chore(deps): Bump github/codeql-action from 2.20.4 to 2.21.0 #2240
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: plan-examples | |
on: | |
# Review https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ and better understand the risks of using pull_request_target before making major changes to this workflow. | |
pull_request_target: | |
branches: | |
- main | |
workflow_dispatch: | |
concurrency: | |
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | |
cancel-in-progress: true | |
permissions: | |
contents: read | |
jobs: | |
getExampleDirectories: | |
name: Get example directories | |
runs-on: ubuntu-latest | |
# Do not remove environment setup without considering changes to pull_request_target and checkout of PR, as it may lead to checks running automatically against malicious code in PRs. | |
environment: EKS Blueprints Test | |
# Skip running on forks since it won't have access to secrets | |
if: github.repository == 'aws-ia/terraform-aws-eks-blueprints' | |
outputs: | |
directories: ${{ steps.dirs.outputs.directories }} | |
steps: | |
# Be careful not to change this to explicit checkout from PR ref/code, as below we run a python code that may change from the PR code. | |
- name: Harden Runner | |
uses: step-security/harden-runner@v2 | |
with: | |
egress-policy: audit | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Get Terraform directories for evaluation | |
id: dirs | |
run: | | |
DIRS=$(python3 .github/scripts/plan-examples.py) | |
echo "directories=$DIRS" >> $GITHUB_OUTPUT | |
plan: | |
name: Plan examples | |
needs: getExampleDirectories | |
runs-on: ubuntu-latest | |
# Skip running on forks since it won't have access to secrets | |
if: github.repository == 'aws-ia/terraform-aws-eks-blueprints' | |
# These permissions are needed to interact with GitHub's OIDC Token endpoint. | |
permissions: | |
id-token: write | |
contents: read | |
strategy: | |
fail-fast: false | |
matrix: | |
directory: ${{ fromJson(needs.getExampleDirectories.outputs.directories) }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@v2 | |
with: | |
egress-policy: audit | |
- name: Remove default Terraform | |
run: rm -rf $(which terraform) | |
- name: checkout-merge | |
if: "contains(github.event_name, 'pull_request')" | |
uses: actions/checkout@v3 | |
with: | |
ref: refs/pull/${{github.event.pull_request.number}}/merge | |
- name: checkout | |
if: "!contains(github.event_name, 'pull_request')" | |
uses: actions/checkout@v3 | |
- uses: dorny/paths-filter@v2 | |
id: changes | |
with: | |
# Need to check not only the example directory | |
# but also the supporting module(s) code | |
# for plans (not for pre-commit) | |
filters: | | |
src: | |
- '${{ matrix.directory }}/**/*.(tf|yml|yaml)' | |
- 'modules/**/*.(tf|yml|yaml)' | |
- '*.tf' | |
- name: Configure AWS credentials from Test account | |
uses: aws-actions/[email protected] | |
if: steps.changes.outputs.src== 'true' | |
with: | |
role-to-assume: ${{ secrets.ROLE_TO_ASSUME }} | |
aws-region: us-west-2 | |
role-duration-seconds: 3600 | |
role-session-name: GithubActions-Session | |
- name: Terraform Job | |
uses: hashicorp/setup-terraform@v2 | |
if: steps.changes.outputs.src== 'true' | |
with: | |
terraform_version: 1.0.0 | |
- if: steps.changes.outputs.src== 'true' | |
run: terraform version | |
- name: Terraform Init | |
if: steps.changes.outputs.src== 'true' | |
run: terraform init -reconfigure | |
working-directory: ${{ matrix.directory }} | |
- name: Terraform Plan | |
if: steps.changes.outputs.src== 'true' | |
working-directory: ${{ matrix.directory }} | |
run: terraform plan -no-color |