Merged
4 changes: 2 additions & 2 deletions .github/workflows/integration-test.yaml
Expand Up @@ -11,7 +11,7 @@ jobs:

docker-compose-test:
name: Quest Smoke and Load Tests for Standalone deployments
runs-on: self-hosted
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
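Review bot: moving docker-compose-test from `self-hosted` to `ubuntu-latest` is the right direction for a job that executes pull-request code, because a GitHub-hosted runner is a fresh VM per job while a self-hosted runner that runs untrusted PR workloads can be persistently compromised; please confirm the job does not still depend on something only the self-hosted box provided (Docker Compose plugin, amd64 architecture for the `platform: linux/amd64` services in the compose files, disk and memory for the load test). `ubuntu-latest` is a floating label, so if a reproducible baseline matters, pin it to a dated image such as `ubuntu-24.04`.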
Expand All @@ -23,7 +23,7 @@ jobs:

docker-compose-distributed-test:
name: Quest Smoke and Load Tests for Distributed deployments
runs-on: self-hosted
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
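Review bot: same runner switch as the standalone job above; while these steps are being touched, `uses: actions/checkout@v4` is a mutable major tag. Pin it to the full commit SHA (`actions/checkout@<sha> # v4`) so a moved or compromised tag cannot replace the action's code underneath the CI job.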
1 change: 0 additions & 1 deletion docker-compose-distributed-test-with-kafka.yaml
Expand Up @@ -189,7 +189,6 @@ services:
quest:
platform: linux/amd64
image: ghcr.io/parseablehq/quest:main
pull_policy: always
command:
[
"load",
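Review bot: dropping `pull_policy: always` while keeping the mutable `ghcr.io/parseablehq/quest:main` tag means Compose will reuse whatever `quest:main` is already in the local image cache instead of refreshing it. On a fresh `ubuntu-latest` runner that changes nothing, but on a self-hosted runner or a developer machine the load test silently runs against a stale build. If the goal is reproducibility, pin by digest (`image: ghcr.io/parseablehq/quest@sha256:<digest>`) rather than relying on cache state; if the goal is only to avoid the network pull, say so in the PR description.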
1 change: 0 additions & 1 deletion docker-compose-distributed-test.yaml
Expand Up @@ -100,7 +100,6 @@ services:
quest:
platform: linux/amd64
image: ghcr.io/parseablehq/quest:main
pull_policy: always
command:
[
"load",
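Review bot: same `pull_policy: always` removal as in docker-compose-distributed-test-with-kafka.yaml. Whichever option is chosen, digest pinning or reliance on the cache, apply it identically across all four compose files so the standalone and distributed tests exercise the same quest build.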
3 changes: 1 addition & 2 deletions docker-compose-test-with-kafka.yaml
Expand Up @@ -3,7 +3,7 @@ networks:

services:
minio:
image: minio/minio:RELEASE.2025-02-03T21-03-04Z
image: minio/minio:RELEASE.2023-02-10T18-48-39Z
entrypoint:
- sh
- -euc
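Review bot: this downgrades MinIO from RELEASE.2025-02-03T21-03-04Z to RELEASE.2023-02-10T18-48-39Z, which predates RELEASE.2023-03-20T20-16-18Z, the first release that fixes CVE-2023-28432 (an information disclosure that leaks environment variables including MINIO_ROOT_PASSWORD, listed in CISA's Known Exploited Vulnerabilities catalog) and CVE-2023-28434. The container is only reachable on the compose network during a CI run, so the practical exposure here is small, but pinning a known-vulnerable image in the repository invites copy-paste into other environments. If the 2025 release broke the test, state what broke in the PR and pick the oldest release on or after 2023-03-20 that still works.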
Expand Down Expand Up @@ -67,7 +67,6 @@ services:
quest:
image: ghcr.io/parseablehq/quest:main
platform: linux/amd64
pull_policy: always
command: [
"load",
"http://parseable:8000",
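Review bot: same point as in the distributed compose files: without `pull_policy: always` the `:main` tag resolves to whatever is cached locally. This hunk also sits in the same file as the MinIO downgrade above, so the test now combines a floating quest image with a pinned-but-vulnerable MinIO; for a reproducible baseline pin quest by digest and MinIO to a patched release.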
3 changes: 1 addition & 2 deletions docker-compose-test.yaml
Expand Up @@ -3,7 +3,7 @@ networks:

services:
minio:
image: minio/minio:RELEASE.2025-02-03T21-03-04Z
image: minio/minio:RELEASE.2023-02-10T18-48-39Z
💡 Verification agent

🧩 Analysis chain

Verify MinIO version compatibility.

Rolling back to an older MinIO version (2023-02-10) could impact functionality. Please ensure this version:

  1. Meets the project's requirements
  2. Has no known security vulnerabilities

🌐 Web query:

Are there any known security vulnerabilities in MinIO RELEASE.2023-02-10T18-48-39Z?

💡 Result:

MinIO RELEASE.2023-02-10T18-48-39Z contains multiple critical security vulnerabilities that have been actively exploited in attacks:

Known Vulnerabilities

  1. CVE-2023-28432 (CVSS 7.5)
    Security feature bypass allowing attackers to:

    • Retrieve sensitive environment variables including MINIO_ROOT_PASSWORD[2][5][8]
    • Access admin credentials through API endpoints[5][8]
  2. CVE-2023-28434 (CVSS 8.8)
    Remote Code Execution vulnerability enabling:

    • Unauthorized command execution via crafted HTTP requests[2][5]
    • Replacement of MinIO binaries with malicious versions[2][5][8]

These vulnerabilities were fixed in RELEASE.2023-03-20T20-16-18Z and added to CISA's Known Exploited Vulnerabilities Catalog[4][7]. Attack chains using these CVEs have been observed:

http://vulnerable.minIO.server/?alive=[malicious_command]
http://vulnerable.minIO.server/anything?alive=[RCE_payload]

Allows full server compromise when chained together[2][5][8].

Recommended Action

Immediate upgrade to at least RELEASE.2023-03-20T20-16-18Z is required. Later versions like RELEASE.2024-01-31T20-20-33Z contain additional security fixes including privilege escalation patches[3][6].

For legacy deployments, implement network restrictions:

# Block public access to MinIO API ports (9000/9001 by default)
iptables -A INPUT -p tcp --dport 9000:9001 -j DROP

This version has been vulnerable for over 12 months with public exploits available since April 2023[2][5]. Unpatched systems risk complete data exposure and server takeover through documented attack vectors[8].

Citations:


Security Issue: Outdated MinIO Version in docker-compose-test.yaml

  • The specified MinIO image (minio/minio:RELEASE.2023-02-10T18-48-39Z) is known to have multiple critical security vulnerabilities (e.g., CVE-2023-28432 and CVE-2023-28434).
  • These vulnerabilities enable sensitive information exposure and remote code execution.
  • The issues were resolved starting with RELEASE.2023-03-20T20-16-18Z; hence, an upgrade is strongly recommended.
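Added here as an editorial example, not code from the Parseable project or from the comment above: a dependency-free Python audit that scans docker-compose text for `minio/minio` images and classifies each one against the RELEASE.2023-03-20T20-16-18Z fix boundary the comment cites. It also handles the cases a one-off `grep` misses: a floating tag such as `latest`, a missing tag, a registry host with a port, and a digest-pinned image whose release date cannot be read off the reference. The sample compose text is constructed for the example and reuses the two tags from this PR.

```python
import re
from datetime import datetime

# First MinIO release that fixes CVE-2023-28432 and CVE-2023-28434,
# as stated in the review comment above.
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

# Matches a compose "image:" line; quotes and trailing comments are tolerated.
IMAGE_RE = re.compile(r"""^\s*image:\s*['"]?(?P<ref>[^'"\s#]+)['"]?\s*(#.*)?$""")
# MinIO's date-stamped release tags, e.g. RELEASE.2023-02-10T18-48-39Z
RELEASE_RE = re.compile(r"^RELEASE\.\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z$")


def release_time(tag: str) -> datetime:
    """Parse a MinIO RELEASE tag into a datetime so tags can be ordered."""
    return datetime.strptime(tag, "RELEASE.%Y-%m-%dT%H-%M-%SZ")


def split_ref(ref: str):
    """Split name[:tag][@digest] into (name, tag, digest); tag and digest may be empty."""
    name_tag, _, digest = ref.partition("@")
    # A colon after the last slash is a tag separator; one before it is a registry port.
    colon, slash = name_tag.rfind(":"), name_tag.rfind("/")
    if colon > slash:
        return name_tag[:colon], name_tag[colon + 1:], digest
    return name_tag, "", digest


def classify_ref(ref: str, min_release: str = FIXED_RELEASE):
    """Return None for non-MinIO images, otherwise 'ok', 'vulnerable', 'digest' or 'unpinned'."""
    name, tag, digest = split_ref(ref)
    if name != "minio/minio" and not name.endswith("/minio/minio"):
        return None
    if RELEASE_RE.match(tag):
        return "ok" if release_time(tag) >= release_time(min_release) else "vulnerable"
    if digest:
        # Immutable, but the release date cannot be read off a digest: verify it out of band.
        return "digest"
    # "latest", a missing tag, or a non-release tag: a different image on every pull.
    return "unpinned"


def audit_compose(text: str, min_release: str = FIXED_RELEASE):
    """Return [(line_no, image_ref, status)] for every minio/minio image in compose text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = IMAGE_RE.match(line)
        if not m:
            continue
        status = classify_ref(m.group("ref"), min_release)
        if status is not None:
            findings.append((line_no, m.group("ref"), status))
    return findings


# Constructed sample, not a file from the PR: it reuses the two tags seen in the diff
# plus a floating tag, and includes a non-MinIO service that must be ignored.
SAMPLE_COMPOSE = """\
services:
  minio-current:
    image: minio/minio:RELEASE.2025-02-03T21-03-04Z
  minio-rolled-back:
    image: minio/minio:RELEASE.2023-02-10T18-48-39Z
  minio-floating:
    image: "minio/minio:latest"
  quest:
    image: ghcr.io/parseablehq/quest:main
"""

if __name__ == "__main__":
    for line_no, ref, status in audit_compose(SAMPLE_COMPOSE):
        print(f"line {line_no}: {ref} -> {status}")
```

Run it against a real file with `audit_compose(open("docker-compose-test.yaml").read())`; anything reported as `vulnerable` or `unpinned` is worth a CI failure, and `digest` entries need the digest resolved to a release date once, out of band.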

entrypoint:
- sh
- -euc
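Review bot: same MinIO downgrade as in docker-compose-test-with-kafka.yaml, and the inline comment above already lists the CVEs fixed in RELEASE.2023-03-20T20-16-18Z. The entrypoint runs a script under `sh -euc`, so any server flag or behaviour that differs between the 2025 and 2023 releases would abort the script immediately; if that failure is what motivated the downgrade, record it in the PR description, and move both files together to the oldest patched release that still passes rather than to the one pinned here.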
Expand Down Expand Up @@ -60,7 +60,6 @@ services:

quest:
image: ghcr.io/parseablehq/quest:main
pull_policy: always
platform: linux/amd64
command: [
"load",
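Review bot: fourth copy of the `pull_policy: always` removal on `ghcr.io/parseablehq/quest:main`. Since all four compose files carry the same image line, consider resolving the reference once through Compose variable substitution (for example `image: ghcr.io/parseablehq/quest@${QUEST_DIGEST}` with the digest set in `.env` or by the workflow) so the tests cannot drift onto different quest builds depending on what each runner has cached.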