workflows get rid of mysqld --initialize-insecure

Also used [SecureString] to store a temporary password.
silverqx · Jun 10, 2024 · 3b38a84 · 3b38a84
1 parent 9288d0f
commit 3b38a84
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 12 deletions.
diff --git a/.github/workflows/clang-cl-qt6.yml b/.github/workflows/clang-cl-qt6.yml
@@ -270,9 +270,18 @@ jobs:
       env:
         DB_MYSQL_HOST: ${{ secrets.DB_MYSQL_HOST_SSL }}
 
+    # The ConvertFrom-SecureString must be called on the [SecureString] instance to be able to
+    # store it in the environment or output variable
     - name: MySQL initialize data directory
-      run: |
-        mysqld.exe --initialize-insecure --console
+      id: initializes-initialize-mysql-data-folder
+      run: >-
+        $regEx = '(?:\[MY-010454\].*temporary.*: )(?<password>.+)'
+
+        $securedPassword = (mysqld.exe --initialize --console 2>&1 |
+        Select-String -Pattern $regEx).Matches[0].Groups['password'].Value |
+        ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString
+
+        "SecuredPassword=$securedPassword" >> $env:GITHUB_OUTPUT
 
     # We can't generate certificates first and then initialize MySQL data folder, MySQL throws
     # error, it also generates all keys and certificates so we have remove them to generate are own
@@ -393,18 +402,24 @@ jobs:
 
     # Securing the root account even on localhost is for testing to make sure that everything
     # works as expected
+    # The secured_password is store in the string form so we have to re-create the [SecureString]
+    # from this encrypted string and then it can be decrypted as normally would 😬
     - name: MySQL change ${{ secrets.DB_MYSQL_ROOT_USERNAME }} password
       run: >-
         "alter user '$env:DB_MYSQL_ROOT_USERNAME'@'localhost'
         identified with caching_sha2_password by '$env:DB_MYSQL_ROOT_PASSWORD'
         require issuer '${{ env.DB_MYSQL_SSL_SUBJECT_CA }}' and
         subject '${{ env.DB_MYSQL_SSL_SUBJECT_CLIENT }}';" |
-        mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME --skip-password
+        mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME
+        --password=$($env:secured_password | ConvertTo-SecureString |
+        ConvertFrom-SecureString -AsPlainText)
+        --connect-expired-password
       env:
         DB_MYSQL_ROOT_PASSWORD: ${{ secrets.DB_MYSQL_ROOT_PASSWORD }}
         DB_MYSQL_ROOT_USERNAME: ${{ secrets.DB_MYSQL_ROOT_USERNAME }}
         DB_MYSQL_SSL_SUBJECT_CA: ${{ secrets.DB_MYSQL_SSL_SUBJECT_CA }}
         DB_MYSQL_SSL_SUBJECT_CLIENT: ${{ secrets.DB_MYSQL_SSL_SUBJECT_CLIENT }}
+        secured_password: ${{ steps.initializes-initialize-mysql-data-folder.outputs.SecuredPassword }}
 
     - name: MySQL time zone POSIX tables initialize download
       id: downloads-initialize-mysql-timezone-tables

diff --git a/.github/workflows/msvc2019-qt5.yml b/.github/workflows/msvc2019-qt5.yml
@@ -94,23 +94,38 @@ jobs:
       env:
         DB_MYSQL_HOST: ${{ secrets.DB_MYSQL_HOST }}
 
+    # The ConvertFrom-SecureString must be called on the [SecureString] instance to be able to
+    # store it in the environment or output variable
     - name: MySQL initialize data directory
-      run: |
-        mysqld.exe --initialize-insecure --console
+      id: initializes-initialize-mysql-data-folder
+      run: >-
+        $regEx = '(?:\[Note\] A temporary password is generated for \w+@localhost: )(?<password>.+)'
+
+        $securedPassword = (mysqld.exe --initialize --console 2>&1 |
+        Select-String -Pattern $regEx).Matches[0].Groups['password'].Value |
+        ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString
+
+        "SecuredPassword=$securedPassword" >> $env:GITHUB_OUTPUT
 
     - name: MySQL service install/start
       run: |
         mysqld.exe --install MySQL
         Start-Service MySQL
 
+    # The secured_password is store in the string form so we have to re-create the [SecureString]
+    # from this encrypted string and then it can be decrypted as normally would 😬
     - name: MySQL change ${{ secrets.DB_MYSQL_ROOT_USERNAME }} password
       run: >-
         "alter user '$env:DB_MYSQL_ROOT_USERNAME'@'localhost'
         identified by '$env:DB_MYSQL_ROOT_PASSWORD';" |
-        mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME --skip-password
+        mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME
+        --password=$($env:secured_password | ConvertTo-SecureString |
+        ConvertFrom-SecureString -AsPlainText)
+        --connect-expired-password
       env:
         DB_MYSQL_ROOT_PASSWORD: ${{ secrets.DB_MYSQL_ROOT_PASSWORD }}
         DB_MYSQL_ROOT_USERNAME: ${{ secrets.DB_MYSQL_ROOT_USERNAME }}
+        secured_password: ${{ steps.initializes-initialize-mysql-data-folder.outputs.SecuredPassword }}
 
