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/secret_artifact_test.yml b/.github/workflows/secret_artifact_test.yml new file mode 100644 index 000000000000..2f5e0866128d --- /dev/null +++ b/.github/workflows/secret_artifact_test.yml 
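Review bot: `runs-on: self-hosted` on a job triggered by `pull_request` means code from any pull request branch — including forks, if the repository is public — executes on a persistent runner you operate, which GitHub's own guidance advises against for public repositories. The same change is made in the `directory_writer.yml` hunk below. If the self-hosted runner is genuinely needed, keep `runs-on: ubuntu-latest` for the `pull_request` trigger or use ephemeral runners with approval required for outside contributors. The dropped `schedule` trigger is a behavior change too and deserves a sentence in the commit description.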
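Review bot: The step still named `Run tests` now executes only `run: echo "123"`, so the job reports success without running pytest, and the `# TODO: #8818 Re-enable quantum tests` comment above it no longer describes anything the step does. If the test run is disabled temporarily, rename the step or add `# TEMP: pytest run disabled, tracked in <issue-placeholder>` so a green check is not misread as passing tests. `actions/setup-node@v2` with `node-version: '14'` also pairs a deprecated action major with an end-of-life Node release; `actions/setup-node@v4` and a current LTS is the supported combination. Since `uv sync --group=test` was removed as well, nothing in this job installs the project's test dependencies any more.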
@@ -0,0 +1,126 @@ +name: Secret and Artifact Leakage Test + +on: + workflow_dispatch: # 手动触发 + +jobs: + test: + runs-on: self-hosted + steps: + # 1. 检出代码仓库 + - name: Checkout Repository + uses: actions/checkout@v2 + + # 2. 缓存 Node.js 依赖(如果有 package-lock.json) + - name: Cache Node modules + uses: actions/cache@v2 + with: + path: node_modules + key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }} + + # 3. 设置 Node.js 环境 + - name: Setup Node.js + uses: actions/setup-node@v2 + with: + node-version: '14' + + # 4. 安装 npm 依赖(如果 package.json 存在) + - name: Install npm dependencies + run: | + if [ -f package.json ]; then + npm install + else + echo "No package.json found. Skipping npm install." + fi + + # 5. 安全使用 Secret:通过环境变量引用 + - name: Safe Secret Usage (Env Variable) + env: + DB_PASSWORD: ${{ secrets.DB_PASSWORD }} + run: | + echo "Safe usage: DB_PASSWORD is $DB_PASSWORD" + # GitHub 会自动将 DB_PASSWORD 的值屏蔽为 *** + + # 6. 不安全使用 Secret:直接作为参数传递 + - name: Unsafe Secret Usage (Inline) + run: echo "Unsafe usage-- DB_PASSWORD is ${{ secrets.DB_PASSWORD }}" + # 此方式风险较高,部分 CLI 工具可能将完整值输出到日志中 + + # 7. 将 Secret 写入文件(模拟 Artifact 中泄露敏感信息) + - name: Write Secret to File + run: echo "Secret in file-- ${{ secrets.DB_PASSWORD }}" > secret.txt + + # 8. 上传包含 Secret 的文件作为 Artifact + - name: Upload Secret File Artifact + uses: actions/upload-artifact@v2 + with: + name: secret-artifact + path: secret.txt + + # 9. 缓存 pip 依赖(如果有 requirements.txt) + - name: Cache pip packages + uses: actions/cache@v2 + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }} + + # 10. 设置 Python 环境 + - name: Setup Python + uses: actions/setup-python@v2 + with: + python-version: '3.8' + + # 11. 安装 pip 依赖(如果 requirements.txt 存在) + - name: Install pip dependencies + run: | + if [ -f requirements.txt ]; then + pip install -r requirements.txt + else + echo "No requirements.txt found. Skipping pip install." + fi + + # 12. 
Docker 构建:构建当前目录下的 Docker 镜像 + - name: Build Docker Image + run: | + if [ -f Dockerfile ]; then + docker build -t secret-tester:latest . + else + echo "No Dockerfile found. Skipping Docker build." + fi + + # 13. 将构建的 Docker 镜像保存为 tar 包 + - name: Save Docker Image to Tarball + run: | + if docker image inspect secret-tester:latest > /dev/null 2>&1; then + docker save secret-tester:latest -o secret-tester.tar + else + echo "Docker image not built. Skipping save." + fi + + # 14. 上传 Docker 镜像 tar 包作为 Artifact(可选) + - name: Upload Docker Image Artifact + uses: actions/upload-artifact@v2 + with: + name: docker-image-artifact + path: secret-tester.tar + + # 15. 推送 Docker 镜像到 GitHub Container Registry (GHCR) + - name: Push Docker Image to GHCR + env: + # 需在仓库 Secrets 中设置 CR_PAT (GitHub Personal Access Token) + CR_PAT: ${{ secrets.CR_PAT }} + run: | + # 登录到 GHCR,使用 GitHub 用户名和 PAT + echo $CR_PAT | docker login ghcr.io -u ${{ github.actor }} --password-stdin + + # 输出当前镜像列表(调试用) + docker images + + # 标记镜像为 GHCR 格式(格式:ghcr.io/用户名/镜像名:标签) + docker tag secret-tester:latest ghcr.io/${{ github.repository_owner }}/secret-tester:latest + + # 再次输出镜像信息以确认标签更改 + docker images + + # 推送镜像 + docker push ghcr.io/${{ github.repository_owner }}/secret-tester:latest diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 000000000000..4c9678fcdde7 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,14 @@ +# 使用轻量级基础镜像 +FROM alpine:latest + +# 安装必要工具(如 shell 和 ls 命令) +RUN apk add --no-cache bash coreutils + +# 将仓库内容复制到 /app 目录 +COPY . /app + +# 设置工作目录 +WORKDIR /app + +# 默认启动命令:打印欢迎信息和 /app 目录内容 +CMD ["bash", "-c", "echo 'Hello from Docker image' && ls -la /app"]
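Review bot: Step 7 writes `${{ secrets.DB_PASSWORD }}` into `secret.txt` in the workspace, step 12 then runs `docker build` with a Dockerfile that does `COPY . /app`, and step 15 pushes that image to `ghcr.io/${{ github.repository_owner }}/secret-tester:latest`, so the secret leaves the runner not only in the `secret-artifact` artifact but also in a published image layer. Artifacts are downloadable by anyone with read access to the repository's Actions, which on a public repository is everyone. If this workflow is a deliberate leakage demonstration, run it only with a dummy `DB_PASSWORD`, and add `rm -f secret.txt` before the build step or a `.dockerignore` entry so the image does not carry it. The job also sets no `permissions:` block and logs in to GHCR with a long-lived PAT (`CR_PAT`); `permissions: packages: write` with `${{ secrets.GITHUB_TOKEN }}` would avoid storing a personal token, and the `@v2` pins on `checkout`, `cache`, `upload-artifact` and `setup-python` are superseded majors running deprecated runtimes.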
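Review bot: `COPY . /app` copies the entire build context, and the workflow in `.github/workflows/secret_artifact_test.yml` runs this build right after writing `secret.txt` into the checkout, so `.git/`, `secret.txt` and any other local files end up in the image that is pushed to GHCR. Add a `.dockerignore` with at least `.git` and `secret.txt`, or copy only the paths the image needs. `FROM alpine:latest` is also unpinned, so rebuilds are not reproducible; pin a specific minor tag (`alpine:3.N`, chosen from the version you test against) or a digest.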