[r339] distributor(ha-tracker): WatchPrefix - handle error on type assertion gracefully by NickAnge · Pull Request #11477 · grafana/mimir · GitHub
[r339] distributor(ha-tracker): WatchPrefix - handle error on type assertion gracefully #11477

Merged
merged 1 commit into from
May 19, 2025

Conversation

NickAnge
Contributor
@NickAnge NickAnge commented May 19, 2025

distributor(ha-tracker): WatchPrefix - handle error on type assertion gracefully (#11411)

Always return true to ensure WatchPrefix() is never interrupted, otherwise the HA tracker stops receiving updates.

(cherry picked from commit b70c1da)

What this PR does

Which issue(s) this PR fixes or relates to

Fixes #

Checklist

  • Tests updated.
  • Documentation added.
  • CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX].
  • about-versioning.md updated with experimental features.

@NickAnge NickAnge marked this pull request as ready for review May 19, 2025 09:47
@NickAnge NickAnge requested a review from a team as a code owner May 19, 2025 09:47

@NickAnge NickAnge changed the title distributor(ha-tracker): WatchPrefix - handle error on type assertion… Backport 11411 to r339 May 19, 2025
@NickAnge NickAnge changed the title Backport 11411 to r339 distributor(ha-tracker): WatchPrefix - handle error on type assertion gracefully May 19, 2025
@NickAnge NickAnge force-pushed the backport-11411-to-r339 branch from f8e5464 to 795252f Compare May 19, 2025 11:27

@NickAnge NickAnge changed the title distributor(ha-tracker): WatchPrefix - handle error on type assertion gracefully [r339] distributor(ha-tracker): WatchPrefix - handle error on type assertion gracefully May 19, 2025
@NickAnge NickAnge closed this May 19, 2025
@NickAnge NickAnge reopened this May 19, 2025
Contributor

😢 zizmor failed with exit code 14.

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:48:7
   |
48 |     - uses: helm/kind-action@v1.12.0
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:50:7
   |
50 |       uses: dsaltares/fetch-gh-release-asset@1.1.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:58:7
   |
58 |       uses: dsaltares/fetch-gh-release-asset@1.1.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:66:7
   |
66 |       uses: dsaltares/fetch-gh-release-asset@1.1.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:13:3
   |
13 |   id-token: write
   |   ^^^^^^^^^^^^^^^ id-token: write is overly broad at the workflow level
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:66:9
   |
66 |         - name: Run Git Config
   |           ^^^^^^^^^^^^^^^^^^^^ this step
67 | /         run: |
68 | |           git config --global --add safe.directory '*'
69 | |           git config --global user.email "${{ github.event.pull_request.user.login }}@users.noreply.github.com"
70 | |           git config --global user.name "${{ github.event.pull_request.user.login }}"
   | |_____________________________________________________________________________________^ github.event.pull_request.user.login may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:66:9
   |
66 |         - name: Run Git Config
   |           ^^^^^^^^^^^^^^^^^^^^ this step
67 | /         run: |
68 | |           git config --global --add safe.directory '*'
69 | |           git config --global user.email "${{ github.event.pull_request.user.login }}@users.noreply.github.com"
70 | |           git config --global user.name "${{ github.event.pull_request.user.login }}"
   | |_____________________________________________________________________________________^ github.event.pull_request.user.login may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:73:9
   |
73 |         uses: ksivamuthu/actions-setup-gh-cli@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-weekly-release-pr.yaml:19:9
   |
19 |       - uses: imjasonh/setup-crane@v0.4
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-weekly-release-pr.yaml:43:9
   |
43 |         uses: peter-evans/create-pull-request@v5
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/push-mimir-build-image.yml:111:9
    |
111 |         - name: Add commit to PR in order to update Build Image version
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
112 |           if: steps.compare_tag.outputs.isDifferent == 'true'
113 | /         run: |
114 | |           echo "Get current Build Image Version"
...   |
126 | |             git push origin HEAD
127 | |           fi
    | |____________^ github.event.pull_request.user.login may expand into attacker-controllable code
    |
    = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/push-mimir-build-image.yml:111:9
    |
111 |         - name: Add commit to PR in order to update Build Image version
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
112 |           if: steps.compare_tag.outputs.isDifferent == 'true'
113 | /         run: |
114 | |           echo "Get current Build Image Version"
...   |
126 | |             git push origin HEAD
127 | |           fi
    | |____________^ github.event.pull_request.user.login may expand into attacker-controllable code
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/push-mimir-build-image.yml:35:9
   |
35 |         uses: docker/setup-qemu-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/push-mimir-build-image.yml:38:9
   |
38 |         uses: docker/setup-buildx-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/push-mimir-build-image.yml:41:9
   |
41 |         uses: docker/login-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/sbom-report.yml:17:7
   |
17 |       uses: anchore/sbom-action@v0.18.0
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:156:9
    |
156 |         uses: azure/setup-helm@v4
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:216:9
    |
216 |         uses: docker/setup-qemu-action@v3
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:219:9
    |
219 |         uses: docker/setup-buildx-action@v3
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
69 |         - name: Cache golangci-lint cache
70 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
79 |         - name: Cache Go build cache
80 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
86 |         - name: Cache Go module cache
87 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
188 |         - name: Cache Go build cache
189 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
228 |         - name: Cache Go build cache
229 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
286 |         - name: Cache Go build cache
287 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

111 findings (71 ignored, 15 suppressed): 0 unknown, 0 informational, 0 low, 0 medium, 25 high

@NickAnge NickAnge enabled auto-merge (squash) May 19, 2025 12:02
@NickAnge NickAnge merged commit d363ce5 into r339 May 19, 2025
59 checks passed
@NickAnge NickAnge deleted the backport-11411-to-r339 branch May 19, 2025 12:16