
chore(deps): update step-security/harden-runner digest to 0327a39 #438



Workflow file for this run

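name: Terraform
# NOTE(review): no top-level or job-level `permissions:` is declared, so every
# job's GITHUB_TOKEN runs with the repository's default token scope. Declaring
# least-privilege permissions per job (e.g. `contents: read` for jobs that only
# plan or scan) would limit what a compromised step could do with the token.
on: [push]
jobs:
  # -- TESTS ------------------------------------------------------------------
  tests:
    name: Tests
    runs-on: ubuntu-latest
    # OCI and Cloudflare credentials reach Terraform as TF_VAR_* / provider env vars.
    env:
      TF_VAR_tenancy_ocid: ${{ secrets.OCI_TENANCY_OCID }}
      TF_VAR_compartment_ocid: ${{ secrets.OCI_COMPARTMENT_OCID }}
      TF_VAR_user_ocid: ${{ secrets.OCI_USER_OCID }}
      TF_VAR_fingerprint: ${{ secrets.OCI_FINGERPRINT }}
      TF_VAR_private_key: ${{ secrets.OCI_PRIVATE_KEY }}
      TF_VAR_region: ${{ secrets.OCI_REGION }}
      TF_VAR_cf_account_id: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@0327a39356be0e062df2bb0bd2a3e036b72a8393
        with:
          # Deny all outbound traffic except the endpoints listed below.
          egress-policy: block
          allowed-endpoints: >
            checkpoint-api.hashicorp.com:443
            registry.terraform.io:443
            github.com:443
            iaas.uk-london-1.oraclecloud.com:443
            identity.uk-london-1.oci.oraclecloud.com:443
            objects.githubusercontent.com:443
            releases.hashicorp.com:443
            api.cloudflare.com:443
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
      - name: Terraform Format
        id: fmt
        run: terraform fmt -check
        working-directory: ./terraform
        # Formatting drift is reported but does not fail the job.
        continue-on-error: true
      - name: Terraform Init
        id: init
        working-directory: ./terraform
        run: terraform init -upgrade
      - name: Terraform Plan
        id: plan
        working-directory: ./terraform
        run: terraform plan
  # -- SAST SCAN --------------------------------------------------------------
  code-security:
    name: Code Security
    runs-on: ubuntu-latest
    needs: tests
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@0327a39356be0e062df2bb0bd2a3e036b72a8393
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            pipelines.actions.githubusercontent.com:443
            pypi.org:443
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Perform Scan
        # NOTE(review): the only action in this workflow referenced by a mutable
        # branch (`@master`) instead of a commit SHA. Pin it to a full commit SHA
        # like the other steps (<commit-sha> to be taken from the upstream repo)
        # so an upstream change cannot alter what runs with GITHUB_TOKEN here.
        uses: ShiftLeftSecurity/scan-action@master
        env:
          WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Quoted: env values are strings; matches `git-push: "true"` below.
          SCAN_ANNOTATE_PR: "true"
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: reports
          path: reports
  # -- DOCUMENTATION ----------------------------------------------------------
  documentation:
    name: Documentation
    runs-on: ubuntu-latest
    needs: tests
    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@0327a39356be0e062df2bb0bd2a3e036b72a8393
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: 'main' # Force checkout of main branch to avoid caching from previous jobs
          # Checkout credentials are left in place here (unlike the release
          # job); presumably the terraform-docs push below relies on them -- confirm.
      - name: Terraform Docs
        uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # tag=v1.0.0
        with:
          working-dir: ./terraform
          output-file: USAGE.md
          output-method: inject
          # Commits the regenerated USAGE.md back to the checked-out branch.
          git-push: "true"
          git-commit-message: "chore(docs): update Terraform docs"
  # -- RELEASE ----------------------------------------------------------------
  release:
    name: Release
    runs-on: ubuntu-latest
    needs:
      - tests
      - code-security
      - documentation
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@0327a39356be0e062df2bb0bd2a3e036b72a8393
        with:
          # Unlike the other jobs, egress is only logged here, not blocked.
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: 'main' # Force checkout of main branch to avoid caching from previous jobs
          # Do not leave the checkout token in .git/config; semantic-release
          # receives its own GITHUB_TOKEN below.
          persist-credentials: false
      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@8e58d20d0f6c8773181f43eb74d6a05e3099571d # v3.4.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}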