From 3b38a8445cae8ad4f2c4cfca93f8b28826b25b92 Mon Sep 17 00:00:00 2001 From: silverqx Date: Mon, 10 Jun 2024 11:26:44 +0200 Subject: [PATCH] workflows get rid of mysqld --initialize-insecure Also used [SecureString] to store a temporary password. --- .github/workflows/clang-cl-qt6.yml | 21 ++++++++++++++++++--- .github/workflows/msvc2019-qt5.yml | 21 ++++++++++++++++++--- .github/workflows/msvc2022-qt6.yml | 21 ++++++++++++++++++--- .github/workflows/msys2-ucrt64.yml | 21 ++++++++++++++++++--- 4 files changed, 72 insertions(+), 12 deletions(-) diff --git a/.github/workflows/clang-cl-qt6.yml b/.github/workflows/clang-cl-qt6.yml index 912b6fc57..a2639f3bc 100644 --- a/.github/workflows/clang-cl-qt6.yml +++ b/.github/workflows/clang-cl-qt6.yml @@ -270,9 +270,18 @@ jobs: env: DB_MYSQL_HOST: ${{ secrets.DB_MYSQL_HOST_SSL }} + # The ConvertFrom-SecureString must be called on the [SecureString] instance to be able to + # store it in the environment or output variable - name: MySQL initialize data directory - run: | - mysqld.exe --initialize-insecure --console + id: initializes-initialize-mysql-data-folder + run: >- + $regEx = '(?:\[MY-010454\].*temporary.*: )(?.+)' + + $securedPassword = (mysqld.exe --initialize --console 2>&1 | + Select-String -Pattern $regEx).Matches[0].Groups['password'].Value | + ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString + + "SecuredPassword=$securedPassword" >> $env:GITHUB_OUTPUT # We can't generate certificates first and then initialize MySQL data folder, MySQL throws # error, it also generates all keys and certificates so we have remove them to generate are own 
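Review bot: Nothing in the new `run:` block checks that `Select-String` matched, so if a future MySQL release changes the version-specific `[MY-010454]` log line, `.Matches[0].Groups['password'].Value` evaluates to `$null` in PowerShell's default non-strict mode, an empty `SecuredPassword=` is written to `GITHUB_OUTPUT`, and the step still succeeds; the failure then shows up only as an authentication error in the later change-password step. A non-zero mysqld exit presumably still fails the step through the `$LASTEXITCODE` check GitHub's pwsh wrapper appends, but a regex mismatch is silent. I would capture the `Select-String` result and fail fast, keeping the blank lines between statements that the folded `>-` scalar needs so they are not joined onto one line. Side note: the named group renders as `(?.+)` here, presumably `(?<password>.+)` in the real file with the angle-bracket name lost to rendering.
```yaml
      run: >-
        # … unchanged: $regEx assignment …

        $match = mysqld.exe --initialize --console 2>&1 | Select-String -Pattern $regEx

        if ($LASTEXITCODE -ne 0 -or -not $match) { throw "mysqld --initialize failed or printed no temporary root password (exit $LASTEXITCODE)" }

        $securedPassword = $match.Matches[0].Groups['password'].Value |
          ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString

        # … unchanged: write SecuredPassword to $env:GITHUB_OUTPUT …
```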
@@ -393,18 +402,24 @@ jobs: # Securing the root account even on localhost is for testing to make sure that everything # works as expected + # The secured_password is store in the string form so we have to re-create the [SecureString] + # from this encrypted string and then it can be decrypted as normally would 😬 - name: MySQL change ${{ secrets.DB_MYSQL_ROOT_USERNAME }} password run: >- "alter user '$env:DB_MYSQL_ROOT_USERNAME'@'localhost' identified with caching_sha2_password by '$env:DB_MYSQL_ROOT_PASSWORD' require issuer '${{ env.DB_MYSQL_SSL_SUBJECT_CA }}' and subject '${{ env.DB_MYSQL_SSL_SUBJECT_CLIENT }}';" | - mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME --skip-password + mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME + --password=$($env:secured_password | ConvertTo-SecureString | + ConvertFrom-SecureString -AsPlainText) + --connect-expired-password env: DB_MYSQL_ROOT_PASSWORD: ${{ secrets.DB_MYSQL_ROOT_PASSWORD }} DB_MYSQL_ROOT_USERNAME: ${{ secrets.DB_MYSQL_ROOT_USERNAME }} DB_MYSQL_SSL_SUBJECT_CA: ${{ secrets.DB_MYSQL_SSL_SUBJECT_CA }} DB_MYSQL_SSL_SUBJECT_CLIENT: ${{ secrets.DB_MYSQL_SSL_SUBJECT_CLIENT }} + secured_password: ${{ steps.initializes-initialize-mysql-data-folder.outputs.SecuredPassword }} - name: MySQL time zone POSIX tables initialize download id: downloads-initialize-mysql-timezone-tables diff --git a/.github/workflows/msvc2019-qt5.yml b/.github/workflows/msvc2019-qt5.yml index 6956ee7e9..e7e370288 100644 --- a/.github/workflows/msvc2019-qt5.yml +++ b/.github/workflows/msvc2019-qt5.yml 
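Review bot: The decrypted temporary password is placed on the `mysql.exe` command line via the new `--password=$(...)` argument, where any other process on the runner can read it from the process command line and where the client prints its `Using a password on the command line interface can be insecure` warning into the job log; the SecureString round trip only protects the value while it sits in `GITHUB_OUTPUT` and the step env. Since the SQL already arrives on stdin, I would pass the password through the environment and drop `--password=` while keeping `--connect-expired-password`: `$env:MYSQL_PWD = ($env:secured_password | ConvertTo-SecureString | ConvertFrom-SecureString -AsPlainText)` as its own statement, a blank line (the `run:` block is a folded scalar), then `"alter user ...;" | mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME --connect-expired-password`. `MYSQL_PWD` is deprecated in MySQL 8.0 but still honored; a `--defaults-extra-file` option file with a `[client]` section and `password=` is the non-deprecated alternative. On an ephemeral hosted runner the exposure window is small, so this matters most if these jobs ever run on self-hosted runners.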
@@ -94,23 +94,38 @@ jobs: env: DB_MYSQL_HOST: ${{ secrets.DB_MYSQL_HOST }} + # The ConvertFrom-SecureString must be called on the [SecureString] instance to be able to + # store it in the environment or output variable - name: MySQL initialize data directory - run: | - mysqld.exe --initialize-insecure --console + id: initializes-initialize-mysql-data-folder + run: >- + $regEx = '(?:\[Note\] A temporary password is generated for \w+@localhost: )(?.+)' + + $securedPassword = (mysqld.exe --initialize --console 2>&1 | + Select-String -Pattern $regEx).Matches[0].Groups['password'].Value | + ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString + + "SecuredPassword=$securedPassword" >> $env:GITHUB_OUTPUT - name: MySQL service install/start run: | mysqld.exe --install MySQL Start-Service MySQL + # The secured_password is store in the string form so we have to re-create the [SecureString] + # from this encrypted string and then it can be decrypted as normally would 😬 - name: MySQL change ${{ secrets.DB_MYSQL_ROOT_USERNAME }} password run: >- "alter user '$env:DB_MYSQL_ROOT_USERNAME'@'localhost' identified by '$env:DB_MYSQL_ROOT_PASSWORD';" | - mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME --skip-password + mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME + --password=$($env:secured_password | ConvertTo-SecureString | + ConvertFrom-SecureString -AsPlainText) + --connect-expired-password env: DB_MYSQL_ROOT_PASSWORD: ${{ secrets.DB_MYSQL_ROOT_PASSWORD }} DB_MYSQL_ROOT_USERNAME: ${{ secrets.DB_MYSQL_ROOT_USERNAME }} + secured_password: ${{ steps.initializes-initialize-mysql-data-folder.outputs.SecuredPassword }} - name: MySQL time zone POSIX tables initialize download id: downloads-initialize-mysql-timezone-tables diff --git a/.github/workflows/msvc2022-qt6.yml b/.github/workflows/msvc2022-qt6.yml index 7970c9d69..0f38bcfba 100644 --- a/.github/workflows/msvc2022-qt6.yml +++ b/.github/workflows/msvc2022-qt6.yml 
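Review bot: The plaintext temporary password extracted in the `MySQL initialize data directory` step is never registered with the runner's log masker, so anything that later echoes it (the second step puts it on a `mysql.exe` command line, and a PowerShell error could print the offending expression) lands unredacted in the job log. I would split the pipeline so the plaintext is held briefly in a local and masked before it is wrapped: `$plain = (mysqld.exe --initialize --console 2>&1 | Select-String -Pattern $regEx).Matches[0].Groups['password'].Value`, then `Write-Output "::add-mask::$plain"`, then `$securedPassword = $plain | ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString`, each separated by a blank line because the `run:` block is a folded `>-` scalar. The same masking gap exists in the other three workflows in this commit.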
@@ -283,9 +283,18 @@ jobs: env: DB_MYSQL_HOST: ${{ secrets.DB_MYSQL_HOST_SSL }} + # The ConvertFrom-SecureString must be called on the [SecureString] instance to be able to + # store it in the environment or output variable - name: MySQL initialize data directory - run: | - mysqld.exe --initialize-insecure --console + id: initializes-initialize-mysql-data-folder + run: >- + $regEx = '(?:\[MY-010454\].*temporary.*: )(?.+)' + + $securedPassword = (mysqld.exe --initialize --console 2>&1 | + Select-String -Pattern $regEx).Matches[0].Groups['password'].Value | + ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString + + "SecuredPassword=$securedPassword" >> $env:GITHUB_OUTPUT # We can't generate certificates first and then initialize MySQL data folder, MySQL throws # error, it also generates all keys and certificates so we have remove them to generate are own 
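Review bot: The new comment above `id:` says why `ConvertFrom-SecureString` is called but not what the stored value is, which matters for anyone tempted to reuse `SecuredPassword` elsewhere: without `-Key` the cmdlet encrypts with DPAPI under the current Windows user on this runner, which is exactly why a later step of the same job can decrypt it and why another job or runner could not. I would extend the comment with `# Without -Key, ConvertFrom-SecureString encrypts with DPAPI for the current runner user, so the stored value can only be decrypted by later steps of this same job on this machine; never pass it to another job.` That also makes it explicit that an unmasked `GITHUB_OUTPUT` value is acceptable here only because of that binding.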
@@ -406,18 +415,24 @@ jobs: # Securing the root account even on localhost is for testing to make sure that everything # works as expected + # The secured_password is store in the string form so we have to re-create the [SecureString] + # from this encrypted string and then it can be decrypted as normally would 😬 - name: MySQL change ${{ secrets.DB_MYSQL_ROOT_USERNAME }} password run: >- "alter user '$env:DB_MYSQL_ROOT_USERNAME'@'localhost' identified with caching_sha2_password by '$env:DB_MYSQL_ROOT_PASSWORD' require issuer '${{ env.DB_MYSQL_SSL_SUBJECT_CA }}' and subject '${{ env.DB_MYSQL_SSL_SUBJECT_CLIENT }}';" | - mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME --skip-password + mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME + --password=$($env:secured_password | ConvertTo-SecureString | + ConvertFrom-SecureString -AsPlainText) + --connect-expired-password env: DB_MYSQL_ROOT_PASSWORD: ${{ secrets.DB_MYSQL_ROOT_PASSWORD }} DB_MYSQL_ROOT_USERNAME: ${{ secrets.DB_MYSQL_ROOT_USERNAME }} DB_MYSQL_SSL_SUBJECT_CA: ${{ secrets.DB_MYSQL_SSL_SUBJECT_CA }} DB_MYSQL_SSL_SUBJECT_CLIENT: ${{ secrets.DB_MYSQL_SSL_SUBJECT_CLIENT }} + secured_password: ${{ steps.initializes-initialize-mysql-data-folder.outputs.SecuredPassword }} - name: MySQL time zone POSIX tables initialize download id: downloads-initialize-mysql-timezone-tables diff --git a/.github/workflows/msys2-ucrt64.yml b/.github/workflows/msys2-ucrt64.yml index def0e4a61..81a35757d 100644 --- a/.github/workflows/msys2-ucrt64.yml +++ b/.github/workflows/msys2-ucrt64.yml 
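Review bot: `ConvertFrom-SecureString -AsPlainText` inside the new `--password=$(...)` argument exists only in PowerShell 7.0 and later; under Windows PowerShell 5.1 the cmdlet has no such parameter and the step would fail with a parameter-binding error. The workflow's `defaults.run.shell` is outside this hunk, so if it is not already pinned I would add `shell: pwsh` to this step and to the `MySQL initialize data directory` step that relies on the same cmdlets rather than depend on the runner image's default. Style nit: the added `secured_password` env key is lower-case while every sibling key in this `env:` block is `UPPER_SNAKE`; `SECURED_PASSWORD` (and `$env:SECURED_PASSWORD`) would match.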
@@ -112,23 +112,38 @@ jobs: env: DB_MYSQL_HOST: ${{ secrets.DB_MYSQL_HOST }} + # The ConvertFrom-SecureString must be called on the [SecureString] instance to be able to + # store it in the environment or output variable - name: MySQL initialize data directory - run: | - mysqld.exe --initialize-insecure --console + id: initializes-initialize-mysql-data-folder + run: >- + $regEx = '(?:\[MY-010454\].*temporary.*: )(?.+)' + + $securedPassword = (mysqld.exe --initialize --console 2>&1 | + Select-String -Pattern $regEx).Matches[0].Groups['password'].Value | + ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString + + "SecuredPassword=$securedPassword" >> $env:GITHUB_OUTPUT - name: MySQL service install/start run: | mysqld.exe --install MySQL Start-Service MySQL + # The secured_password is store in the string form so we have to re-create the [SecureString] + # from this encrypted string and then it can be decrypted as normally would 😬 - name: MySQL change ${{ secrets.DB_MYSQL_ROOT_USERNAME }} password run: >- "alter user '$env:DB_MYSQL_ROOT_USERNAME'@'localhost' identified with caching_sha2_password by '$env:DB_MYSQL_ROOT_PASSWORD';" | - mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME --skip-password + mysql.exe --user=$env:DB_MYSQL_ROOT_USERNAME + --password=$($env:secured_password | ConvertTo-SecureString | + ConvertFrom-SecureString -AsPlainText) + --connect-expired-password env: DB_MYSQL_ROOT_PASSWORD: ${{ secrets.DB_MYSQL_ROOT_PASSWORD }} DB_MYSQL_ROOT_USERNAME: ${{ secrets.DB_MYSQL_ROOT_USERNAME }} + secured_password: ${{ steps.initializes-initialize-mysql-data-folder.outputs.SecuredPassword }} - name: MySQL time zone POSIX tables initialize download id: downloads-initialize-mysql-timezone-tables
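Review bot: As in the other three workflows touched by this commit, the `MySQL initialize data directory` step never verifies that `Select-String` matched, so if the version-specific `[MY-010454]` line changes, `$securedPassword` is `$null`, `SecuredPassword=` is written empty, the step passes, and the `MySQL change … password` step below fails with an unhelpful authentication error against an empty `--password=`. I would keep the `Select-String` result and guard it: `$match = mysqld.exe --initialize --console 2>&1 | Select-String -Pattern $regEx`, then after a blank line (the block is a folded `>-` scalar) `if (-not $match) { throw 'temporary root password not found in mysqld --initialize output' }`, and read `$match.Matches[0].Groups['password'].Value` from there.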