From c0c2d2ad3c314e9f1ac8f6aa405db4f49762cb91 Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Fri, 27 Jun 2025 14:18:29 +0200
Subject: [PATCH] website/docs: updated security release procedure (#15288)
* ci: skip translate compile
Signed-off-by: Jens Langhammer
* ci: allow skipping build container for website
Signed-off-by: Jens Langhammer
* update docs
Signed-off-by: Jens Langhammer
* fix gha perms?
Signed-off-by: Jens Langhammer
---------
Signed-off-by: Jens Langhammer
---
 .../_reusable-docker-build-single.yaml | 2 ++
 .github/workflows/ci-main.yml | 2 ++
 .github/workflows/ci-website.yml | 1 +
 .../workflows/translation-extract-compile.yml | 1 +
 website/docs/developer-docs/releases/index.md | 17 ++++++++++++++++-
 5 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/_reusable-docker-build-single.yaml b/.github/workflows/_reusable-docker-build-single.yaml
index a3b12c36c1..a254225f95 100644
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@@ -38,6 +38,8 @@ jobs:
 # Needed for attestation
 id-token: write
 attestations: write
+ # Needed for checkout
+ contents: read
 steps:
 - uses: actions/checkout@v4
 - uses: docker/setup-qemu-action@v3.6.0
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
index 6e06e1e8dc..8c462f4405 100644
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -247,6 +247,8 @@ jobs:
 # Needed for attestation
 id-token: write
 attestations: write
+ # Needed for checkout
+ contents: read
 needs: ci-core-mark
 uses: ./.github/workflows/_reusable-docker-build.yaml
 secrets: inherit
diff --git a/.github/workflows/ci-website.yml b/.github/workflows/ci-website.yml
index 60da9aef5d..08657dfe4c 100644
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
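Review bot: The job that mints the build attestation still references its actions by mutable tag (`actions/checkout@v4` and `docker/setup-qemu-action@v3.6.0` in the context lines of this hunk), so the provenance it signs covers a build whose tooling can be changed by a tag move in a third-party repository; for an attestation-producing job pin each action to a full commit SHA and keep the tag in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`. The added `contents: read` is the right scope for a checkout and, because the `permissions:` block is now explicit, is the only way the job keeps read access at all. Since this is a reusable workflow, each caller must grant at least the same permission or the call is rejected. The `jobs:` entry this permissions block belongs to starts outside the hunk.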
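Review bot: The permissions added here only cap what the called workflow may use; `uses: ./.github/workflows/_reusable-docker-build.yaml` is not part of this diff, and if that intermediate workflow declares its own `permissions:` block without `contents: read` the checkout further down the chain will still be denied, so it is worth confirming it forwards the same set. Separately, `secrets: inherit` on the same job hands every repository secret to the whole build chain; if the build needs only a known subset (registry credentials, say), listing those explicitly under `secrets:` would keep this least-privilege change consistent. A comment above the block, `# permissions here are an upper bound for the reusable workflow`, would make the relationship clear to the next reader. The enclosing job definition starts before the hunk.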
@@ -123,3 +123,4 @@ jobs:
 - uses: re-actors/alls-green@release/v1
 with:
 jobs: ${{ toJSON(needs) }}
+ allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}
diff --git a/.github/workflows/translation-extract-compile.yml b/.github/workflows/translation-extract-compile.yml
index f6ba65bae9..91f7afff7a 100644
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -16,6 +16,7 @@ env:
 jobs:
 compile:
+ if: ${{ github.repository != 'goauthentik/authentik-internal' }}
 runs-on: ubuntu-latest
 steps:
 - id: generate_token
diff --git a/website/docs/developer-docs/releases/index.md b/website/docs/developer-docs/releases/index.md
index f108ed94cd..689ff042c7 100644
--- a/website/docs/developer-docs/releases/index.md
+++ b/website/docs/developer-docs/releases/index.md
@@ -110,6 +110,10 @@ If you have any questions or comments about this advisory:
 Include the new file in the `/website/sidebars.js`
+ Push the branch to https://github.com/goauthentik/authentik-internal for CI to run and for reviews
+
+ An image with the fix is built under `ghcr.io/goauthentik/internal-server` which can be made accessible to the reporter for testing
+
 - Check with the original reporter that the fix works as intended
 - Wait for GitHub to assign a CVE
 - Announce the release of the vulnerability via Mailing list and discord
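Review bot: `allowed-skips` receives two differently shaped values on the new line — a bare job id (`'build-container'`) in one branch and a JSON list literal (`'[]'`) in the other; unless the action's input parser is known to accept both forms (I cannot confirm that from here), use one shape, e.g. `allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && '["build-container"]' || '[]' }}`. Note also that this merge gate will now pass in the internal repository whenever `build-container` reports skipped, so a job that is silently never scheduled there (rather than deliberately gated with an `if:`) would not be noticed; a one-line comment above the step stating why the internal repo skips the website container build would document that assumption. The job header for this `alls-green` step lies outside the hunk.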
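Review bot: The new job-level guard is a denylist on a single repository name, so the `compile` job still runs on forks and any other mirror, where the `generate_token` step that follows presumably has no app credentials and will fail; an allowlist is the least-privilege form and covers those cases as well, e.g. `if: ${{ github.repository == 'goauthentik/authentik' }}` (substituting the public repository's exact full name). If the specific intent is to keep the private security-fix repository from pushing translation commits, a short comment above the line, `# never extract/push translations from the internal security-fix repo`, would record the rule. The job's trigger and its remaining steps are outside the hunk.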
@@ -136,7 +140,18 @@ We'll be publishing a security Issue (CVE-2022-xxxxx) and accompanying fix on _d
 ### Creating a security release
-- On the date specified in the announcement, push the local `security/CVE-2022-xxxxx` branch into a PR, and squash merge it if the pipeline passes
+- On the date specified in the announcement, retag the image from `authentik-internal` to the main image:
+
+ ```
+ docker buildx imagetools create -t ghcr.io/goauthentik/server:xxxx.x ghcr.io/goauthentik/internal-server:gh-cve-2022-xxx
+ docker buildx imagetools create -t ghcr.io/goauthentik/server:xxxx.x.x ghcr.io/goauthentik/internal-server:gh-cve-2022-xxx
+ ```
+
+ Where xxxx.x is the version family and xxxx.x.x is the full version.
+
+ This will make the fixed container image available instantly, while the full release is running on the main repository.
+
+- Push the local `security/CVE-2022-xxxxx` branch into a PR, and squash merge it if the pipeline passes
 - If the fix made any changes to the API schema, merge the PR to update the web API client
 - Cherry-pick the merge commit onto the version branch
 - If the fix made any changes to the API schema, manually install the latest version of the API client in `/web`