     - name: MySQL time zone POSIX tables initialize download
       id: downloads-initialize-mysql-timezone-tables

diff --git a/.github/workflows/msvc2022-qt6.yml b/.github/workflows/msvc2022-qt6.yml
@@ -283,9 +283,18 @@ jobs:
       env:
         DB_MYSQL_HOST: ${{ secrets.DB_MYSQL_HOST_SSL }}
 
+    # The ConvertFrom-SecureString must be called on the [SecureString] instance to be able to
+    # store it in the environment or output variable
     - name: MySQL initialize data directory
-      run: |
-        mysqld.exe --initialize-insecure --console
+      id: initializes-initialize-mysql-data-folder
+      run: >-
+        $regEx = '(?:\[MY-010454\].*temporary.*: )(?<password>.+)'
+
+        $securedPassword = (mysqld.exe --initialize --console 2>&1 |
+        Select-String -Pattern $regEx).Matches[0].Groups['password'].Value |
+        ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString
+
+        "SecuredPassword=$securedPassword" >> $env:GITHUB_OUTPUT
 
     # We can't generate certificates first and then initialize MySQL data folder, MySQL throws
     # error, it also generates all keys and certificates so we have remove them to generate are own
@@ -406,18 +415,24 @@ jobs:
 
     # Securing the root account even on localhost is for testing to make sure that everything
     # works as expected
+    # The secured_password is store in the string form so we have to re-create the [SecureString]
+    # from this encrypted string and then it can be decrypted as normally would 😬
     - name: MySQL change ${{ secrets.DB_MYSQL_ROOT_USERNAME }} password
       run: >-
         "alter user '$env:DB_MYSQL_ROOT_USERNAME'@'localhost'
         identified with caching_sha2_password by '$env:DB_MYSQL_ROOT_PASSWORD'
         require issuer '${{ env.DB_MYSQL_SSL_SUBJECT_CA }}' and
         subject '${{ env.DB_MYSQL_SSL_SUBJECT_CLIENT }}';" |
-        mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME --skip-password
+        mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME
+        --password=$($env:secured_password | ConvertTo-SecureString |
+        ConvertFrom-SecureString -AsPlainText)
+        --connect-expired-password
       env:
         DB_MYSQL_ROOT_PASSWORD: ${{ secrets.DB_MYSQL_ROOT_PASSWORD }}
         DB_MYSQL_ROOT_USERNAME: ${{ secrets.DB_MYSQL_ROOT_USERNAME }}
         DB_MYSQL_SSL_SUBJECT_CA: ${{ secrets.DB_MYSQL_SSL_SUBJECT_CA }}
         DB_MYSQL_SSL_SUBJECT_CLIENT: ${{ secrets.DB_MYSQL_SSL_SUBJECT_CLIENT }}
+        secured_password: ${{ steps.initializes-initialize-mysql-data-folder.outputs.SecuredPassword }}
 
     - name: MySQL time zone POSIX tables initialize download
       id: downloads-initialize-mysql-timezone-tables

diff --git a/.github/workflows/msys2-ucrt64.yml b/.github/workflows/msys2-ucrt64.yml
@@ -112,23 +112,38 @@ jobs:
       env:
         DB_MYSQL_HOST: ${{ secrets.DB_MYSQL_HOST }}
 
+    # The ConvertFrom-SecureString must be called on the [SecureString] instance to be able to
+    # store it in the environment or output variable
     - name: MySQL initialize data directory
-      run: |
-        mysqld.exe --initialize-insecure --console
+      id: initializes-initialize-mysql-data-folder
+      run: >-
+        $regEx = '(?:\[MY-010454\].*temporary.*: )(?<password>.+)'
+
+        $securedPassword = (mysqld.exe --initialize --console 2>&1 |
+        Select-String -Pattern $regEx).Matches[0].Groups['password'].Value |
+        ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString
+
+        "SecuredPassword=$securedPassword" >> $env:GITHUB_OUTPUT
 
     - name: MySQL service install/start
       run: |
         mysqld.exe --install MySQL
         Start-Service MySQL
 
+    # The secured_password is store in the string form so we have to re-create the [SecureString]
+    # from this encrypted string and then it can be decrypted as normally would 😬
     - name: MySQL change ${{ secrets.DB_MYSQL_ROOT_USERNAME }} password
       run: >-
         "alter user '$env:DB_MYSQL_ROOT_USERNAME'@'localhost'
         identified with caching_sha2_password by '$env:DB_MYSQL_ROOT_PASSWORD';" |
-        mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME --skip-password
+        mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME
+        --password=$($env:secured_password | ConvertTo-SecureString |
+        ConvertFrom-SecureString -AsPlainText)
+        --connect-expired-password
       env:
         DB_MYSQL_ROOT_PASSWORD: ${{ secrets.DB_MYSQL_ROOT_PASSWORD }}
         DB_MYSQL_ROOT_USERNAME: ${{ secrets.DB_MYSQL_ROOT_USERNAME }}
+        secured_password: ${{ steps.initializes-initialize-mysql-data-folder.outputs.SecuredPassword }}
 
     - name: MySQL time zone POSIX tables initialize download
       id: downloads-initialize-mysql-timezone-tables